I would think so. Unfortunately there's only one way to find out for sure.
The only stumbling block might be if there are rules on the standalone that
would block the management communication, but that would be able to be seen
in the logs easily.
I've got a sort of similar situation. My SmartCenter is on our internal
network and I manage the main firewall from behind it. We have WAN
connections to other locations. In one of those other locations I have an
internal firewall. I can only reach it from its external interface and I can
manage it just fine.
Good luck!
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] managing an enforcement server externally
Date: Mon, 23 Jan 2006 07:54:38 +0800
Hmmm... The more I try to explain, the more confusion there is. Ok ok.
Let me get straight to the point. Yes, you're right! Both networks behind
the Cluster and the standalone firewall are the same but they are not
connected to each other (separate network). I am not using VPN at all here.
I'm using central licensing. The main objective is to move the SmartCenter
from behind the Cluster to behind the standalone firewall, which is also the same
private network as at the Cluster. I'm not going to change the
SmartCenter's IP address at this moment. Once I move it, am I still able to
manage the Cluster and, at the same time, the standalone firewall without any
reconfiguration?
Thanks again.
Ray wrote:
I'm not sure what this means: "since it shares same private subnet"
Can you give an example of the subnets involved? It sounds like you may be
saying that the internal network behind the cluster and the internal
network behind the standalone are the same (example: both are
192.168.1.x/24). I guess that means there is not a site-to-site VPN
between them, which I somehow assumed.
If that's correct and you can keep the SmartCenter IP address the same, I
can't see a problem. I am somewhat concerned that you licensed the
internal IP addresses of the firewall, though, since that can mess up VPN
traffic.
Are you using central licensing?
What versions are the SmartCenter and enforcement modules on?
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] managing an enforcement server externally
Date: Sun, 22 Jan 2006 08:54:41 +0800
Hi,
Licenses on both the standalone enforcement server and the Cluster are bound
to their internal interfaces. At this moment, our SmartCenter is located
behind the Cluster and is able to manage my other standalone enforcement
server remotely. I would like to move my SmartCenter from behind the
Cluster to behind the standalone enforcement server since it shares same
private subnet. So, am I able to manage the standalone enforcement once I
have moved the SmartCenter in from the Cluster? Am I able to manage the
Cluster once the SmartCenter is moved to behind the enforcement server?
Please help me as I'm really not sure on how to do the migration.
Regards,
Alex
Ray wrote:
It should just work, assuming you licensed the external IP address on
both. When SmartCenter is behind the enforcement module, it still needs
a route to the external interface IP to work properly.
We fought a problem when we first went to NG and split the enforcement
module from the management server (we were on 4.0 at the time). The new
SmartCenter had a router between it and the enforcement module and the
router was set to drop all traffic aimed at the external IP address of
the enforcement module, for whatever reason.
Since the SmartCenter was behind the enforcement module with the router
between them, it caused all kinds of problems. We couldn't push a
policy, we could read logs but it kept disconnecting, etc.
It sounds like you will be changing the IP address of the SmartCenter from
"behind the cluster" to "behind the standalone". If you are using
central licensing, you will have to re-license the SmartCenter using the
User Center. If that's the only change, I don't think you'll have to
change anything with SIC.
Ray
From: Alexander Simbun <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] managing an enforcement server externally
Date: Fri, 20 Jan 2006 21:57:59 +0800
Hi all,
I have a question about managing an enforcement server externally and
later internally from one SmartCenter server. Currently, I have one
SmartCenter server which manages a Cluster and a standalone enforcement
server. The standalone enforcement server is located on a different network and I
have configured my SmartCenter (located behind the Cluster) to manage my
external enforcement server. Everything is working smoothly but I wonder,
let's say I want to move my only SmartCenter server from behind the
Cluster to behind my externally managed enforcement server, does it
still work? I mean, am I able to manage my standalone enforcement
server and Cluster after the move (migration)? Is there a way to do
this?
Thanks very much.
Regards,
Alex
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================