Cheers Stephen,
Will try this and let you know how I get on.
 

--- On Mon, 25/1/10, Stephen Bourike <[email protected]> wrote:


From: Stephen Bourike <[email protected]>
Subject: Re: [FW-1] Smart Center FP3 change of IP
To: [email protected]
Date: Monday, 25 January, 2010, 13:18


Hi Peter

Changing the IP address of the Smartcentre shouldn't need to re-SIC.  Only a
name change is likely to need that.

You should be able to change the IP address directly in the standard
Dashboard GUI, but depending on how your implied rules are configured, you
are likely to find that you lose access to the firewalls when you save the
policy objects.

The proper process for changing a MANAGEMENT server IP address is:

1.  Create a dummy object for the NEW management server IP address and add
it to any rules that allow firewall management protocols.  These are located
above the STEALTH rule and should be there to replace the default implied
rules in Global Properties.

2.  Push the updated policy

3.  Change the IP address of the management server object using
SmartDashboard and acknowledge the conflict of IP with your temporary
object.

4.  Using the Check Point UserCenter, re-license all modules and the
management licenses to match the new management centre IP address (as type
'Central').  This really only applies to existing "Central" licenses, but
for ease of management you should always use Central licensing.

5.  Add the new licenses to the license repository in the SmartUpdate GUI
tool ready for deployment.  Deploy the new licenses to each gateway using
SmartUpdate.  DO NOT REMOVE EXISTING LICENSES !!

6.  Physically change the IP address of the management server machine and
update the host file on that machine to match the change.  IF you have
accurate hosts files on your gateways that include an entry for the
management server, then update the hosts file entries on each gateway too.

7. Restart the management server by performing a full reboot.  This won't
affect the firewall gateway operation provided it's not down for too many
hours (which can affect VPN operation).

8.  Push the updated policy from the management server to the firewalls.
They should accept the management connections either because of the (slack)
implied rules or because of the changes you made in step 1.  The change of
management IP address should be ok since you already put new licenses onto
the gateways in step 5.

9.  Using SmartUpdate you can remove the older incarnations of the licenses
which applied to the old management server IP address and then remove these
licenses from the license repository.

Then you're finished.  No SIC changes, no major hassles, no gateway
downtime.

If your management server has a firewall module installed on it, you WILL
need to have physical console access to the server in order to ensure that
you're not locked out when you change the IP address and reboot the machine.
Worst case you will need to install the policy again locally between steps 7
and 8.

Hope this helps !


Steve Bourike.



> From: Peter Addy <[email protected]>
> Reply-To: Mailing list for discussion of Firewall-1
> <[email protected]>
> Date: Mon, 25 Jan 2010 12:41:49 +0000
> To: <[email protected]>
> Subject: [FW-1] Smart Center FP3 change of IP
> 
> Hi
> Does anyone know of any gotchas when changing the IP address of the Smart
> Center running NGFP3?
> I have the notes from Check Point to say change the IP via GUI dbedit, host
> file etc. and then reset SIC and re-apply licenses, which is not in the notes,
> but surely the license needs to be re-IP'd, but was wondering if anyone has
> done this before and what we need to look out for. Also, will this stop or
> break current VPNs or just new VPN connections?
>  
> Thanks
> 
> 
> 
> 
> 
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================


