I would use a simple network node or gateway object (depending on whether your management server has more than one interface configured).

Steve

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Peter Addy
Sent: 25 January 2010 16:09
To: [email protected]
Subject: Re: [FW-1] Smart Center FP3 change of IP

Thanks
btw was thinking that dummy host, is this a new checkpoint>host or gateway just the same as the existing mgmt server?

--- On Mon, 25/1/10, Stephen Bourike <[email protected]> wrote:

From: Stephen Bourike <[email protected]>
Subject: Re: [FW-1] Smart Center FP3 change of IP
To: [email protected]
Date: Monday, 25 January, 2010, 15:39

Remember to make a backup of your management server environment before you start, and I suggest a Database Revision snapshot before you embark on making changes too for easy rollback in the event of a problem.

Steve

> From: Peter Addy <[email protected]>
> Reply-To: Mailing list for discussion of Firewall-1
> <[email protected]>
> Date: Mon, 25 Jan 2010 15:23:43 +0000
> To: <[email protected]>
> Subject: Re: [FW-1] Smart Center FP3 change of IP
>
> Cheers Stephen
> will try this and let you know how i get on
>
> --- On Mon, 25/1/10, Stephen Bourike <[email protected]> wrote:
>
> From: Stephen Bourike <[email protected]>
> Subject: Re: [FW-1] Smart Center FP3 change of IP
> To: [email protected]
> Date: Monday, 25 January, 2010, 13:18
>
> Hi Peter
>
> Changing the IP address of the Smartcentre shouldn't need to re-SIC. Only a
> name change is likely to need that.
>
> You should be able to change the IP address directly in the standard
> Dashboard GUI, but depending on how your implied rules are configured, you
> are likely to find that you lose access to the firewalls when you save the
> policy objects.
>
> The proper process for changing a MANAGEMENT server IP address is:
>
> 1. Create a dummy object for the NEW management server IP address and add
> it to any rules that allow firewall management protocols. These are located
> above the STEALTH rule and should be there to replace the default implied
> rules in Global Properties.
>
> 2. Push the updated policy
>
> 3. Change the IP address of the management server object using
> SmartDashboard and acknowledge the conflict of IP with your temporary
> object.
>
> 4. Using the Check Point UserCenter, re-license all modules and the
> management licenses to match the new management centre IP address (as type
> 'Central'). This really only applies to existing "Central" licenses, but
> for ease of management you should always use Central licensing.
>
> 5. Add the new licenses to the license repository in the SmartUpdate GUI
> tool ready for deployment. Deploy the new licenses to each gateway using
> SmartUpdate. DO NOT REMOVE EXISTING LICENSES !!
>
> 6. Physically change the IP address of the management server machine and
> update the host file on that machine to match the change. IF you have
> accurate hosts files on your gateways that include an entry for the
> management server, then update the hosts file entries on each gateway too.
>
> 7. Restart the management server by performing a full reboot. This won't
> affect the firewall gateway operation provided it's not down for too many
> hours (which can affect VPN operation).
>
> 8. Push the updated policy from the management server to the firewalls.
> They should accept the management connections either because of the (slack)
> implied rules or because of the changes you made in step 1. The change of
> management IP address should be ok since you already put new licenses onto
> the gateways in step 5.
>
> 9. Using SmartUpdate you can remove the older incarnations of the licenses
> which applied to the old management server IP address and then remove these
> licenses from the license repository.
>
> Then you're finished. No SIC changes, no major hassles, no gateway
> downtime.
>
> If your management server has a firewall module installed on it, you WILL
> need to have physical console access to the server in order to ensure that
> you're not locked out when you change the IP address and reboot the machine.
> Worst case you will need to install the policy again locally between steps 7
> and 8.
>
> Hope this helps !
>
> Steve Bourike.
>
>> From: Peter Addy <[email protected]>
>> Reply-To: Mailing list for discussion of Firewall-1
>> <[email protected]>
>> Date: Mon, 25 Jan 2010 12:41:49 +0000
>> To: <[email protected]>
>> Subject: [FW-1] Smart Center FP3 change of IP
>>
>> Hi
>> Does anyone know of any gotchas when changing the IP address of the smart
>> center running NGFP3
>> i have the notes from Checkpoint to say change the ip via gui dbedit, host
>> file etc and then reset sic and re-apply licenses which is not in the notes
>> but surely the license needs to be re ip'd, but was wondering if anyone has
>> done this before and what we need to look out for, also will this stop or
>> break current vpn's or just new vpn connections?
>>
>> Thanks
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [email protected]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [email protected]
>> =================================================
>
> Scanned by Check Point Total Security Gateway.
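
Step 6 of the procedure quoted above requires the hosts file on the management server, and on any gateway that lists it, to match the new address. A check for that step follows as an added example that is not part of the original thread; the hostname `fwmgmt` and the documentation-range addresses are constructed placeholders.

```shell
#!/bin/sh
# audit_hosts FILE HOSTNAME OLD_IP NEW_IP   (FILE may be "-" for stdin)
# Prints one finding per line. Returns 0 only when HOSTNAME maps to NEW_IP
# and nothing in the file still points at OLD_IP or at a third address.
audit_hosts() {
    awk -v name="$2" -v old="$3" -v new="$4" '
        { sub(/#.*/, "") }          # strip comments, fields are re-split
        NF < 2 { next }             # blank line or address with no name
        {
            has_name = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) has_name = 1
            if ($1 == old) {
                print "STALE line " NR ": old address " old " still present"
                bad = 1
            }
            if (has_name && $1 == new) ok = 1
            if (has_name && $1 != new && $1 != old) {
                # e.g. the hostname also listed on a loopback line
                print "CONFLICT line " NR ": " name " maps to " $1
                bad = 1
            }
        }
        END {
            if (!ok) { print "MISSING: no entry maps " name " to " new; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: a hosts file caught mid-change, with the new entry
# added but the old one not yet removed.
sample_hosts() {
    printf '%s\n' \
        '127.0.0.1     localhost' \
        '192.0.2.10    fwmgmt fwmgmt.example.com   # old address' \
        '198.51.100.10 FWMGMT'
}

sample_hosts | audit_hosts - fwmgmt 192.0.2.10 198.51.100.10 \
    || echo "hosts file is not consistent with the new address"
```

Run it against the real hosts file on the management server and on each gateway before the reboot in step 7.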
