RE: [fw1-gurus] Check List for ISP Change
Out of band access via the console port?
Backups of the current working configuration?
A backout plan in case it all goes south?
Regards,
Lars Higham
-----Original Message-----
From: mailing list [mailto:mailinglist@xxxxxxxxxx]
Sent: Friday, January 23, 2004 3:32 PM
To: fw1-gurus@xxxxxxxxxxxxxxxxxx
Subject: FW: [fw1-gurus] Check List for ISP Change
Hi,
Thanks for your feedback. So here is the list I was going to follow. I
have a quad network card.
1) Put the new external IP address on the 3rd interface (1st being
internal, 2nd being old external)
2) Apply Licenses
3) cpstop
4) Make OS changes to remove the old interface.
5) Start the firewall
6) Change the firewall object and all NATed objects
7) Push the policy.
8) Check connectivity
This seemed to me at least the simplest way to do it from all the
solutions I got about this. Do you guys agree with me on this?
Of course all the DNS changes that go with this.
And remote users recreating the site on their side.
Why would I need to send them a new users.C file?
The topology should be pushed to them when they recreate the site.
Thx
Marty
-----Original Message-----
From: Marc Lampo [mailto:Marc.Lampo@xxxxxxxxx]
Sent: Friday, January 23, 2004 12:52 AM
To: mailing list
Cc: fw1-gurus@xxxxxxxxxxxxxxxxxx
Subject: Re: [fw1-gurus] Check List for ISP Change
Hello,
a word of caution about licenses:
it's unclear if your firewall host is at the same time its own
management station.
If so, are the licenses bound to the external interface (where the IP
address is about to change)?
If the answer is still: yes, your list will probably bring you into
problems since after you make the OS level changes, checkpoint won't
have a valid license anymore when restarting.
My suggestion is:
*if* a license is bound to an address that changes, then
a) add the new IP address as "secondary" address on the interface
b) add regenerated license via smartupdate
c) switch both addresses of the interface (new one becomes primary, ...)
d) remove old, now secondary, address
Success!
Marc
mailing list wrote:
> Hi,
> Here is a checklist of things I am going through when changing my ISP
> (Internet Service Provider) this weekend, Firewall-1 NG FP3 with VPN,
> 400 Remote VPN users Enforcement point, mgmt station on a single
> machine running Solaris.
>
> 1) cpstop to shutdown the firewall
> 2) Make OS level changes, to reflect new external IP addresses.
> 3) Change routes.
> 4) cpstart to restart the firewall
> 5) Change firewall object to reflect new external IP address
> 6) Apply new licenses to the firewall using smartupdate
> 7) Change all NATed objects to reflect new IP address.
> 8) Push the policy to the firewall.
> 9) Check connectivity.
>
> Please let me know if I have missed something.
>
> I appreciate the feedback.
>
> Thx
> Marty
>
>
> ---------------------------------------------------------------------
> FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus) To
> unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
> For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx
>
--
Security Engineer for C-CURE cvba, Belgium (http://www.c-cure.be/)
CheckPoint CCSA and CCSE for NG
Guest teacher of "Client-Server Programming with Unix" for AT Computing,
Nijmegen, The Netherlands (http://www.atcomputing.nl/ - Dutch spoken)