Re: [FW-1] Changing firewall object IP address
Mike,

I suggest you get a copy of the Stonebeat manual and read it thoroughly before you go making any changes to the config on those firewalls. Currently, they are set up exactly the way Stonebeat recommends; changing the config in the way you're proposing is unnecessary (there are better solutions to the problem you're trying to solve), unsupported by Stonebeat (AFAIK), and likely to cause you other, larger problems.

Stonebeat classifies the external and internal interfaces as ONICs (Operative interfaces), and the management interface as a CNIC (Control interface). The control interface can also be the heartbeat interface, or you can have two separate interfaces there (one for heartbeat and one for control). We usually just used one CNIC for both heartbeat and control. Unless something has changed in Stonebeat HA since the last time I set it up, you have to have the CNIC separate from the ONICs. The manual clearly states that CNICs are dedicated to communication between the firewalls and/or the management station, and that the IP address of the firewall's hostname should be bound to the CNIC. The people who originally set up the HA weren't crazy - they were following directions. I'm not a Stonebeat guru, but I've set it up about a half-dozen times, and that has always been the recommended config.

If you can't work out the proper rules / routing to access the logs on the management station from your internal network, one way around that is to add a second interface to the management station and connect that NIC to the internal network... (But you'll have to determine whether that poses security risks in your environment. Getting Checkpoint training and setting up the access via the firewall rules is a much better option.)
BTW, the reason that the heartbeat / control net is on registered (by which I assume you mean "not RFC1918") addresses may be to support your VPN connectivity - if your VPN connections terminate to the IP address of the firewall's hostname, the IP addresses used on the CNIC have to be routable since they're the endpoint for the VPN. We've had to do that in the past, too...

It sounds like you have a standard Stonebeat HA with VPN support setup - I strongly recommend that you either get Stonebeat training or at least read the manual before you try to administer it, let alone make changes to it. What you're suggesting, to move the firewall IP off the CNIC, will at the very least break your VPNs as currently configured, and may well cause problems with your HA communication (and hence your failover), too.

Hope this helps,
Lisa

Standard disclaimer: the content of this message represents my personal views, not those of my employer.

>>> [email protected] 11/05/2001 12:18:49 >>>
Thanks for the reply but I have to change the architecture because I have done what you said and I cannot use the GUI client to get the logs from a management server on the heartbeat network either. I've checked the rule base very, very carefully - it's not the rules stopping it from working.

I hear you on the backup issue. I'm quite good at doing the backups before I change stuff!

The real problem is that the heartbeat network is a registered address. Crazy people did the original install. I'm left to pick up the pieces.

Thanks again,
Mike H
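The reply above boils down to three invariants for a Stonebeat HA member: the control/heartbeat interface (CNIC) is a separate NIC from the operative interfaces (ONICs), the IP address the firewall's hostname resolves to is bound to a CNIC, and if VPNs terminate on that hostname address it must be routable rather than RFC1918. The checker below is an added example, not code from the thread or from Stonebeat; the hostnames, interface names, roles and addresses are constructed, and the "proposed" configuration models the change Mike describes (moving the hostname IP off the CNIC onto a private internal address) so that the checks flag it.

```python
# Added example (not from the mailing-list post): validate a Stonebeat HA
# member against the interface-role invariants described in the reply.
# All names and addresses below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# The post equates "registered" with "not RFC1918", so test exactly those ranges
# rather than relying on a broader notion of private/special-use space.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)


@dataclass
class Interface:
    name: str
    role: str                # "ONIC" (external/internal) or "CNIC" (control/heartbeat)
    address: IPv4Address


@dataclass
class FirewallMember:
    hostname: str
    hostname_address: IPv4Address       # what the firewall's hostname resolves to
    interfaces: list
    vpn_terminates_on_hostname: bool    # VPN peers use the hostname IP as endpoint


def is_rfc1918(addr: IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def check_member(fw: FirewallMember) -> list:
    """Return a list of problems; an empty list means the member matches
    the recommended Stonebeat layout as described in the reply."""
    problems = []
    cnics = [i for i in fw.interfaces if i.role == "CNIC"]
    onics = [i for i in fw.interfaces if i.role == "ONIC"]

    # Control/heartbeat must live on its own interface, separate from the ONICs.
    if not cnics:
        problems.append("no CNIC: control/heartbeat traffic needs a dedicated interface")
    shared = {i.address for i in cnics} & {i.address for i in onics}
    if shared:
        problems.append(f"CNIC shares an address with an ONIC: {sorted(map(str, shared))}")

    # The firewall hostname's IP must be bound to a CNIC.
    if fw.hostname_address not in {i.address for i in cnics}:
        problems.append(
            f"hostname {fw.hostname} ({fw.hostname_address}) is not bound to a CNIC")

    # If VPNs terminate on the hostname IP, that IP must be routable.
    if fw.vpn_terminates_on_hostname and is_rfc1918(fw.hostname_address):
        problems.append(
            f"VPN endpoint {fw.hostname_address} is RFC1918 and not routable from peers")
    return problems


def current_config() -> FirewallMember:
    """As-built layout (constructed): hostname IP on the CNIC, registered address."""
    return FirewallMember(
        hostname="fw1",
        hostname_address=IPv4Address("203.0.113.10"),
        interfaces=[
            Interface("hme0", "ONIC", IPv4Address("198.51.100.2")),  # external
            Interface("hme1", "ONIC", IPv4Address("10.1.1.1")),      # internal
            Interface("hme2", "CNIC", IPv4Address("203.0.113.10")),  # control + heartbeat
        ],
        vpn_terminates_on_hostname=True,
    )


def proposed_config() -> FirewallMember:
    """The change under discussion (constructed): hostname IP moved onto the
    internal ONIC and the heartbeat net renumbered into RFC1918 space."""
    return FirewallMember(
        hostname="fw1",
        hostname_address=IPv4Address("10.1.1.1"),
        interfaces=[
            Interface("hme0", "ONIC", IPv4Address("198.51.100.2")),
            Interface("hme1", "ONIC", IPv4Address("10.1.1.1")),
            Interface("hme2", "CNIC", IPv4Address("192.168.250.1")),
        ],
        vpn_terminates_on_hostname=True,
    )


if __name__ == "__main__":
    for label, cfg in (("current", current_config()), ("proposed", proposed_config())):
        issues = check_member(cfg)
        print(f"{label}: {'OK' if not issues else issues}")
```

Run as a script it reports the as-built layout as OK and lists two findings for the proposed change: the hostname address is no longer on a CNIC, and the VPN endpoint has become an RFC1918 address. The checker only encodes what the reply states; it does not model Stonebeat's actual heartbeat protocol or any version-specific behaviour.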