Steps to change IP or Subnet of Firewall Management circuit on VSX

Article ID: 167902

Products

XOS

Issue/Introduction

I need to change the firewall management circuit IP/subnet and am looking for the steps to change it.

Resolution

  1. Back up the XOS and firewall management station configuration before proceeding to the next step.
  2. Remove the default route or static route for the firewall management circuit. For example:
     config no ip route 0.0.0.0/0 192.168.32.1 vap-group vsx circuit mgmt
  3. Set the new IP address on the firewall management circuit in the XOS CLI.
  4. Add the new default gateway static route for the firewall management circuit. For example:
     config ip route 0.0.0.0/0 192.168.32.3 vap-group vsx circuit mgmt
  5. Unload the firewall policy with "fw unloadlocal" on each VAP in the VAP group (this step shuts down the firewall).
  6. From the firewall management station, run vsx_util change_mgmt_subnet (or vsx_util change_mgmt_ip).
  7. Go through the vsx_util wizard and repeat the command to change the information for *all* VAP members.
  8. Optional: In Check Point SmartDashboard, update the default gateway in Cluster Topology and press OK to sync with the XOS configuration.
  9. Optional: Reestablish SIC if required, and push policy.
  10. Reload the VSX VAP group and check the updated APM, XOS and Dashboard configuration associated with the firewall management circuit to verify that there are no mismatches.