Security Management Servers on DHCP Interfaces

In This Section:

Requirements

Enabling and Disabling

Using a Dynamic IP Address

Licensing a Dynamic Security Management

Limitations for a Dynamic Security Management

Requirements

Beginning with version R71, Security Management Servers are supported with Dynamic IP addresses on DHCP. To use this:

Enabling and Disabling

When you install a Security Management on a Windows machine with a DHCP interface, the Security Management recognizes the DHCP interface. As a result, a Dynamic Address checkbox appears in the General Properties of the Security Management object. This checkbox is automatically selected to enable using the Security Management with a dynamic IP address.

If the Security Management object is not shown in SmartDashboard, make sure that at least one interface is defined with a valid IP address and run cpstop and cpstart to restart Check Point services.

Clear the checkbox to disable the feature and to indicate that a static IP address is being used. When the Dynamic Address checkbox is cleared, Security Gateways will only accept connections from the exact last known IP address of the Security Management.

Using a Dynamic IP Address

For the Security Management to install policy, it should use an IP address that is defined as an allowed Network or Address Range. If no range is defined, a default address range is created from the first 3 octets of the first assigned IP address. For example, if the server is configured with the IP address 192.168.184.55, the default range will be 192.168.184.0 - 192.168.184.255. You can define a new allowed address network or range at any time.

When the managed Security Gateway is of version R71 or higher, policy installation fails if the IP address of the Security Management is outside of the defined ranges and networks.

When the IP address of the Security Management changes, the change is reflected in the database after you restart the SmartDashboard.

To define an allowed Network or Address Range:

  1. From the General Properties window of the Security Management object, click Manage.

    The Management DHCP Ranges window opens.

  2. Click Add to add a new Network or Address Range.
    • Network - Define the first IP address and a subnet mask
    • Address Range - Define the first and last IP address of the range.
  3. When all networks and address ranges are added, click OK to activate them.
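
The check below is an added example, not Check Point code: it models the default range and the two entry types described above, then reports which parts of a DHCP pool fall outside the allowed entries, since a lease from an uncovered part would make policy installation fail on R71 or higher gateways. The function names and the pool boundaries are hypothetical, and it assumes the "first IP address" of a Network entry is the network address.

```python
import ipaddress

def default_range(first_assigned_ip):
    """Default range per the text: first 3 octets of the first assigned IP, .0 to .255."""
    net = ipaddress.ip_network(f"{first_assigned_ip}/24", strict=False)
    return (net.network_address, net.broadcast_address)

def network_entry(first_ip, subnet_mask):
    """'Network' entry: first IP address plus subnet mask (assumed to be the network address)."""
    net = ipaddress.ip_network(f"{first_ip}/{subnet_mask}", strict=False)
    return (net.network_address, net.broadcast_address)

def range_entry(first_ip, last_ip):
    """'Address Range' entry: first and last IP address of the range."""
    first, last = ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip)
    if first > last:
        raise ValueError("first address is above last address")
    return (first, last)

def is_allowed(ip, allowed):
    """True if ip falls inside at least one allowed entry."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in allowed)

def uncovered(pool_first, pool_last, allowed):
    """Return the parts of a DHCP pool that no allowed entry covers."""
    cursor = int(ipaddress.ip_address(pool_first))
    end = int(ipaddress.ip_address(pool_last))
    gaps = []
    for lo, hi in sorted((int(a), int(b)) for a, b in allowed):
        if hi < cursor:
            continue  # entry lies entirely below the unchecked part of the pool
        if lo > end or cursor > end:
            break     # rest of the entries start above the pool, or pool is done
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = hi + 1
    if cursor <= end:
        gaps.append((cursor, end))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in gaps]

if __name__ == "__main__":
    # Constructed sample: a DHCP pool spanning two /24s, with only the default range in place.
    pool = ("192.168.184.200", "192.168.185.20")
    allowed = [default_range("192.168.184.55")]
    print("uncovered with default range only:", uncovered(*pool, allowed))
    allowed.append(range_entry("192.168.185.0", "192.168.185.20"))
    print("uncovered after adding a range:   ", uncovered(*pool, allowed))
```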

Licensing a Dynamic Security Management

A Security Management uses a constant IP address based on a MAC address.

To obtain a license for a Security Management with a dynamic IP address:

  1. Run cplic dynlic from the CLI.

    An IP address is returned.

  2. Use this IP address to obtain a license from the Check Point User Center.
  3. Run cplic put in the CLI to install the license. Do not install it using SmartUpdate.

Limitations for a Dynamic Security Management