06-10-2018 11:44 AM
We're upgrading the internet link in one of our offices...so we purchased a new link from a different provider...and I was thinking of unplugging the old link, plugging in the new link, removing the old public IP address and then adding the IP address of the new link, and changing the default route...the firewall is a PA-200 on version 7.1.14...has anyone done this before? Is this a good practice?
06-28-2018 12:23 PM
ISP was changed successfully...for all of the network engineers out there...
- Change the interface IP
- Change the default route
- Change GlobalProtect settings
- Issue a new cert. for GlobalProtect
- Change the policies
- No need to reset the VPN
06-11-2018 02:26 AM
If you have a maintenance window where you can perform a cutover, this would be a good way to go about your migration (don't forget NAT and security policies).
This will be the quickest way, but will require some downtime (and you'll need to make sure you have OOB access or can be on-site to perform this).
Alternatively, you can plug the new ISP into a free interface and set it up from scratch (new zone, add the zone to existing security policies, create new NAT rules, add a default route with a slightly higher metric and commit).
After the commit you can first run a few tests and will retain access to the office through the original ISP, until you shut off the original interface and the new ISP takes over.
06-11-2018 06:33 AM
A great deal depends on what you're doing.
Do you have inbound rules for NAT to inside hosts?
Do any of the third parties you connect to have IP address restrictions?
A "Cutover" period migration from one to the other would be ideal rather than a Straight complete swap over.
Both can run at the same time, and you can use PBF to move traffic out the second link.
Rob
06-11-2018 08:29 AM
Make sure to check your default outgoing NAT rule as well. If it is set to source translate to the interface address then you will be fine, otherwise the configuration will need to be amended to your new public IP range.
06-11-2018 08:29 AM
I am not in the office...we can afford some downtime...I just need to do this quickly...
We have a VPN tunnel with another office so I need to change that as well...
If I use PBF, can I remove it later without any downtime?
Also, when I access the firewall public IP...I am redirected to the Global Protect page, not the firewall GUI page...any idea how to access it?
I think I need to change the below:
- Interface IP
- Global Protect portal
- Global protect gateway
- IKE Gateway
- One NAT policy
- Default route..
Can you think of something else?
Will the VPN work after changing the IP address and resetting it?
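Added example, not part of the thread: one way to answer "Can you think of something else?" before the cutover is to scan an exported configuration for every value that still falls inside the old ISP's public subnet. The XML below is a constructed, simplified sample (not the exact PAN-OS schema), `find_old_isp_refs` is a hypothetical helper name, and 198.51.100.8/29 is a documentation range standing in for the old ISP's allocation.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed, simplified config export for illustration (not the exact PAN-OS schema).
SAMPLE_CONFIG = """<config>
  <network>
    <interface><ethernet><entry name="ethernet1/1">
      <layer3><ip><entry name="198.51.100.10/29"/></ip></layer3>
    </entry></ethernet></interface>
    <ike><gateway><entry name="branch-vpn">
      <local-address><ip>198.51.100.10/29</ip></local-address>
      <peer-address><ip>192.0.2.77</ip></peer-address>
    </entry></gateway></ike>
    <static-route><entry name="default-route">
      <destination>0.0.0.0/0</destination><nexthop>198.51.100.9</nexthop>
    </entry></static-route>
  </network>
  <nat><entry name="inbound-web">
    <destination>198.51.100.11</destination><translated>10.0.0.20</translated>
  </entry></nat>
  <global-protect><portal><entry name="gp-portal"><ip>198.51.100.10</ip></entry></portal></global-protect>
</config>"""

# Dotted-quad tokens that are not glued to neighbouring digits or dots.
IP_TOKEN = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def find_old_isp_refs(xml_text, old_subnet):
    """Return sorted (path, value) pairs whose text or attributes hold an address in old_subnet."""
    net = ipaddress.ip_network(old_subnet)
    hits = set()
    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{name}]" if name else "")
        for value in [elem.text or "", *elem.attrib.values()]:
            for token in IP_TOKEN.findall(value):
                try:
                    if ipaddress.ip_address(token) in net:
                        hits.add((here, value.strip()))
                except ValueError:
                    pass  # looked like an address but is not a valid one
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text.strip()), "")
    return sorted(hits)

if __name__ == "__main__":
    for path, value in find_old_isp_refs(SAMPLE_CONFIG, "198.51.100.8/29"):
        print(f"{value:18} {path}")
```

Anything the scan reports outside the planned change list (here the inbound NAT destination on a second address in the old range) is an item to add to the cutover plan.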