Change engine control IP addresses to a different network

You can change the control IP address of a Firewall to a new IP address in a different network than the old one.

Because these steps require the configuration of Outbound Multi-Link, you can only change the control IP address of Firewalls to a different network. For all other engine roles, you must change the IP address within the same network.

If management connectivity is no longer needed, change the control IP address in the SMC and reinitialize the engine through the command line using a new one-time password.

Steps

  1. If you have an IP-address-bound license for the engine, request a new Management Server POL code bound license at https://stonesoftlicenses.forcepoint.com.
    This change is required because IP-address-bound licenses are no longer supported.
  2. Install and bind the new license to the engine.
  3. Edit the Single Firewall or Firewall Cluster element in the Engine Editor and add an interface.
    • Define the new primary control address as the backup control IP address.
    • If your firewall is a cluster and you do not want to lose any connections, also define a new CVI for the cluster.
  4. Configure Outbound Multi-Link.
    Create two NetLinks: one for the old control IP address and one for the new control IP address.
  5. Install the policy on the engine.
    From this point on, you can start using the new address in the network.
  6. To set the new and old control IP addresses as the primary and backup IP addresses, respectively, edit the Single Firewall or Firewall Cluster element in the Engine Editor.
    Note: If your engine cannot use the old and new control IP addresses simultaneously, remove the interface with the old control IP address from the Interfaces pane in the Engine Editor. Also remove the elements and rules you created for the Multi-Link configuration.
  7. Click Save and Refresh.
  8. Remove the interface with the old control IP address from the Interfaces pane in the Engine Editor.
  9. Remove the elements and rules you created for the Multi-Link configuration.
  10. Click Save and Refresh again.
    Note: If the connection with the Management Server is lost while you try to change IP addressing, run the NGFW Initial Configuration Wizard (sg-reconfigure) on the engine command line. This command returns the engine to the initial configuration state and re-establishes initial contact between the engine and the Management Server.