Change control IP addresses to a different network

You can change the control IP address of a Secure SD-WAN Engine to a new IP address in a different network than the old one.

Because these steps require the configuration of Outbound Multi-Link, you can only change the control IP address of Engines to a different network. For all other Secure SD-WAN Engine roles, you must change the IP address within the same network.

If management connectivity is no longer needed, change the control IP address in the SMC and reinitialize the Secure SD-WAN Engine through the command line using a new one-time password.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. If you have an IP-address-bound license for the Secure SD-WAN Engine, request a new Management Server POL-code-bound license at https://stonesoftlicenses.forcepoint.com.
    This change is required because IP-address-bound licenses are no longer supported.
  2. Install and bind the new license to the Secure SD-WAN Engine.
  3. Edit the Single Engine or Engine Cluster element in the Engine Editor and add an interface.
    • Define the new primary control address as the backup control IP address.
    • If your engine is a cluster and you do not want to lose any connections, also define a new CVI for the cluster.
  4. Configure Outbound Multi-Link.
    Create two NetLinks: one for the old control IP address and one for the new control IP address.
  5. Install the policy on the Secure SD-WAN Engine.
    From this point on, you can start using the new address in the network.
  6. To set the new and old control IP addresses as the primary and backup IP addresses, respectively, edit the Single Engine or Engine Cluster element in the Engine Editor.
    Note: If your Secure SD-WAN Engine cannot use the old and new control IP addresses simultaneously, remove the interface with the old control IP address from the Interfaces pane in the Engine Editor. Also remove the elements and rules you created for the Multi-Link configuration.
  7. Click Save and Refresh.
  8. Remove the interface with the old control IP address from the Interfaces pane in the Engine Editor.
  9. Remove the elements and rules you created for the Multi-Link configuration.
  10. Click Save and Refresh again.
    Note: If the connection with the Management Server is lost while you try to change IP addressing, run the Secure SD-WAN Configuration Wizard (sg-reconfigure) on the Secure SD-WAN Engine command line. This command returns the Secure SD-WAN Engine to the initial configuration state and re-establishes initial contact between the Secure SD-WAN Engine and the Management Server.