CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi,

I am using a CPMI client (running on a Linux PC) to access the Check Point object database at the management center. I have a physically connected module (R65 installed) to this management center. Now, after logging in to this management center through my CPMI client, I am able to add a network object as gateway_ckp with an IP address that corresponds to that physically existing module. I could install Firewall and enable VPN on this newly created object. But when I am trying to update this object, SIC is not getting established, as I am not able to find where to give the activation key that we usually give while configuring through SmartDashboard. Thus the communication state is showing "initialized" (ideally it should be "communicating" if SIC got established) and the trust state is showing "not established" (ideally it should be "established" if everything goes fine).

Note: I am not allowed to use SmartDashboard, and everything I want to do through CPMI.

My guess is to create a CPMI OPSEC application object for the (Linux) host running the CPMI client and establish SIC between this OPSEC application host and the module. But I am not sure of the right steps out of those thousand options in Check Point's management interface. Please let me know if anybody has got any inputs regarding this.

Thanks,
kausik

Hi jimfitz,

Using cpconfig I could reset the SIC in the enforcement module. Now in the management center (using Dashboard) I have to establish SIC for any network object by giving the activation key followed by Communicate. Now SIC will be established if this activation key matches the SIC name given in the enforcement module.

Now suppose (that is my actual scenario) you don't have Dashboard. You have reset the SIC in the enforcement module by cpconfig. Now you have a CPMI client and through that you have logged in to the management center object database. Now you have created a network object corresponding to your enforcement module. Henceforth you want to establish the SIC. How to do that? My setup doesn't allow me to use the Dashboard.

Hope you have got the problem. Please suggest.

Thanks,
kausik

Is there an actual REAL reason that you cannot use Dashboard? Trying to use Check Point without the SmartConsole tools is pretty much banging your head against a wall, and it is going to leave you with issues with support people, as they will 99.9% of the time be expecting you to be using them. How do you intend to view the logs or create VPN communities? You really are making very hard work of Check Point by not using the Dashboard.

Yes Sir,

The real reason for not using the Dashboard is that I want to automate the configuration of my setup. I want to create network objects, policies or any other database object through a script. And that I am presently able to do using the CPMI interface, as Check Point encourages third-party applications to use this interface. But the problem I am facing is the SIC establishment between the management center and the enforcement module. I am not able to figure out which is the corresponding field in the CPMI object database for the activation key that we use through Dashboard while establishing SIC.

Please suggest.

Thanks,
kausik

cp_conf sic

Description: Enables the user to manage SIC.

Usage:
cp_conf sic state                                                       # Get the current Trust state
cp_conf sic init <Activation Key> [norestart]                          # Initialize SIC
cp_conf sic cert_pull <SmartCenter Server name/IP> <module object name> # Pull certificate (DAIP only)

Hi Dantro,

Thanks for the reply. But I am still not getting your point. Using this cp_conf command I can reset or modify the SIC at the enforcement module. But what are the changes required in the Management Center so that trust can be established (as I won't be using the Dashboard)? To be more straightforward: what SIC-related inputs are needed in the management center through the command line so as to establish the SIC? (cp_conf sic is not a valid command in the management center.)

Thanks a lot, and please correct me if I am missing something very basic and not getting your point.

kausik

Could anyone tell me how to configure the SIC (secret) at the MANAGEMENT CENTER so as to establish SIC with the enforcement module through the COMMAND LINE (no Dashboard)?

Thanks,
kausik

From the Secure Knowledgebase:

Performing an 'fw putkey'

Solution
An easy method for performing this is to use the 'fw putkey' command from the OS command prompt. To perform this correctly:
1. Ensure that both machines have a hosts file with name to IP address resolution that directly matches the hostname as they are defined on their respective machines.
2. Stop the FireWall and Management modules.
3. At the command prompt type 'fw putkey <hostname>', with hostname being the hostname of the opposite machine. In other words, from the Management module, issue the command with the hostname of the FireWall module that you have placed in the hosts file. You will then be prompted for a password. Use a password of 8 characters or less. Enter it again.
4. Perform the same action from the other machine.
5. Now start the Management module, and once it is fully started, start the FireWall module.

Using fw putkey when Static NAT is used for the Management Station

Solution
Numbered items 1-5 describe the environment:
1. Management Server machine: Private IP address = 172.30.5.11; Statically NAT'd IP address = 212.150.194.191
2. Module A machine, directly connected to the Management Server: LAN IP address = 172.30.5.2; External IP address = 212.150.194.213
3. Module B machine, NOT directly connected to the Management Server: External IP address = 212.150.194.215
4. The $FWDIR/conf/clients file on the Management Server includes the following IP addresses:
   * LAN IP address = 172.30.5.2 (Module A machine directly connected to Management Server).
   * External IP address = 212.150.194.215 (Module B machine NOT directly connected to Management Server).
5. The $FWDIR/conf/masters file on the Module machines includes the following IP addresses:
   * Module machine directly connected to Management Server = 172.30.5.11
   * Module machine NOT directly connected to management = 212.150.194.191 and 172.30.5.11

Proceed as follows:

Stage 1
Run 'fw putkey' between the Management Server and the Module A machine directly connected to the Management, as follows:
1. Run 'fwstop' on both machines.
2. On the Management machine run: fw putkey -n 172.30.5.11 172.30.5.2
3. Enter the secret key.
4. On the Module A machine run: fw putkey -n 172.30.5.2 172.30.5.11
5. Enter the secret key (same one as entered on Management).
6. On the Management machine run 'fwstart'.
7. On the Module A machine run 'fwstart'.
8. Define the Module object in Policy Editor.
9. Define the following rule: Source = management, Destination = Module machine directly connected to Management, Service = FW1, Action = Accept
10. Install Policy.
11. Ping the IP address 212.150.194.191 to make sure that Static NAT works.

Stage 2
Run 'fw putkey' between the Management Server and the Module B machine NOT directly connected to Management, as follows:
1. Run 'fwstop' on both machines.
2. On the Management machine run: fw putkey -n 172.30.5.11 212.150.194.215
3. Enter the secret key.
4. On the Management machine run: fw putkey -n 212.150.194.191 212.150.194.215
5. Enter the secret key.
6. On the Module B machine run: fw putkey -n 212.150.194.215 212.150.194.191
7. Enter the secret key (same one as entered on Management).
8. On the Module B machine run: fw putkey -n 212.150.194.215 172.30.5.11
9. Enter the secret key (same one as you entered on Management).
10. On the Management machine first run 'fwstart'.
11. On the Module B machine run 'fwstart'.
12. Define the Module object on the Management machine (this could be done in an earlier stage).
13. Install Policy.

Flushing all putkey related files and reestablishing putkeys

Solution
If the putkey command is not working, you can flush all putkey related files as follows:
1) Run 'fwstop' on the Management Module and the FireWall Module.
2) Back up the following files by copying them to <filename>.old:
   $FWDIR/database/authkeys.C
   $FWDIR/database/opsec_authkeys.C
   $FWDIR/conf/fwauth.keys
   $FWDIR/conf/serverkeys.*
   NOTE: You must delete the original files. If you do not, the new putkeys will not overwrite the old keys and the procedure will not work.
3) Confirm that $FWDIR/lib/control.map is using the same authentication method as the Management Module (either fwa1 or skey).
4) Make sure the modules are able to resolve each other's IP address, and that the addresses you receive are the ones you use in steps 5 and 6.
5) On the Management Module, perform the following command: fw putkey -p <password> -n <Management Module IP> <FireWall Module IP>
6) On the remote FireWall Module, perform the following command: fw putkey -p <password> -n <FireWall Module IP> <Management Module IP>
7) On the Management Module: fwstart
8) Wait for the manager to be up, and then on the FireWall Module(s): fwstart

The putkey process is very detailed and a single error can make it fail. If the putkey process still does not work, repeat steps 1 to 8. If the above procedure does not work, you can try using a different encryption scheme, skey for example: in $FWDIR/lib/control.map replace fwa1 with skey.

SECURITY WARNING: If you absolutely must fetch or push a new policy on the firewall, the following step will DISABLE policy and log authentication on the firewall: if you use none in control.map instead of fwa1 or skey, you will be able to push a new policy to the FireWall Module from ANY Management Module.

Hi Dantro, Chillyjim,

Thanks a lot. My problem is solved by fw putkey. For others who want to make use of the CLI and NO DASHBOARD for a specific purpose, the steps are as follows.

Outline:
1. Create your object
2. Establish a secure communication trust between management center and enforcement module
3. Create and push policy

Details:

1. Create your object: This could be done using dbedit or using the CPMI interface.

e.g. using dbedit:
create gateway_ckp gateway_1.1.2.1
modify network_objects gateway_1.1.2.1 ipaddr 1.1.2.1
modify network_objects gateway_1.1.2.1 location external
modify network_objects gateway_1.1.2.1 os_info:osName IPSO
modify network_objects gateway_1.1.2.1 VPN_1 true
modify network_objects gateway_1.1.2.1 firewall installed
update network_objects gateway_1.1.2.1

OR using CPMI: open the database once you are connected, then open network_object > gateway_ckp > ipaddr ...... location, os_info > osName, VPN_1 true, firewall installed, update.

2. For this section please refer to dantro's post below. Apart from that, you should make sure that your /etc/hosts file is modified correctly at both the management and the enforcement module, by pinging the other using the hostname (not the IP address). E.g. at the module, if in /etc/hosts you have added this line:
10.11.12.13 ManagementCenter
then try to "ping ManagementCenter" from the module, and vice versa. If that ping is not working, then look back at the file /etc/hosts and see if your modification has already taken effect or not. Then follow the fw putkey steps as rightly said by dantro.

NOTE: To capture the trust negotiation you could dump the packets at both ends.

3. Create and push policy: This could be done using the CPMI interface (WITHOUT USING THE SMART DASHBOARD). While creating the policy, when you are asked for the install option, select object_ckp and you will see the created gateways (that you created at step one, either by dbedit or CPMI) as your options. Select one of the gateways, then update the database. The policy will be installed on the created object. You can see the data exchanged between the management center and the enforcement module if you are capturing it.

[Note: I have not given more elaborate details of the CPMI part here. Anyone interested could start a new thread.]

The advantage of this procedure is that anyone can do any FW1/VPN1 operation using the command line and without the use of any graphical interface. This is very useful for people who want to automate the process.

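The procedure in the post above (dbedit object creation, the /etc/hosts check, then fw putkey with the -p/-n form from the Secure Knowledgebase post) scripted end to end, as an added example that is not code from the CPUG thread or from Check Point. It assumes dbedit, fw, fwstop and fwstart are on PATH on the machine it runs on; the object name, hostnames, addresses and the PUTKEY_SECRET variable are constructed placeholders. The hosts check treats a stale duplicate entry for the same hostname as a failure, since the KB step "make sure the modules are able to resolve each other's IP address, and that the addresses you receive are the ones you use" is exactly what such an entry breaks.

```shell
#!/bin/sh
# Added example (not from the CPUG thread or Check Point). Runs one side of
# the no-Dashboard procedure: build the dbedit script for the gateway object,
# verify the local hosts file, then fw putkey and restart.
# Assumptions: dbedit, fw, fwstop, fwstart on PATH; names/addresses below are
# constructed placeholders; the shared secret comes from PUTKEY_SECRET.

OBJ=gateway_1.1.2.1            # object name used in the thread
MODULE_IP=1.1.2.1              # enforcement module address
MODULE_HOST=EnforcementModule  # placeholder hostname for the module
MGMT_IP=10.11.12.13            # management center address (hosts example above)
MGMT_HOST=ManagementCenter     # hostname used in the /etc/hosts example
KEY=${PUTKEY_SECRET:-}         # shared putkey secret, 8 characters or less

# Emit the dbedit commands that create the gateway_ckp object, mirroring the
# commands posted in the thread. $1 = object name, $2 = IP, $3 = OS name.
dbedit_gateway_script() {
    cat <<EOF
create gateway_ckp $1
modify network_objects $1 ipaddr $2
modify network_objects $1 location external
modify network_objects $1 os_info:osName ${3:-IPSO}
modify network_objects $1 VPN_1 true
modify network_objects $1 firewall installed
update network_objects $1
quit
EOF
}

# Succeed only if hosts file $1 maps hostname $2 to exactly IP $3 and to
# nothing else. A stale entry for the same name higher in the file is the
# usual reason "ping <hostname>" resolves to the wrong box before putkey.
hosts_maps() {
    awk -v h="$2" -v ip="$3" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # need "ip name [alias ...]"
        { for (i = 2; i <= NF; i++)
              if ($i == h) { seen = 1; if ($1 != ip) bad = 1 } }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# fw putkey takes a password of 8 characters or less (KB post above).
valid_putkey_secret() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 8 ]
}

# $1 = mgmt | module: run the half of the procedure that applies locally.
main() {
    valid_putkey_secret "$KEY" || { echo "PUTKEY_SECRET must be 1-8 characters" >&2; return 1; }
    case $1 in
    mgmt)
        hosts_maps /etc/hosts "$MODULE_HOST" "$MODULE_IP" \
            || { echo "/etc/hosts does not map $MODULE_HOST to $MODULE_IP" >&2; return 1; }
        # Create the object in the local management database. From a remote
        # client the equivalent is: dbedit -s <server> -u <user> -p <pw> -f <file>
        dbedit_gateway_script "$OBJ" "$MODULE_IP" IPSO > "$OBJ.dbedit"
        dbedit -local -f "$OBJ.dbedit"
        fwstop
        fw putkey -p "$KEY" -n "$MGMT_IP" "$MODULE_IP"
        fwstart
        ;;
    module)
        hosts_maps /etc/hosts "$MGMT_HOST" "$MGMT_IP" \
            || { echo "/etc/hosts does not map $MGMT_HOST to $MGMT_IP" >&2; return 1; }
        fwstop
        fw putkey -p "$KEY" -n "$MODULE_IP" "$MGMT_IP"
        fwstart    # run only after the management side has finished fwstart
        ;;
    *)
        echo "usage: PUTKEY_SECRET=<secret> $0 mgmt|module" >&2
        return 1
        ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `PUTKEY_SECRET=s3cret sh putkey_sic.sh mgmt` on the management center first, then with `module` on the enforcement module once the management side has restarted, which is the order the KB post requires. Two caveats a practitioner will want: `-p` puts the secret on the command line, where any other local user can read it from the process list, so on a shared box prefer the interactive `fw putkey -n <local> <peer>` form from Stage 1 and type the secret at the prompt; and if putkey still fails, follow the flush procedure rather than setting control.map to none, which the KB warning above notes disables policy and log authentication entirely.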