CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all,

Does anyone know if this is the correct procedure to follow after you put a new management server in place in relation to resetting the SIC connections to the managed devices (enforcement modules).

1. Stop all Check Point processes on the Management Station (cpstop).
2. Remove the SIC entries from the Registry under SOFTWARE/CheckPoint/SIC.
3. Delete the InternalCA.* and ICA.* files from the $FWDIR/conf directory.
4. Open $FWDIR/conf/objects_5_0.C: Remove the Primary Management Object's "sic_name" attribute. Remove the InternalCA object.
5. Run cpconfig and initialize the CA.
6. Restart the Check Point processes (cpstart).

WARNING: THIS OPERATION WILL CAUSE YOUR FIREWALL-1 NG ENVIRONMENT TO FAIL. CONSIDER THE IMPLICATIONS VERY CAREFULLY BEFORE USING IT.

Thanks
Or it could be this one, which seems a little less brutal than what I previously posted.

To reset SIC on a module, perform the following two steps. The order is not important.

1. In the Policy Editor, open the Module object, click on Communication and press Reset in the Communication window. This will revoke the Module's certificate and change its SIC status to "Not initialized".
2. At the Module machine: On Windows: Open the cpconfig configuration tool, and in the SIC tab select Reset.
Hi Guys,

Well this has now been scheduled for next week. I just want to be sure that when I do this I will not actually affect the firewalls and/or their function (they are in prod) in some way. Is it really as easy as it sounds above? And is there a possibility of firewall enforcement point downtime?

Thanks
Resetting SIC on the modules will need a cpstop/cpstart, and when it comes back up it usually loads the default filter blocking all connections until you unload it and push another policy, so there will be some downtime. There is also always a chance (although rare) that even after resetting SIC you can't push a policy to the modules, thus leaving you in a down state. Make sure you have backups and, if needed, schedule some downtime in case things go for the worst.
Hi,

I was just wondering why you would get downtime, as the enforcement point would just keep working even if the current management station is powered off. A SIC reset does not unload the security policy/rule base from the enforcement point, does it?
Hi,

Well, I found out that resetting the SIC requires a reboot of the module. Thus this plan requires a more robust plan and an outage window than what CP's documents imply.
Resetting SIC does not require a reboot of the module, but it does require a restart of the cp processes on the module. Because it no longer trusts the source that it got the old policy from (that's what resetting SIC does), it will load the default, called InitialPolicy. You should be able to establish trust with a module in this situation, because the InitialPolicy does not block SIC traffic, but a fw unloadlocal from the command line will let you talk to it anyway, if there is a problem. You should make sure it has TCP/IP connectivity to the new management station before doing this. Once you have reset SIC on the module, you should be able to initialise it with the new management station and then push the policy to the firewall. Downtime is minimised by creating the policy on the new SmartCenter before you start, obviously.
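A pre-flight script for the module side of this procedure, added here as an example for the thread and not a Check Point utility: it takes a backup of $FWDIR/conf (where the InternalCA.* and ICA.* files mentioned above live) and confirms the module can reach the new management station before trust is revoked. The port numbers are assumed defaults for the SIC certificate push and policy install services; verify them against your release before relying on them.

```bash
#!/bin/bash
# Pre-flight checks before resetting SIC on a module: back up conf first,
# then confirm TCP connectivity to the new management station, so the
# InitialPolicy window is as short as possible. Example code for this thread.

# Assumed management-side ports: 18211 (SIC certificate push), 18191 (CPD /
# policy install). Adjust if your release documents different values.
SIC_PORTS=(18211 18191)

# Back up the module's conf directory (InternalCA.*, ICA.*, objects files)
# into a timestamped tarball under DEST. Prints the tarball path on success.
backup_conf() {
    local conf_dir="$1" dest="$2"
    [ -d "$conf_dir" ] || { echo "no such directory: $conf_dir" >&2; return 1; }
    mkdir -p "$dest" || return 1
    local out="$dest/conf-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$(dirname "$conf_dir")" "$(basename "$conf_dir")" || return 1
    echo "$out"
}

# Return 0 if a TCP connection to HOST:PORT succeeds within TIMEOUT seconds.
# Uses bash's /dev/tcp so it works on a module without nc installed.
tcp_reachable() {
    local host="$1" port="$2" timeout="${3:-3}"
    timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Go/no-go summary: returns 0 only when the backup succeeded and the new
# management station answers on every port in SIC_PORTS.
preflight() {
    local mgmt="$1" conf_dir="${2:-$FWDIR/conf}" dest="${3:-/var/tmp/sic-reset-backup}"
    local ok=0 out port
    if out=$(backup_conf "$conf_dir" "$dest"); then
        echo "backup: $out"
    else
        echo "backup FAILED, do not proceed"; ok=1
    fi
    for port in "${SIC_PORTS[@]}"; do
        if tcp_reachable "$mgmt" "$port"; then
            echo "management $mgmt tcp/$port: reachable"
        else
            echo "management $mgmt tcp/$port: NOT reachable"; ok=1
        fi
    done
    return "$ok"
}

# Usage on the module: preflight <new-mgmt-ip>   (uses $FWDIR/conf by default)
```

The actual reset (cpconfig, SIC tab, Reset, followed by cpstop/cpstart) is interactive and deliberately left out; run it only once preflight returns 0.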
Well, it is almost as good as a reboot as far as downtime is concerned. I used the word reboot as this is what the tech at CP used when describing how much downtime this change will generate. The new management server is set up with the same IP and addressing info as the current one, so that should not be an issue.

Thanks for the reply Simon, you have clarified a few things for me.
Hi all,

After some time of umming and arrgghhhing from the decision makers on a time window for when this change could happen, I have finally had the chance to put in the new FW management server and cut over to it. I did not need to reset any SIC communication at all and it went very smoothly. I have to thank Erick from CP for his help and advice on this one. I hope some of my posts will help others in future.