| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| fw unloadlocal will 'unload' the policy from the appliance. To load a policy you have to either push it out from the management station, using either DashBoard or the command line, or fetch it using the command line on the appliance. |
| |||
| How can you fetch it using the command line on a given firewall? I am having a lot of issues with my recently bought IP710 firewall. It's not live yet, but I had to unload the policy and reinstall, and it's not connecting to the FTP server to pull down the IPSO image. It is in a funky state with SIC half done but not fully established, and I am unable to reset SIC because it was built as management server and firewall together. Just completely hosed here, apparently. Thanks. __________________ Systems Engineer |
| |||
| |||
| From SK: "The fw sic_reset operation will reset Secure Internal Communications (SIC) on the SmartCenter Server. The Internal Certificate Authority (ICA) will be destroyed, and Check Point components will not be able to communicate. fw sic_reset - This operation will stop all Check Point Services (cpstop). To enable communication, perform the following operations: Reinitialize the ICA. (Use cpconfig). Restart Check Point Services (cpstart). Reset SIC on each module managed by the SmartCenter Server. Reestablish trust with each machine managed by the SmartCenter Server. Warning: THIS OPERATION WILL CAUSE YOUR VPN-1/FireWall-1 NG ENVIRONMENT TO FAIL. CONSIDER THE IMPLICATIONS VERY CAREFULLY, BEFORE USING THIS SOLUTION." If you have your FW in a working environment, do this operation only at "downtime" (better first on a stand/lab). And create a backup before it. Really, I don't know how this command works on a standalone installation. I use it on a distributed installation and don't have problems with it. |
| |||
| If your Nokia is not yet in production, and if you have your SmartCenter separated, reinstalling Check Point on the Nokia is often a lot faster than trying to fix the error (well, in the process of finding the error, you'll learn). Unlike kva.kva, I experienced problems resetting SIC. The SIC was not fully deleted, and I had to manually patch some files. Therefore, to avoid a headache, I suggest reinstalling the Check Point part of your Nokia, then deleting and recreating the module on your SmartCenter. Don't forget to verify your rules if you disabled implicit rules for management. It's often a cause of problems if not done well. Verify your connectivity and network parameters before recreating the firewall object on the SC. Good luck :) |
| |||
| Sounds like a lot of work for someone new to firewalls. I definitely do NOT want to reset the SIC on all 6 externally managed firewalls because that is spelling disaster. This firewall is standalone right now, but the problem I have is that I am not able to connect to the FTP server to pull down the IPSO image. I had done a SIC but the trust was not established, and I wanted to reset the SIC but I can't do that for some reason. People have suggested that is due to the firewall being configured as a management server as well. __________________ Systems Engineer |
| |||
| Quote:
I'm not sure what you are trying to get another IPSO image for. What version of IPSO are you running now? Even if you upgrade your IPSO image, you will still have to uninstall Check Point and reinstall to make this firewall just a firewall and not a management station as well. |