| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||
| I reinstalled SPLAT R60 NGX products on the same machine/hardware and used the RESTORE command. Now everything looks good, system settings, objects and rules, OK! But in SmartView Monitor every gateway is showing the UNTRUSTED status and I can't actually manage the firewalls or install policy. I'd like to know how to re-establish the SIC between the Manager R60 NGX and the Gateways, but they're NG R55W on a Cluster configuration. Is there any special step for re-establishing SIC when I have a Cluster config? Any help plz? Thx! __________________ CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F |
| |||
| Re-establish for one server, check cluster status, re-establish for another one and install policy. I had one problem a couple of times - after resetting SIC on a stand-alone module, it dropped traffic until policy installation. |
| |||
| Ok! My first step was to try to re-establish the SIC with the Backup node and the manager, so I performed cpconfig on the node, selected Secure Internal Communications and followed all the steps. It shows some kind of error though. After that I went to the SmartDashboard and right-clicked the backup node gateway; in Properties I selected Reset SIC and typed the new key I had set in the node. There's an error message stating that Communication problems occurred. I didn't go any further because I couldn't get through these first steps... do you have any clue on what must be causing this? Thanks again, Robori __________________ CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F |
| |||
| Quote:
You need to check connectivity between the module and SC, check that the SC host's name resolves, and check whether the SC name is correct in /etc/masters on the module. Also you can type "fw unloadlocal" on the module before re-establishing SIC (I think in this case the active module will be active, the backup will be down). |
| |||
| I can ping the SC from the node and the other way around too, ok! As I said, I first tried re-establishing SIC on the backup gateway. There's an error message when trying to initialize the policy; it tries to get it from the SC but has no success, then it cpstops then cpstarts again. I guess when it cpstarts it loads a local policy or a blank one... because after that I can't connect to the module anymore (via SSH) and I can't ping it either. I had to log on locally and type fw unloadlocal so that I could access it again through the network. : ( __________________ CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F |
| |||
| "Hardening OS Security: Initial policy will be applied until the first policy is installed" is the answer to the question about connectivity. Does Tracker show any errors when you try to initialize SIC from Dashboard? Do I understand correctly that you also cannot establish SIC after fw unloadlocal? Last edited by kva.kva; 2007-03-16 at 07:35. |
| |||
| Hmm.. I got it. Now, do you know if we need to install the license prior to resetting SIC? We're still running on trial period. Do we need to reset the ICA on the manager as well? Thank u! __________________ CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F |
| |||
| If the error relates to connectivity, I don't think that you need to recreate the ICA. Which error message does Dashboard show exactly? On the Security Gateway, the cpd daemon records SIC-related information to cpd.elg. Look at the file. I think it's time to debug. Good SK - Troubleshooting SIC - https://secureknowledge.checkpoint.c...ion&id=sk30579 And one more - did you reboot SmartCenter after restoring? |
| |||
| That's what's on our cpd.elg: SIC Error: Server could not find authentication method for service amon. Peer is cp_mgmt And yes, we rebooted the manager. I didn't take note of the error on the SmartDashboard when trying to reset SIC, but the error occurs before, when I try to reset it on the gateway first. Thanx!!! __________________ CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F |
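
The checks suggested in the replies above (SC name resolution, the SC entry in the masters file, SIC errors in cpd.elg), gathered into one script as an added example that is not part of the original thread. The function names, the file paths passed as arguments and the availability of `getent` on the module are assumptions; the log pattern is taken from the single cpd.elg line quoted above.

```shell
#!/bin/sh
# Added example: pre-checks to run on the gateway (module) before a SIC reset.
# Nothing here is Check Point's own tooling; all paths are passed in by the caller.

# 1. Does the SmartCenter (SC) host name resolve on this module?
#    Assumes getent exists on the module.
sc_resolves() {   # usage: sc_resolves <sc_name>
    getent hosts "$1" >/dev/null 2>&1
}

# 2. Is the SC name listed, as a whole word, in the masters file?
sc_in_masters() {   # usage: sc_in_masters <sc_name> <masters_file>
    grep -qiwF -- "$1" "$2" 2>/dev/null
}

# 3. Summarise SIC errors in cpd.elg as: <count> <service> <peer> <message>
#    Matches "SIC Error: <message> for service <svc>. Peer is <peer>"
#    anywhere in a line, so any prefix cpd puts before it is ignored.
sic_error_summary() {   # usage: sic_error_summary <cpd.elg>
    sed -n 's/.*SIC Error: \(.*\) for service \([^ .]*\)\. Peer is \([^ ]*\).*/\2 \3 \1/p' "$1" 2>/dev/null |
        sort | uniq -c | sed 's/^ *//'
}

# Run all three checks and report; returns non-zero if anything needs attention.
sic_precheck() {   # usage: sic_precheck <sc_name> <masters_file> <cpd.elg>
    rc=0
    sc_resolves "$1"        || { echo "FAIL: cannot resolve $1"; rc=1; }
    sc_in_masters "$1" "$2" || { echo "FAIL: $1 not found in $2"; rc=1; }
    errs=$(sic_error_summary "$3") || true
    if [ -n "$errs" ]; then
        echo "SIC errors (count service peer message):"
        echo "$errs"
        rc=1
    fi
    return $rc
}
```

Grouping the errors by service and peer shows at a glance whether one peer is being rejected for every service or only for a single one, such as the `amon` entry quoted in the last post.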