| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello, We've installed and configured a second Nokia box (ip350) as an enforcement module. The first box (ip330) is set up as a SmartCentre server and enforcement module. We are now trying to add and push the license from ip330 smartcentre server to IP350 but receive repeated error messages along the lines of SIC status not established. We use 'local' licensing on ip330 and checkpoint ng fp3 on both boxes. What we'd like is to manage both boxes from a single smartcentre server, although each device is situated at a different site but will be connected to each other over the LAN. It could be that we need to install smartcentre server on ip350 and then create a gway node on the ip330? Any suggestions would be welcomed. Thank you. |
| |||
| Yes, that's what I thought. But when installing the Enforcement module on the second box, I am asked for an Activation Code - What is this? The SIC state is uninitialised at this stage. I type the admin password of the first box but still fail to authenticate via SIC. Any other suggestions before I resort to installing both the module and smartcenter on the second box? Thank you. |
| |||
| The activation is the SIC password. You have to put that on the firewall and when you set SIC for that object in the management station you use that activation code, not the admin password. |
| |||
| Thanks for the reply 'Lackie'. Unfortunately I don't know where the SIC/Activation code is on the existing firewall/smartcentre server - both fwall module and smartcentre run off the IP330. Any suggestions? Thank you. |
| |||
| You don't need to know the SIC password for the current firewall (IP330) as there will not be one because the Management station does not need one to connect to itself. You have to specify the 'one time password' on the new firewall. If you have not already done it or if you don't know it you can redefine it in cpconfig on the firewall. Once you have that established, in Dashboard, you go into the object for that firewall and into the 'Communication' section/button. This is where you put that same 'one time password' in for that firewall. This will establish SIC between the Management station and the new firewall. |
| |||
| Hi again, Yes, this is exactly what I have tried. The error reported when initialising the SIC is "SIC Status for fwall1: Unknown Failed to connect to peer ** Check that peer is running **". And the Trust state in the communication box is "Initialized but trust not established". |
| |||
| Check to see if there is a policy loaded on the firewall. If there is, unload it and try testing the SIC again. If that doesn't work, follow the steps below: On the new firewall, run 'cpconfig' and select Secure Internal Communication. Reset the 'one time password' on the Nokia. When you exit cpconfig it will run a cpstop and cpstart. Because you have changed the SIC password on the appliance now, it will load the default policy that will block all connections. Unload this policy with 'fw unloadlocal'. You will need to have console access to the appliance to run this command. Once the policy is unloaded go into Dashboard and open up the object. Go into the Communication button and select Reset. Put in the same one time password in the spaces provided and select Initialize. This should be enough to reset SIC. If that doesn't work then you may have a problem with the install on the firewall. |
| |||
| To add to the previous message, if I may: maybe you need to install policy on the old module before SIC will be established and after the new firewall object was created. If you want to see additional information about connections, try running this on the new module: fw monitor -e "accept src=ip_address_management or dst=ip_address_management;" Last edited by kva.kva; 2006-01-27 at 12:44. |