| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Which of the following Options in cpconfig is used to "reset" the SIC on the firewall? Thanks. Configuration Options: ---------------------- (1) Licenses (2) Administrator (3) GUI Clients (4) SNMP Extension (5) Group Permissions (6) PKCS#11 Token (7) Random Pool (8) Certificate Authority (9) Certificate's Fingerprint (10) Enable Check Point SecureXL (11) Automatic start of Check Point Products __________________ Systems Engineer |
| |||
| It's definitely a management install, the (3) GUI Clients gives this away for example. I think it might be a standalone install though with that number of options. Is it a Nokia install by any chance? Also 'fwm sic_reset' destroys the Internal Certificate Authority and therefore invalidates the certificates (and SIC) for all modules. It's not the way I would choose to do it, better off going to the enforcement module and running cpconfig there, before resetting/re-establishing in Smart Dashboard. Out of interest, what was the original motivation for the question? |
| |||
| I have 6 other firewalls at various sites across the US. Would using fwm sic_reset cause issues with them? I wanted to add a new firewall at my current location and I was trying to bring that online. I wanted to reset the SIC because I forgot the SIC that I had used on this Nokia IP710 firewall when I first built it. I don't know the difference with the management/standalone install. I am running IPSO 3.9, which came preinstalled on this Nokia IP710. Usually in the past when you run cpconfig, you have an option in the main menu for "Secure Internal Communication" which I can't find on here. More help needed. Thanks. __________________ Systems Engineer |
| |||
| This is the menu when I select Option 8 Enter your choice (1-12) :8 Configuring Certificate Authority... ==================================== The Internal CA is initialized with the following name: "firewallname" Do you want to change it (y/n) [n] ? ************************************************** ************************************************** **************** This is the menu when I select Option 7 Enter your choice (1-12) : 7 Configuring Random Pool... ========================== You are now asked to perform a short random keystroke session. The random data collected in this session will be used in various cryptographic operations. Please enter random text containing at least six different characters. You will see the '*' symbol after keystrokes that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored. Please keep typing until you hear the beep and the bar is full. [ ] __________________ Systems Engineer |
| |||
| Hi Humayun, You don't have the option for 'Secure Internal Communication' via cpconfig when it is a management install. This is because it is typically reset at an enforcement module, then re-established using the GUI connected to the management server. This is why I'm sure that you have a management install or standalone (enforcement module and management on the same box). The fact that there is a Certificate Authority confirms this. You may have to reconfigure the install if you want this box to be an Enforcement Module only, for example. Don't issue the 'fwm sic_reset' command on the Management Server if you are managing multiple firewalls and do not want to reset SIC on all of them. Invoking this command will basically throw up a warning text and y/n prompt which you should read and understand before accepting. If you have one problem firewall, it's much better to go to the command prompt and run through the Secure Internal Communication command from cpconfig. Hope that helps. |
| |||
| right, well if you've got 6 remote firewalls then definitely don't run fwm sic_reset :) will take a bit of un-needed work to get them all talking again.. i was assuming you had one local firewall enforcement point you could just re-establish sic with reset sic on the enforcement.. __________________ ///M |
| |||
| This was just going to be a new firewall and I have a separate management server which we use to currently manage the 6 other firewalls. This came preinstalled with IPSO3.9 build 41 so I am assuming that I need to reinstall CP on this and make this only a firewall. Thanks for your help guys. __________________ Systems Engineer |