CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

When I try to run the Policy Editor for my Check Point NG server it says "Connection cannot be initiated. Make sure ..." I get the same message when I try to run the SmartDashboard from a client. Everything was working before and I don't think anything has changed, but I can't get to the firewall dashboard. I have been reading the FAQs and it says I need to reset my SIC. The FAQs are mainly geared towards Windows and I am running Solaris 8. Can someone help me on how to reset the SIC? I tried to work off of the Windows way and here is what I have done.

    % fwm sic_reset
    ***************** Warning: ****************
    This operation will reset the Secure Internal Communication (SIC).
    The internal Certificate Authority will be destroyed and Check Point Components will not be able to communicate.
    You will have to perform the following operations to enable communication:
    1. Re-initialize the internal Certificate Authority (use cpconfig).
    2. Restart Check Point Services (cpstart, cpridstart).
    3. Reset SIC on each Station that is managed by this SmartCenter Server.
    4. Re-establish Trust with each Station that is managed by this SmartCenter Server.
    *******************************************
    This operation will stop all Check Point Services (cpstop)
    Are you sure you want to reset? (y/n) [n] ? y
    *** Checking IKE Certificates ***
    There are IKE Certificates that were generated by the internal Certificate Authority.
    Please remove them (using the Policy Editor) so that the internal Certificate Authority can be destroyed.
    SIC Reset operation could not be completed

It fails and it says to remove the IKE Certificates using the Policy Editor, but I am back to the part where I cannot use the Policy Editor. Anyone have any hints on how to remove the IKE certs without going through Policy Editor? Am I going at it the right way?

Whoa, I don't think your problem is that you have to reset SIC on your Management Server. If the only issue you're having is that you can't log into your Management Server through the GUI clients, it doesn't sound like you need to reset SIC. You would have to reset SIC if you couldn't communicate between modules (e.g. your Management Server can't push policy to your Firewall).

There are a few things I would try.

1) Do a cpstart on your management server to make sure the Check Point Products are started.

2) Run a cpconfig from the Management Server. Go into the "GUI Client" option. Make sure your IP address or network is defined as a GUI Client, or that you have "Any", which would allow any IP to connect.

3) If there is a firewall between you and the Management Server, make sure that you are allowing CPMI to pass through the firewall from your machine to the Management Server.

Confirm that all of these settings are correct and let me know what happens...

__________________
Aaron Vivo
CCSE Plus, CCMSE, NSA

1) I have done the cpstart.

2) I ran the cpconfig and went into "Management Clients" and verified that the machines that need access are in it.

3) There are no firewalls in the way, and also, I was trying to run Policy Editor from the server and it still did not allow me to run the GUI.

Thanks,
Steve

SIC shouldn't have anything to do with connecting to the Dashboard. Make sure that the Management station doesn't have a firewall 'accidentally' installed on it. You can verify that by typing 'fw stat' from the command line. If there isn't a firewall installed on it then you may have a more serious issue.

I ran the fw stat and I got the following results.

    % fw stat
    HOST      POLICY   DATE
    localhost Standard 3Nov2005  9:54:54 :  [>hme0] [<hme0] [>qfe0] [>qfe2] [<qfe2] [>qfe3] [<qfe3] [>qfe4] [<qfe4] [>qfe5] [<qfe5]

Isn't this normal? I guess the part I am confused about is that I am trying to run the GUI from the server and it won't let me. It worked for me before and then all of a sudden it stopped. Is it a licensing issue?

That tells me that you have a firewall installed on the management station (or Standalone setup). Is your management station also working as a firewall, or is it just supposed to be a management station? If it's just supposed to be a management station, as a workaround you can try unloading the policy that is currently installed and then try connecting with the GUI client.

This is the actual firewall that I am trying to run the management station on to make changes. I usually run the management station on my PC, which has worked in the past, but now it doesn't seem to work. When I have issues, I can usually go to the actual firewall and run the management station from it.

I'm not sure you've understood the architecture here. There are 3 components: the enforcement module, the management server and the GUI. I suspect from your reply that what you are thinking of as the management server is the GUI, also known as SmartDashboard. The management server can be on the same machine as the enforcement module, and in small installations often is. The GUI can be on several different machines at the same time.

The GUI is the program you run that allows you to manipulate objects and rules. It connects to the management server to do this. The management server holds the object and rule definitions, as well as some other tasks such as acting as a certificate authority, and compiles policies, which it pushes to the enforcement module. The enforcement module is your perimeter gateway that actually enforces the policy. As I said, the management server and the enforcement module can be on the same machine.

Moving on to your problem. Apologies if this is simplistic, I don't know how much Solaris you know. Go to the management station (probably the same machine as your enforcement module) and enter 'ps -ef | grep fwm'. If there is no fwm process, do a cpstart and try connecting. If that fails, do the ps -ef | grep fwm again and make sure the fwm process has not died.

If this doesn't help, I would suggest going into cpconfig and removing all GUI clients, then re-adding them.

If none of this helps, let us know if you have recently started using any VPNs or have upgraded the firewall. Also what version of FireWall-1 you are using.

First off, thanks for all the tips on trying to help with this issue. It's still driving me crazy not knowing what the problem is. Anyways, the configuration that I am running here is we have the enforcement module and the management server running on the same machine. I also run the GUI (SmartDashboard) from the same machine occasionally. I also have the GUI (SmartDashboard) loaded on a different machine, which is where I usually do all my changes from.

So, following your instructions and grepping for "fwm", it came back with a process, which verifies that there is a firewall running. I also went into cpconfig and deleted all the management clients and recreated them. After doing all that I still get the same error. Just for clarification purposes, the error I get is:

    Check Point SMART Client
    Connection cannot be initiated. Make sure that the server 'hostname' is up and running.

Information on my configuration:

    OS: Solaris 8
    Upgrade to FW: No upgrades have been performed.
    FW Version: Check Point SmartCenter NG Feature Pack 3 Build 53168
    VPN Running: None that I am aware of.

Are there any FW logs that can be viewed without using the GUI?

Last edited by skperez; 2005-11-08 at 12:01.

When was the last time that you could connect with the GUI... from any location? If you unload the current policy on the firewall, are you able to connect with a GUI?

The GUI was working about 1.5 weeks ago. How do I unload the policy? Is this just issuing the cpstop and then trying to run the GUI?

Another thing I was thinking: I run backups of the firewall. If I wanted to reset the firewall back to when it was working (about 1.5 weeks ago), what files do I need to restore and how would I do it? Here is what I want to try:

    do a cpstop
    restore the files (Don't know which ones.)
    do a cpstart
    ....and hope it comes up.

Is it something worth trying?

To unload the firewall policy, type:

    fw unloadlocal

... from the command prompt of the enforcement module. Then try to connect.

If you do a cpstop, that will also stop the Management Server, which will cause you to not be able to connect...

I would try to unload the policy first, before you run a restore. Seems like too simple a problem to just do a restore... (Not trying to undermine your problem, but it should be something easy to fix) =)

Did you by chance make any changes to the Implied Rules of the Global Policy right before this stopped working?

__________________
Aaron Vivo
CCSE Plus, CCMSE, NSA

Last edited by czech12; 2005-11-11 at 12:40.

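The replies above amount to a triage procedure for the "Connection cannot be initiated" error on a standalone NG box: is fwm (the management daemon the GUI talks to) running, is the client an allowed GUI client, and is an installed policy in the way of the CPMI connection (TCP 18190), which is what the implied rules question is about. The script below is an added example written for this page, not code from the thread or from Check Point. It wraps each check in a function that takes command output as a string, so it can be exercised on constructed samples without a Check Point box; the `fw stat` sample copies the line posted above, the `ps -ef` lines, the install path `/opt/CPfw1-50` and the one-entry-per-line layout of `$FWDIR/conf/gui-clients` (what cpconfig's GUI Clients menu maintains) are assumptions and are marked as such in the code.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage helpers for the
# "Connection cannot be initiated" symptom on a standalone NG box.
# Each helper takes command output as a string, so the checks can be
# exercised on constructed samples. Assumed formats are marked.

# Policy name from 'fw stat' output ($1). On NG the second line reads
# "localhost <policy> <date> ...". "-" means nothing is loaded (after
# 'fw unloadlocal'); "defaultfilter" and "InitialPolicy" are the
# boot-time filters, not an installed security policy.
fw_policy_name() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $2; exit }'
}

# 0 if 'fw stat' output ($1) shows a real (user) policy being enforced.
fw_policy_enforced() {
    case "$(fw_policy_name "$1")" in
        ""|-|defaultfilter|InitialPolicy) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if an fwm process appears in 'ps -ef' output ($1). Matches on the
# basename of any field so both "fwm" and "/opt/.../bin/fwm" count;
# the "grep fwm" line that a pipe would add is discarded first.
fwm_running() {
    printf '%s\n' "$1" | grep -v grep | awk '
        { for (i = 1; i <= NF; i++) { n = split($i, p, "/"); if (p[n] == "fwm") f = 1 } }
        END { exit !f }'
}

# 0 if client IP $2 is permitted by gui-clients contents $1.
# Assumed layout (one entry per line): an IP, a hostname (ignored here),
# "Any", or a network written as addr/mask. Mask arithmetic uses
# per-octet modulo so it works in any POSIX awk (no and()).
gui_client_allowed() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function masked(a, m, p) { p = 256 - m; return a - (a % p) }
        /^[ \t]*(#|$)/ { next }
        $1 == "Any" || $1 == ip { ok = 1; exit }
        index($1, "/") {
            split($1, s, "/"); split(s[1], n, "."); split(s[2], m, "."); split(ip, c, ".")
            hit = 1
            for (i = 1; i <= 4; i++) if (masked(c[i], m[i]) != masked(n[i], m[i])) hit = 0
            if (hit) { ok = 1; exit }
        }
        END { exit !ok }'
}

CPMI_PORT=18190   # SmartDashboard -> management server, TCP

# triage <fw stat output> <ps -ef output> <gui-clients contents> <client IP>
# Prints the first finding in the order the thread suggests; returns
# 0 when none of the three checks explains the failure.
triage() {
    if ! fwm_running "$2"; then
        echo "fwm is not running: run cpstart, then re-check 'ps -ef | grep fwm'"; return 1
    fi
    if ! gui_client_allowed "$3" "$4"; then
        echo "$4 is not an allowed GUI client: add it under cpconfig"; return 2
    fi
    if fw_policy_enforced "$1"; then
        echo "policy '$(fw_policy_name "$1")' is enforced: if it no longer accepts control connections (implied rules), try 'fw unloadlocal' and reconnect"; return 3
    fi
    echo "fwm up, client allowed, no policy loaded: the problem is not the rulebase; check the fwm log and the TCP $CPMI_PORT listener next"
    return 0
}

# Constructed samples (the fw stat line is the one posted in the thread;
# process list, install path and gui-clients layout are assumed).
SAMPLE_FW_STAT='HOST      POLICY   DATE
localhost Standard 3Nov2005  9:54:54 :  [>hme0] [<hme0] [>qfe0]'
SAMPLE_FW_STAT_UNLOADED='HOST      POLICY   DATE
localhost -        -'
SAMPLE_PS_WITH_FWM='    UID   PID  PPID  C    STIME TTY      TIME CMD
   root   231     1  0   Nov 03 ?        0:04 /opt/CPfw1-50/bin/fwm
   root  1877  1822  0 12:01:33 pts/1    0:00 grep fwm'
SAMPLE_PS_NO_FWM='    UID   PID  PPID  C    STIME TTY      TIME CMD
   root   230     1  0   Nov 03 ?        0:02 /opt/CPshared/5.0/bin/cpd
   root  1877  1822  0 12:01:33 pts/1    0:00 grep fwm'
SAMPLE_GUI_CLIENTS='# entries as written by cpconfig (assumed layout)
10.1.1.25
192.168.7.0/255.255.255.0'

# Demonstration run: policy loaded, fwm up, client allowed -> finding 3.
triage "$SAMPLE_FW_STAT" "$SAMPLE_PS_WITH_FWM" "$SAMPLE_GUI_CLIENTS" 10.1.1.25 || true
```

On a real box, feed the helpers live output, for example `triage "$(fw stat)" "$(ps -ef)" "$(cat $FWDIR/conf/gui-clients)" 10.1.1.25`. The order matters: a missing fwm explains the error on its own, and unloading the policy is only worth trying once the daemon and the client list are known good.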
I unloaded the policy and then tried to connect to the SmartDashboard and it gave me the same error message.

    Connection cannot be initiated. Make sure that the server 'hostname' is up and running.

When the Management console was working I was making changes and then my machine (not the server) crashed. As soon as my machine came back up, I logged back into the console and things seemed to be working. I was able to make changes and I thought things were okay. I am not sure if this is coincidence or whether something was left in the objects and then once I applied it screwed things up.

Not sure if it's related to the problem that you had before. Probably not, but can't be sure. If you have a backup from before you had this problem, it may be easiest/quickest to do a clean install and restore from backup. In my previous experience, if a standalone can't connect to itself, it's never been a pretty fix.

I agree with Lackie, unless you have Check Point support and want to create a ticket with them to see what they say.

Before, you said that you had a backup, but you weren't sure what files you needed to restore. How did you back up the server? Did you use an "upgrade_export" Check Point command (recommended) or did you just back up the $FWDIR and $CPDIR directories?

__________________
Aaron Vivo
CCSE Plus, CCMSE, NSA

It's not a bad thing, but an upgrade_export is better... the upgrade_export will tgz the files for you and it is only one file. This binary is found in $FWDIR/bin/upgrade_tools.

I would run an upgrade_export now, just so you can get back to at least this point if your restore doesn't work out properly. Then, I would rename the $FWDIR and $CPDIR directories (the actual name of the last folder in the path, not the variable), then restore the ones that you have from backup from before you experienced the problem.

Let us know how that works out.

__________________
Aaron Vivo
CCSE Plus, CCMSE, NSA

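The rollback the post describes (rename the live $FWDIR and $CPDIR rather than delete them, then put the pre-incident copies back) is easy to get wrong by hand on a production gateway, so here it is as a script with the checks a practitioner would want first. This is an added example written for this page, not code from the thread or from Check Point. It assumes the backup is a plain tar archive of the two install trees taken relative to the filesystem root (the kind of "just back up $FWDIR and $CPDIR" copy the previous post asks about, not an upgrade_export bundle); the directory names `opt/CPfw1-50` and `opt/CPshared/5.0` and the file names inside the sandbox are assumptions, and the sandbox itself is a constructed fixture so the procedure can be run without a Check Point box.

```shell
#!/bin/sh
# Added example, not from the thread: the "rename, then restore" rollback
# of $FWDIR and $CPDIR, with safety checks. Assumes a plain tar backup of
# both trees relative to the root, e.g.
#   tar -cf backup.tar -C / opt/CPfw1-50 opt/CPshared/5.0
# Paths below are assumed NG FP3 on Solaris defaults; pass your own.

# rollback_cp_dirs <backup.tar> <root> <fwdir-relative> <cpdir-relative>
rollback_cp_dirs() {
    backup=$1; root=$2; fwdir=$3; cpdir=$4
    stamp=$(date +%Y%m%d%H%M%S)

    # 1. Rename nothing unless the archive really holds both trees.
    for d in "$fwdir" "$cpdir"; do
        if ! tar -tf "$backup" | grep -q "^$d/"; then
            echo "backup $backup does not contain $d; aborting before any change" >&2
            return 1
        fi
    done

    # 2. Services must be down so fwm/fwd are not writing into the tree
    #    while it is moved. Runs cpstop where it exists; in a sandbox
    #    without Check Point installed there is nothing to stop.
    if command -v cpstop >/dev/null 2>&1; then cpstop; fi

    # 3. Rename the last path component, keeping the broken copy for
    #    later analysis (and as a way back if the restore is worse).
    for d in "$fwdir" "$cpdir"; do
        if [ -d "$root/$d" ]; then mv "$root/$d" "$root/$d.broken.$stamp"; fi
    done

    # 4. Restore relative to root, then verify both trees came back.
    tar -xf "$backup" -C "$root" "$fwdir" "$cpdir" || return 1
    for d in "$fwdir" "$cpdir"; do
        if [ ! -d "$root/$d" ]; then echo "$d missing after restore" >&2; return 1; fi
    done
    echo "restored $fwdir and $cpdir under $root; previous copies kept as *.broken.$stamp"
}

# Constructed fixture: a throwaway root holding a "good" backup archive
# and a damaged live tree, so the rollback can be exercised offline.
# File names are assumed; only their contents are checked.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/opt/CPfw1-50/conf" "$sb/opt/CPshared/5.0/conf"
    echo good > "$sb/opt/CPfw1-50/conf/objects_5_0.C"
    echo good > "$sb/opt/CPshared/5.0/conf/cp.license"
    ( cd "$sb" && tar -cf backup.tar opt/CPfw1-50 opt/CPshared/5.0 )
    echo damaged > "$sb/opt/CPfw1-50/conf/objects_5_0.C"   # the "current" state
    echo "$sb"
}

# Demonstration run in a sandbox, then clean up.
demo=$(make_sandbox)
rollback_cp_dirs "$demo/backup.tar" "$demo" opt/CPfw1-50 opt/CPshared/5.0
rm -rf "$demo"
```

On the real box, call it as `rollback_cp_dirs /var/backups/cp-20051101.tar / opt/CPfw1-50 opt/CPshared/5.0` after taking the upgrade_export the post recommends, so there is a known-good snapshot of the broken state too. The archive check in step 1 is the important part: a backup that turns out to hold only one of the two trees is discovered before the live directories have been renamed, not after.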
I will give it a shot and let you know. Another idea I was thinking to try was to manually disable one rule at a time from the command line. Is there a way to do that? The only way I know is to run SmartDashboard, disable the rule and then "install policy".

I don't believe there is a way to do that. Once the policy is installed, it can only be uninstalled from the command line.

After thinking about it, I don't think it is a security policy issue anymore. First of all, you unloaded the complete policy and still couldn't connect; second, you can't log into the server from itself. Traffic from itself should be allowed to go to itself...

__________________
Aaron Vivo
CCSE Plus, CCMSE, NSA