Please ignore the post below; I finally worked out what "edit encryption domain" was referring to! All done and working :) Thanks for your help.
I have exactly the same issue as the sticky you just posted.
Can you answer a few questions that I don't understand?
What do you mean by "redefine the encryption domain"? I have read this and other articles stating the same, but I just don't understand what is meant by "redefine the encryption domain", and I am feeling a little stupid that I don't.
Sorry for asking such a dumb question.
Please let me know if above steps are correct.
If yes, then:
Q-1: Should we perform the above steps with the sync cable plugged in between both FWs, or without it?
Q-2: Will this whole process interfere with the active (secondary) FW, which is currently passing the traffic? (We want it to continue passing traffic after the primary comes back up, as we will not be changing the priority of the FWs right now.)
I am planning to do the below steps; can you confirm if they are correct?
We have restored from the backup we had, so basically the primary FW is ready & we just want to put it in the cluster & for the time being continue passing traffic to the secondary FW, which is "active" right now.
So this is what we are planning to do, please let me know if any modification is needed in the below steps:
1) Go to the FW module (SecurePlatform) & re-initialize SIC communication by entering the activation key (all through the CLI).
2) Go to Dashboard & reset SIC on the firewall object by:
a) Double-clicking the Firewall Object in the Policy.
b) Clicking on Communication.
c) Clicking on the Reset button.
d) Entering the activation key.
e) Entering the activation key again under Confirm Activation Key (this is the same key we entered on the FW module).
f) Clicking on the Initialize button.
g) Clicking on Test SIC Status.
h) Pushing the policy.
We are currently running Check Point R55 AI on SecurePlatform in cluster mode. A few days ago the primary module crashed and the secondary took over, so we have rebuilt a new primary FW and restored the config from backup.
So now the primary FW is ready. After plugging it in, what steps do we need to follow so that both FWs are in sync, and what are the steps to re-initialize SIC (I think we need to do that to make it communicate with the SmartCenter server)?
In ISP redundancy, after setting it up in the FW properties, we will have 2 ISPs with 2 different IP addresses. But if any external client connects to the FW, which IP will they use: the ISP1 IP or the ISP2 IP?
Is it possible on the Check Point to create two VPN tunnels going to the same destination network, but terminating on different VPN endpoint IP addresses? How will the Check Points work if we have two VPN tunnels going to the same destination network? For example, will it load balance over the two VPN tunnels, or select one as the primary and, if that fails, use the other as backup?
1) What does the rule any-any-NBT-drop mean?
2) Can
192.168.1.12 (source) - 10.10.5.55 (destination) - http - accept
10.10.5.55 (source) - 192.168.1.12 (destination) - http - accept
be put in a single rule, if earlier they were in 2 different rules?
Can you also tell me the steps for how to renew a certificate for cp_mgmt?
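Added example, not from the thread: a small first-match rulebase model that checks whether collapsing the two directional rules from the question into one rule (both hosts in source and both in destination) accepts exactly the same flows, or broadens them. The third host, the smb service and the cleanup rule are constructed for the check; the same function works for any proposed merge.

```python
from itertools import product

ANY = "Any"  # wildcard value for a rule field

def matches(field, value):
    return ANY in field or value in field

def rule_matches(rule, src, dst, svc):
    return matches(rule["src"], src) and matches(rule["dst"], dst) and matches(rule["svc"], svc)

def allowed_flows(rules, hosts, services):
    """First-match evaluation: return the set of (src, dst, svc) flows the rulebase accepts."""
    allowed = set()
    for src, dst, svc in product(hosts, hosts, services):
        for rule in rules:
            if rule_matches(rule, src, dst, svc):
                if rule["action"] == "accept":
                    allowed.add((src, dst, svc))
                break  # the first matching rule decides; later rules are never consulted
    return allowed

def merge_gap(original, merged, hosts, services):
    """(flows newly accepted by the merged rulebase, flows it no longer accepts)."""
    before = allowed_flows(original, hosts, services)
    after = allowed_flows(merged, hosts, services)
    return after - before, before - after

# Constructed scenario: the two rules from the question plus a cleanup rule.
A, B = "192.168.1.12", "10.10.5.55"
ORIGINAL = [
    {"src": {A}, "dst": {B}, "svc": {"http"}, "action": "accept"},
    {"src": {B}, "dst": {A}, "svc": {"http"}, "action": "accept"},
    {"src": {ANY}, "dst": {ANY}, "svc": {ANY}, "action": "drop"},
]
# The proposed single rule: both hosts in source and both in destination.
MERGED = [
    {"src": {A, B}, "dst": {A, B}, "svc": {"http"}, "action": "accept"},
    {"src": {ANY}, "dst": {ANY}, "svc": {ANY}, "action": "drop"},
]
HOSTS = [A, B, "10.10.5.56"]  # an unrelated host, constructed, to show scope is preserved
SERVICES = ["http", "smb"]

if __name__ == "__main__":
    extra, lost = merge_gap(ORIGINAL, MERGED, HOSTS, SERVICES)
    print("newly accepted by merged rule:", sorted(extra))
    print("no longer accepted:", sorted(lost))
```

The merged rule also accepts the two host-to-itself combinations; with more hosts in each column, every cross pairing becomes accepted, which is why a merge should be checked flow by flow rather than by eye.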
When you did the sync, did it move the SmartCenter back by 10 minutes?
If it did, then it should work.
Personally I would look at getting NTP onto the gateways and the SmartCenter; then, once you have them all on a single clock, reset SIC between the gateway and the SmartCenter.
After resetting SIC on the gateway, push the policy, and also push the policy to the remote gateways that you manage from the SmartCenter.
After you reset SIC on the gateway, the gateway will lose all connectivity until you reattach it to the SmartCenter and reinstall the security policy on the gateway.
The fact that it is a shared secret as opposed to an internal certificate doesn't make any difference in this case.
I have done cprestart after syncing the SmartCenter and GUI client clocks, but I am still getting the same message. When I backdated the SmartCenter and GUI client clocks, it worked, but then there is no trust between the firewall and the SmartCenter server. My SmartCenter server and firewall are showing the status "untrusted" in SmartView Monitor, while the status between the SmartCenter server and Amsterdam is showing OK. What should I do? It's such a mess. Help me!!!
One more thing: if I reinitialize SIC, you said that the VPN connectivity will go down, so it will go down for a couple of minutes until the initialization is complete, right? And do we need to do anything at the Amsterdam and France firewall ends too, where we have site-to-site VPN connections from London? One important thing: I have selected shared secret for the site-to-site VPN, so will the VPN connectivity still fail?
I have also checked with the ICA management tool that the certificate has expired. How do I create a new one? Is this causing the problem? Please give me step-by-step instructions on what to do.