Solved

Checkpoint Firewall Manager and FW (SPLAT) SIC error

Posted on 2008-09-30
4
5,569 Views
Last Modified: 2013-11-16
hello all,

When I am trying to apply a policy to firewall members, it fails. I believe it is due to SIC problem. When a communication SIC test is undertaken I receive the following message:

"SIC Status for SAUSFW01: Not Communicating
Internal SSL authentication error [ Certificate expired]"

Do i need to a new certificate? or there something else that might be causing this problem?

thanks
0
Comment
Question by:sheepsheep
  • 2
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 250 total points
ID: 22612441
Which node is giving the SSL cert error?  Is it the firewall or the management server?

If its the firewall and you are using a full public SSL cert (ie from comodo etc) then renew the cert via the providers means.

If not, then you should be able to renew the GW cert via dashboard by going to :

VPN > Certs > click on the VPN cert and select "renew".

This should renew the cert with the ICA on the smartcentre and the error "should" go away.

If it does not, then you will need to reset SOC between firewall and management server as follows:

1.  On firewall, run cpconfig, sleect SIC
2.  Jump through the hoops to reset sic and set a new one time password

NOTE : This will kill all comms with the management server but will NOT stop processing traffic!!!!

3.  ON smartcentre dashboard, select the GW object and click on the communications button.
4.  In resulting window, click reset.
5.  Enter the OTP as set in 2
6.  If all goes well, they will be communication.

I always test the connection again, just to make sure.

Once they are all talking, you should be able to push policy
0
 

Author Comment

by:sheepsheep
ID: 22612926
Thanks Delmark.

I am assuming it is the firewall member(s)? - after I log into SMARTDashboard and click on the firewall member > properties > Communication > Test SIC , I receive this error. How can I tell if it is the firewall or manager?

How might I view the firewall and manager certifications to check the expiration dates and signing authority?
0
 
LVL 18

Expert Comment

by:deimark
ID: 22613219
OK, thats a bit more info :P

If its the gateway object you see the SIC error, then its the GW thats at fault here.

SIC is normally related to an internally generated certificate from the ICA on the management server (the management server is the one that you connect to using smartdashboard

Note, the management system can ALSO be installed on the firewall.  These installs are called standalone, ie all the systems you need to run the set up is on one box

On the GW object VPN tab, this should list all the certs as issued.  CP can only have one cert per CA, so I assume that you should have 2 listed there.

The defaultcert as issued by the ICA and a full SSL cert as issued by comodo, geotrust etc.

If you click on "view cert" while highlighting one, it will open up and give you all the details you need re expiry etc

Let me know how that goes
0
 

Author Closing Comment

by:sheepsheep
ID: 31501832
Thanks Deimark. A  reset of SOC between firewall and management server was needed. Issue resolved.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This video discusses moving either the default database or any database to a new volume.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now