Re-Configuring Checkpoint NG R55

We have inherited a couple of Check Point firewalls from a connection that no longer exists. One was the hot, and the other was a cold spare. I have a couple of questions on getting these re-IP'd to be put back into production on a different link.

1. On the cold spare, the certificate seems to have expired. I have to backdate the box and my laptop to connect to the GUI. How do I update this certificate to be current?

2. If I re-IP the interfaces, do I need to reset the certificate for this to work properly, or will it just work with the new IPs?

Thanks
DeathshadowAsked:

yuriskCommented:
1)
a) I guess you already tried, on the Firewall object in SmartDashboard properties, to click on Renew certificate; if so and it didn't work:
b) Disable rules, if they exist, that are using certificate features (all VPN-connected).
c) Remove the certificate with the Remove button on the firewall object properties window in SmartDashboard (but first jot down the name the certificate was created with).
d) Clicking Create should present you with a dialog box asking the name for the certificate (put in the name you noted before), then clicking Next, Next ... Enable the rules back; this solves the issue.
If the above didn't help, do b) and c), then enter the CLI of the FW (ssh, or locally) and issue #fw sic_reset; if it goes well, issue #cpconfig and pick the option of creating a CA authority; after finishing, do step d).

2) Changing IPs doesn't affect certs, but will most probably invalidate licenses that were issued for particular IPs. You will have to change the IPs in your account in CP as well.
0

grimkinCommented:
Hi,

You say that you are connecting to the GUI on the old box - I take it this is a management server and enforcement gateway in one?

What platforms are these firewalls on and what OS are they running?

0
DeathshadowAuthor Commented:
Yeah, it is an all-in-one box.

Sun Solaris 8 running CP NG R55

Looks good as far as renewing the cert, but I still have to backdate to connect with the GUI. Here is a cut of the cert:

Not Valid Before: Tue Jan  1 10:12:08 2008 Local Time
Not Valid After:  Mon Dec 31 10:12:08 2012 Local Time
Serial No.:  19506

The original expired on Feb 18 2008, so I have to still backdate before that date.

It refuses the connection saying:
1. The Smart Servers Clock is not set up properly
2. The Cert issue date is later than the date of the smartcenter
3. The GUI Client clock is wrong
4. The Cert has expired
5. The Cert is Invalid
0
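Added example (not from the thread and not Check Point's own tooling): it parses validity lines in the layout quoted above and maps the SmartCenter and GUI client clocks onto the refusal reasons listed, so you can see which one a backdated clock actually triggers. The 5-minute client/server skew tolerance is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout quoted in the thread (assumed to be exactly
# what the Check Point cert dump prints); the serial line is ignored here.
CERT_TEXT = """\
Not Valid Before: Tue Jan  1 10:12:08 2008 Local Time
Not Valid After:  Mon Dec 31 10:12:08 2012 Local Time
Serial No.:  19506
"""

# Assumed tolerance between the GUI client clock and the SmartCenter clock.
MAX_SKEW = timedelta(minutes=5)


def parse_validity(text):
    """Return (not_before, not_after) from the 'Not Valid Before/After' lines."""
    bounds = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Not Valid Before", "Not Valid After"):
            stamp = value.replace("Local Time", "").strip()
            # strptime treats a space in the format as "one or more", so the
            # day-padded "Jan  1" parses with the same pattern as "Dec 31".
            bounds[key.strip()] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return bounds["Not Valid Before"], bounds["Not Valid After"]


def diagnose(not_before, not_after, server_now, client_now):
    """Map the two clocks and the validity window onto the GUI's refusal reasons."""
    problems = []
    if server_now < not_before:
        problems.append("cert issue date is later than the SmartCenter date")
    if server_now > not_after:
        problems.append("cert has expired (SmartCenter clock)")
    if abs(server_now - client_now) > MAX_SKEW:
        problems.append("GUI client clock disagrees with the SmartCenter clock")
    if not not_before <= client_now <= not_after:
        problems.append("cert is outside its validity window on the GUI client")
    return problems


def check(cert_text, server_iso, client_iso):
    """Convenience wrapper: ISO-8601 clock readings in, list of problems out."""
    not_before, not_after = parse_validity(cert_text)
    return diagnose(not_before, not_after,
                    datetime.fromisoformat(server_iso), datetime.fromisoformat(client_iso))


if __name__ == "__main__":
    # Backdated to December 2007 the cert is refused; mid-2010 it is accepted.
    print(check(CERT_TEXT, "2007-12-15T09:00:00", "2007-12-15T09:00:00"))
    print(check(CERT_TEXT, "2010-06-01T12:00:00", "2010-06-01T12:00:00"))
```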

grimkinCommented:
1. Check the clock on the gateway and SC server and your laptop and make sure they are all correct.
2. As above, but with the timezones.
3. Changing the hostname will invalidate the certificate, in which case you may want to do a "fwm sic_reset" and then cpconfig to re-initialise the ICA.

Can you let us know if anything here applies?
0
DeathshadowAuthor Commented:
This is what I get when trying to run sic_reset.

*******************************************
This operation will stop all Check Point Services (cpstop)
Are you sure you want to reset? (y/n) [n] ? y

*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the
internal Certificate Authority.
Please remove them (using the SmartDashboard) so that
the internal Certificate Authority can be destroyed.

SIC Reset operation could not be completed
0
grimkinCommented:
The easiest way to do this is to go into the dashboard, select the gateway object, General Properties and untick the VPN tickbox. After you have done the fwm sic_reset then you can go back in and re-check it.

Have you checked the clocks and timezones? Were they all correct?
0
DeathshadowAuthor Commented:
Beautiful! Worked like a charm after removing the VPNs.
0