Re-Configuring Checkpoint NG R55

Posted on 2008-11-07
Medium Priority
Last Modified: 2013-11-16
We have inherited a couple checkpoint firewalls from a connection that no longer exists. One was the Hot. and the other was a cold spare. I have a couple questions on getting these re-ip'd to be put back into production on a different link.

1. On the cold spare, the certificate seems to have expired. I have to backdate the Box and my laptop to connect to the GUI. How do I update this certificate to be current?

2. If I Re-IP the Interfaces, do I need to reset the certificate for this to work properly, or will it just work with new IP's?

Question by:Deathshadow
  • 3
  • 3

Accepted Solution

yurisk earned 500 total points
ID: 22904932
a)I guess you already tried on the Firewall object in SmartDashboard properties
to click on Renew certificate , if so and it didnt work :
 b) You disable rules if exist that are using certificate features (all VPN-connected)
 c) Remove certoficate with Remove button on firewall object properties window in smartdashboard (but first jot down the name certificate was created with)
 d) Clicking Create should present you with dialog box asking the name for certificate
(put the name you noted before) , then clicking NExt , Next ... Enable rules back solves the issue
IF above didnt help, do b) and c), then
enter CLI of the FW (ssh, or locally) and issue #fw sic_reset, if it goes well issue
 #cpconfig    and pick the option of creating CA authority , after finishing do step d)

2) Changing IPs doesnt affect certs, but will most probably invalidate licenses
that were issued for particular IPs. You will have to change IPs in your account in CP as well.
LVL 14

Expert Comment

ID: 22905122

You say that you are connecting to the GUI on the old box - I take it this is a management server and enforcement gateway in one?

What platforms are these firewalls on and what OS are they running?


Author Comment

ID: 22905165
Yea, it is an all in 1 box.

Sun Solaris 8 running CP NG R55

Looks good as far as renewing the cert, but I still have to backdate to connect with the GUI. Here is a cut of the Cert

Not Valid Before: Tue Jan  1 10:12:08 2008 Local Time
Not Valid After:  Mon Dec 31 10:12:08 2012 Local Time
Serial No.:  19506

The original expired on Feb 18 2008, so I have to still backdate before that date.

It refuses the connection saying;
1. The Smart Servers Clock is not set up properly
2. The Cert issue date is later than the date of the smartcenter
3. The GUI Client clock is wrong
4. The Cert has expired
5. The Cert is Invalid
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

LVL 14

Expert Comment

ID: 22905331
1 Check the clock on the gateway and SC server and your laptop and make sure they are all correct
2 As above but with the timezones
3 Changing the hostname will invalidate the certificate in which case you may want to do a "fwm sic_reset" and then cpconfig to re-initialise the ICA

Can you let us know if anything here applies?

Author Comment

ID: 22905440
This is what I get when trying to run sic_reset.

This operation will stop all Check Point Services (cpstop)
Are you sure you want to reset? (y/n) [n] ? y

*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the
internal Certificate Authority.
Please remove them (using the SmartDashboard) so that
the internal Certificate Authority can be destroyed.

SIC Reset operation could not be completed
LVL 14

Assisted Solution

grimkin earned 500 total points
ID: 22906099
The easiest way to do this is to go into the dashboard, select the gateway object, General Properties and untick the VPN tickbox. After you have done the fwm sic_reset then you can go back in and re-check it.

Have you checked the clocks and timezones? Were they all correct?

Author Comment

ID: 22906412
Beautiful! Worked like a charm after removing the VPN's

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question