Re-Configuring Checkpoint NG R55

We have inherited a couple checkpoint firewalls from a connection that no longer exists. One was the Hot. and the other was a cold spare. I have a couple questions on getting these re-ip'd to be put back into production on a different link.

1. On the cold spare, the certificate seems to have expired. I have to backdate the Box and my laptop to connect to the GUI. How do I update this certificate to be current?

2. If I Re-IP the Interfaces, do I need to reset the certificate for this to work properly, or will it just work with new IP's?

Thanks
DeathshadowAsked:
Who is Participating?
 
yuriskConnect With a Mentor Commented:
1)
a)I guess you already tried on the Firewall object in SmartDashboard properties
to click on Renew certificate , if so and it didnt work :
 b) You disable rules if exist that are using certificate features (all VPN-connected)
 c) Remove certoficate with Remove button on firewall object properties window in smartdashboard (but first jot down the name certificate was created with)
 d) Clicking Create should present you with dialog box asking the name for certificate
(put the name you noted before) , then clicking NExt , Next ... Enable rules back solves the issue
IF above didnt help, do b) and c), then
enter CLI of the FW (ssh, or locally) and issue #fw sic_reset, if it goes well issue
 #cpconfig    and pick the option of creating CA authority , after finishing do step d)

2) Changing IPs doesnt affect certs, but will most probably invalidate licenses
that were issued for particular IPs. You will have to change IPs in your account in CP as well.
0
 
grimkinCommented:
Hi,

You say that you are connecting to the GUI on the old box - I take it this is a management server and enforcement gateway in one?

What platforms are these firewalls on and what OS are they running?



0
 
DeathshadowAuthor Commented:
Yea, it is an all in 1 box.

Sun Solaris 8 running CP NG R55

Looks good as far as renewing the cert, but I still have to backdate to connect with the GUI. Here is a cut of the Cert

Not Valid Before: Tue Jan  1 10:12:08 2008 Local Time
Not Valid After:  Mon Dec 31 10:12:08 2012 Local Time
Serial No.:  19506

The original expired on Feb 18 2008, so I have to still backdate before that date.

It refuses the connection saying;
1. The Smart Servers Clock is not set up properly
2. The Cert issue date is later than the date of the smartcenter
3. The GUI Client clock is wrong
4. The Cert has expired
5. The Cert is Invalid
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
grimkinCommented:
1 Check the clock on the gateway and SC server and your laptop and make sure they are all correct
2 As above but with the timezones
3 Changing the hostname will invalidate the certificate in which case you may want to do a "fwm sic_reset" and then cpconfig to re-initialise the ICA

Can you let us know if anything here applies?
0
 
DeathshadowAuthor Commented:
This is what I get when trying to run sic_reset.

*******************************************
This operation will stop all Check Point Services (cpstop)
Are you sure you want to reset? (y/n) [n] ? y

*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the
internal Certificate Authority.
Please remove them (using the SmartDashboard) so that
the internal Certificate Authority can be destroyed.

SIC Reset operation could not be completed
0
 
grimkinConnect With a Mentor Commented:
The easiest way to do this is to go into the dashboard, select the gateway object, General Properties and untick the VPN tickbox. After you have done the fwm sic_reset then you can go back in and re-check it.

Have you checked the clocks and timezones? Were they all correct?
0
 
DeathshadowAuthor Commented:
Beautiful! Worked like a charm after removing the VPN's
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.