Re-Configuring Checkpoint NG R55

Posted on 2008-11-07
Last Modified: 2013-11-16
We have inherited a couple of Check Point firewalls from a connection that no longer exists. One was the hot unit and the other was a cold spare. I have a couple of questions on getting these re-IP'd to be put back into production on a different link.

1. On the cold spare, the certificate seems to have expired. I have to backdate the box and my laptop to connect to the GUI. How do I update this certificate to be current?

2. If I re-IP the interfaces, do I need to reset the certificate for this to work properly, or will it just work with the new IPs?

Question by: Deathshadow

    Accepted Solution

    a) I guess you already tried, on the firewall object properties in SmartDashboard,
    to click on Renew certificate; if so and it didn't work:
    b) You disable rules, if any exist, that are using certificate features (all VPN-connected).
    c) Remove the certificate with the Remove button on the firewall object properties window in SmartDashboard (but first jot down the name the certificate was created with).
    d) Clicking Create should present you with a dialog box asking the name for the certificate
    (put the name you noted before), then clicking Next, Next ... Enabling the rules back solves the issue.
    If the above didn't help, do b) and c), then
    enter the CLI of the FW (ssh, or locally) and issue #fw sic_reset; if it goes well issue
    #cpconfig and pick the option of creating the CA authority; after finishing do step d).

    2) Changing IPs doesn't affect certs, but will most probably invalidate licenses
    that were issued for particular IPs. You will have to change the IPs in your account in CP as well.

    Expert Comment


    You say that you are connecting to the GUI on the old box - I take it this is a management server and enforcement gateway in one?

    What platforms are these firewalls on and what OS are they running?


    Author Comment

    Yeah, it is an all-in-one box.

    Sun Solaris 8 running CP NG R55

    Looks good as far as renewing the cert, but I still have to backdate to connect with the GUI. Here is a cut of the cert:

    Not Valid Before: Tue Jan  1 10:12:08 2008 Local Time
    Not Valid After:  Mon Dec 31 10:12:08 2012 Local Time
    Serial No.:  19506

    The original expired on Feb 18 2008, so I have to still backdate before that date.

    It refuses the connection, saying:
    1. The Smart Server's clock is not set up properly
    2. The cert issue date is later than the date of the SmartCenter
    3. The GUI client clock is wrong
    4. The cert has expired
    5. The cert is invalid

    Expert Comment

    1. Check the clock on the gateway and SC server and your laptop and make sure they are all correct.
    2. As above, but with the timezones.
    3. Changing the hostname will invalidate the certificate, in which case you may want to do a "fwm sic_reset" and then cpconfig to re-initialise the ICA.

    Can you let us know if anything here applies?
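The clock and timezone check the expert asks for, as an added example that is not part of the thread and not Check Point code. It parses the certificate cut pasted above (constructed here from the thread's own lines), attaches a UTC offset to the "Local Time" stamps (an assumption, since the dump names no zone), and compares the validity window against a SmartCenter clock and a GUI-client clock, reporting which of the login failure reasons listed in the thread would fire. The five-minute clock-skew tolerance is an assumed figure, not a documented Check Point value.

```python
"""Compare a Check Point ICA certificate's validity window with the SmartCenter
and GUI-client clocks.  Added example modelled on the error list in the thread;
it is not Check Point code and the checks are an assumption about its logic."""
from datetime import datetime, timedelta, timezone

# Constructed input: the certificate cut pasted in the thread.  The dump says
# "Local Time" without naming a zone, so the zone is supplied by the caller.
CERT_DUMP = """\
Not Valid Before: Tue Jan  1 10:12:08 2008 Local Time
Not Valid After:  Mon Dec 31 10:12:08 2012 Local Time
Serial No.:  19506
"""

STAMP_FMT = "%a %b %d %H:%M:%S %Y"

# Assumed tolerance between the two clocks; the thread gives no figure.
MAX_SKEW = timedelta(minutes=5)


def parse_validity(dump, utc_offset_hours):
    """Return (not_before, not_after) as timezone-aware datetimes.

    utc_offset_hours is the zone the box prints "Local Time" in (assumption:
    the dump itself carries no offset, so the caller must know the box's zone).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    window = {}
    for line in dump.splitlines():
        for key, label in (("not_before", "Not Valid Before:"),
                           ("not_after", "Not Valid After:")):
            if line.startswith(label):
                stamp = line[len(label):].replace("Local Time", "").strip()
                window[key] = datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=tz)
    if len(window) != 2:
        raise ValueError("certificate dump lacks a validity window")
    return window["not_before"], window["not_after"]


def check_gui_connect(dump, cert_utc_offset, server_clock, client_clock):
    """Return the list of failed checks; an empty list means the login passes.

    server_clock and client_clock are ISO-8601 strings with a UTC offset,
    e.g. "2008-11-07T09:00:00-05:00".  The checks mirror the error list the
    SmartDashboard login displayed in the thread, not Check Point documentation.
    """
    not_before, not_after = parse_validity(dump, cert_utc_offset)
    server = datetime.fromisoformat(server_clock)
    client = datetime.fromisoformat(client_clock)
    failed = []
    if server < not_before:
        failed.append("cert issue date is later than the SmartCenter clock")
    if server > not_after:
        failed.append("cert has expired according to the SmartCenter clock")
    if not (not_before <= client <= not_after):
        failed.append("cert is not valid at the GUI client's clock")
    if abs(server - client) > MAX_SKEW:
        failed.append("GUI client clock and SmartCenter clock disagree")
    return failed


if __name__ == "__main__":
    # Box and laptop both on UTC-5 on the day the question was posted: passes.
    print(check_gui_connect(CERT_DUMP, -5,
                            "2008-11-07T09:00:00-05:00", "2008-11-07T09:01:00-05:00"))
    # Laptop backdated to before the renewed cert's Not Valid Before: two failures.
    print(check_gui_connect(CERT_DUMP, -5,
                            "2008-11-07T09:00:00-05:00", "2007-12-31T09:00:00-05:00"))
    # Box clock lost while the cold spare sat powered off: two failures.
    print(check_gui_connect(CERT_DUMP, -5,
                            "2000-01-01T00:00:00-05:00", "2008-11-07T09:00:00-05:00"))
    # Same wall-clock instant, but the cert's "Local Time" read as UTC versus
    # UTC-5 moves Not Valid Before by five hours and flips the verdict.
    print(check_gui_connect(CERT_DUMP, 0,
                            "2008-01-01T07:00:00-05:00", "2008-01-01T07:00:00-05:00"))
    print(check_gui_connect(CERT_DUMP, -5,
                            "2008-01-01T07:00:00-05:00", "2008-01-01T07:00:00-05:00"))
```

The last pair of calls is the timezone point from item 2 above: the stamps the box prints are only meaningful once you know which zone it printed them in, so compare all three clocks in UTC before concluding that the certificate itself is bad.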

    Author Comment

    This is what I get when trying to run sic_reset.

    This operation will stop all Check Point Services (cpstop)
    Are you sure you want to reset? (y/n) [n] ? y

    *** Checking IKE Certificates ***
    There are IKE Certificates that were generated by the
    internal Certificate Authority.
    Please remove them (using the SmartDashboard) so that
    the internal Certificate Authority can be destroyed.

    SIC Reset operation could not be completed

    Assisted Solution

    The easiest way to do this is to go into the dashboard, select the gateway object, General Properties and untick the VPN tickbox. After you have done the fwm sic_reset then you can go back in and re-check it.

    Have you checked the clocks and timezones? Were they all correct?

    Author Comment

    Beautiful! Worked like a charm after removing the VPNs.
