Checkpoint Nokia IP350 VRRP Cluster

Hi,

I have reset the SIC on the passive node of the cluster and lost all connectivity, as the firewall has installed the default policy. The only way I can connect to Voyager or ping the interfaces is by stopping Check Point services.

Is there a way I can extract the current ruleset from the command line? I am looking to take a backup of the ruleset config, then do a clean install and re-apply the ruleset.

My end goal is to do this on both nodes and re-configure VRRP.

The current version is CP NG R55.
deimark Commented:
As soon as you reset SIC, you load the initial policy, which as you know drops everything except Check Point control info.

Once you have reset SIC on the Nokia and the CP services have restarted, you can then re-establish SIC using your smartcentre dashboard.

Once SIC is established, you can then push the policy.

Once SIC is reset and the initial policy is on there, if you need to connect to the device, you can log on via console cable and issue "fw unloadlocal".

This will remove the firewall policy from the Nokia AND turn off IP forwarding. This will allow you to connect to the box, but it will NOT pass traffic through it.

You asked:
"Is there a way I can extract the current ruleset from command line as I am looking to take a backup of the ruleset config, and then do a clean install, re-apply ruleset ?"

In short, no, you cannot get the policy from the CLI. However, if you want to reinstall the Nokia you can do the following:

1.  Reinstall the passive Nokia and configure CP and SIC
2.  On the smartcentre dashboard, reset SIC on the Nokia GW object and re-establish (using the activation key used in 1)
3.  Push policy to the Nokia
4.  Fail over to this newly reinstalled Nokia
5.  Repeat 1-3

As all the policies, objects, rules etc. are saved on the smartcentre, you can freely reinstall the Nokia, then reconnect to it via dashboard and push all the same firewall rules down.

Just note that Voyager controls the underlying OS, i.e. interfaces, routing etc. Check Point (dashboard) controls the firewall rules, policies, objects etc.

Does this help?
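As an added example (not code from the thread, the poster, or Check Point), a small POSIX shell check that classifies a gateway's policy state from the output of `fw stat` and maps it to the three states deimark describes: initial policy after a SIC reset (everything but control traffic dropped), no policy after `fw unloadlocal` (box reachable, no forwarding), or a named policy pushed from management. The `fw stat` output lines are constructed samples, and the column layout (HOST POLICY DATE) is an assumption.

```shell
#!/bin/sh
# Added example: classify a Check Point gateway's policy state from "fw stat" output.
# The sample outputs are constructed; the column layout (HOST POLICY DATE) is assumed.

SAMPLE_INITIAL='HOST      POLICY        DATE
localhost InitialPolicy 10Feb2010 09:12:44 :  [>eth-s1p1c0] [<eth-s1p1c0]'

SAMPLE_NAMED='HOST      POLICY        DATE
localhost Standard      10Feb2010 09:12:44 :  [>eth-s1p1c0] [<eth-s1p1c0]'

SAMPLE_UNLOADED='HOST      POLICY        DATE
localhost -             -                  :  >eth-s1p1c0 <eth-s1p1c0'

# policy_state OUTPUT: print one token describing the enforcement state.
#   INITIAL_POLICY  SIC reset / no policy ever pushed: drops all but control traffic
#   NO_POLICY       policy unloaded (fw unloadlocal): box reachable, IP forwarding off
#   POLICY:<name>   a policy pushed from the management server is enforced
#   UNKNOWN         output did not match the assumed layout
policy_state() {
  name=$(printf '%s\n' "$1" | awk 'NR > 1 && $1 == "localhost" { print $2; exit }')
  case "$name" in
    "")            echo UNKNOWN ;;
    InitialPolicy) echo INITIAL_POLICY ;;
    -)             echo NO_POLICY ;;
    *)             echo "POLICY:$name" ;;
  esac
}

# safe_to_cut_over OUTPUT: succeed only when a named policy is enforced,
# i.e. traffic will actually pass once VRRP fails over to this node.
safe_to_cut_over() {
  case "$(policy_state "$1")" in
    POLICY:*) return 0 ;;
    *)        return 1 ;;
  esac
}

# On a live gateway, feed the real command output instead of a sample:
#   policy_state "$(fw stat)"
for s in "$SAMPLE_INITIAL" "$SAMPLE_NAMED" "$SAMPLE_UNLOADED"; do
  policy_state "$s"
done
```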
keithclayton (Author) Commented:
Yes, thanks for the update.

My company has recently taken control of 2 Nokia firewalls. The plan was to get control of the passive node.

How do I go about getting the ruleset onto the SCS? The company who were managing the firewalls will not export their current ruleset. Will I have to re-create the ruleset from scratch?

They did, however, provide me with the ruleset via the Check Point Web Visualization.

I have built a smartcentre server,
reset the SIC on the firewall, and
tried to establish SIC communication from the SCS.
deimark Commented:
If they do not want to give you the export from their smartcentre, I'm afraid the only option you have is to create it all from scratch.

There is no way to revert a policy as it stands on a firewall back into the format it needs to be in for the smartcentre.

If you have the Web VT output, that's a start though.

I would make sure that you have the full smartcentre and policy built already before resetting SIC!!!  As soon as you reset SIC, the initial policy is loaded and it will wait to get a new policy pushed to it.  During this time, no traffic will flow through the firewall
keithclayton (Author) Commented:
Deimark,

I have already reset the SIC on the passive node, which has the default policy installed.

In cpconfig there is an option to disable cluster membership. Will I be required to disable this option before the clean build?

Will I be able to do this in IPSO 3.8?

Can I rebuild the passive cluster node in HA, install SCS for NGX R65,
create all rules and objects,
establish SIC between them, and
push the policy to the firewall?
deimark Commented:
OK, I will summarise what I understand your current set up to be and what you want to do with it now.

You have 2 Nokias, previously managed by a 3rd party. The Nokias were in a VRRP HA cluster.

You want to have:

1.  Your own smartcentre
2.  Manage your own, freshly rebuilt Nokias as another VRRP HA cluster.

Currently, one of your Nokias has had SIC reset, so it has no working policy on it.

You also have a new smartcentre ready to go.

To get to where you want, I would suggest the following:

1.  Ensure your smartcentre has your final version on it (saves upgrading later); you mention R65.
2.  Configure all relevant objects and policies etc. (where you can)
3.  Rebuild the 2nd Nokia (with no policy). The IP350 can go up to IPSO v4.2, so a complete reinstall and upgrade would be beneficial.
4.  Install R65 on the Nokia
5.  Add the Nokia to your smartcentre config, finalise the policy and push it to the Nokia
6.  Swap over the live firewall traffic to your new system

**note**
This will require some action on your part to ensure that the configuration on the new Nokia does not interfere with the live network, i.e. interfaces, IPs etc. You may need to do all the prep work offline or in a separate test net.

7.  Once swapped over and traffic is passing successfully, rebuild the remaining Nokia with the same versions as the current one
8.  Finalise the cluster config and bring them all up.

These are the rough steps I would follow, but if you are not too sure on the process or how to rebuild Nokias, set up clusters etc., I would get someone to do it for you.

HTH
keithclayton (Author) Commented:
OK, in the short term I am looking to control at least one firewall and have a current rulebase to allow me to make changes. I have a trial version of the same SCS version as the 3rd party, NG R55.

If I can create the rulebase from the web XML, that will be a start; I can then schedule, plan and test, and upgrade to NGX R65 at a later stage.

As one of the firewalls is not working, I thought it may be better to do the upgrade now, and I will be able to build the firewalls one at a time.
keithclayton (Author) Commented:
I have tried to create a rule on the current SCS for R55; however, when I try to install the policy it fails.
When I tried to reset the SIC on the SCS, I got the message "unable to connect to the module".

Unfortunately, when I try to connect to the firewall module via console cable, I am getting no login prompt. I have tried a null modem cable and a straight-through serial cable.

Any ideas ?