
Checkpoint Nokia IP350 VRRP Cluster

keithclayton asked:
Last Modified: 2013-11-16
Hi,

I have reset the SIC on the passive node of the cluster and lost all connectivity, as the firewall has installed the default policy. The only way I can connect to Voyager or ping the interfaces is by stopping Check Point services.

Is there a way I can extract the current ruleset from the command line? I am looking to take a backup of the ruleset config, then do a clean install and re-apply the ruleset.

My end goal is to do this on both nodes and re-configure VRRP.

The current version is CP NG R55.

CERTIFIED EXPERT

Commented:
As soon as you reset SIC, you load the initial policy, which, as you know, drops everything except Check Point control traffic.

Once you have reset SIC on the Nokia and the CP services have restarted, you can then re-establish SIC using your SmartCenter Dashboard.

Once SIC is established, you can then push the policy.

Once SIC is reset and the initial policy is on there, if you need to connect to the device you can log on via the console cable and issue "fw unloadlocal".

This will remove the firewall policy from the Nokia AND turn off IP forwarding. This will allow you to connect to the box, but it will NOT pass traffic through it.

You asked:
"Is there a way I can extract the current ruleset from command line as I am looking to take a backup of the ruleset config, and then do a clean install, re-apply ruleset?"

In short, no, you cannot get the policy from the CLI. However, if you want to reinstall the Nokia you can do the following:

1.  Reinstall the passive Nokia and configure CP and SIC
2.  On the SmartCenter Dashboard, reset SIC on the Nokia GW object and re-establish it (using the activation key used in 1)
3.  Push policy to the Nokia
4.  Fail over to this newly reinstalled Nokia
5.  Repeat 1-3

As all the policies, objects, rules etc. are saved on the SmartCenter, you can freely reinstall the Nokia, then reconnect to it via Dashboard and push all the same firewall rules down.

Just note that Voyager controls the underlying OS, i.e. interfaces, routing etc. Check Point (Dashboard) controls the firewall rules, policies, objects etc.

Does this help?

Author

Commented:
Yes, thanks for the update.

My company has recently taken control of 2 Nokia firewalls. The plan was to get control of the passive node.

How do I go about getting the ruleset onto the SCS? The company who were managing the firewalls will not export their current ruleset. Will I have to re-create the ruleset from scratch?

They did, however, provide the ruleset via the Check Point Web Visualization Tool.

I have built a SmartCenter server
Reset the SIC on the firewall
Tried to establish SIC communication from the SCS

CERTIFIED EXPERT

Commented:
If they do not want to give you the export from their SmartCenter, I'm afraid the only option you have is to create it all from scratch.

There is no way to revert a policy as it stands on a firewall back into the format it needs to be in for the SmartCenter.

If you have the Web VT output, that's a start though.

I would make sure that you have the full SmartCenter and policy built already before resetting SIC!!! As soon as you reset SIC, the initial policy is loaded and it will wait to get a new policy pushed to it. During this time, no traffic will flow through the firewall.
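Since the Web VT output is the only record of the old rulebase and it has to be re-typed into the new SmartCenter, it is worth turning it into an ordered checklist and reviewing it before re-creating it. The script below is an added example, not from the original thread or from Check Point: it parses a small XML rulebase and lists the rules in order, flagging any-any-any accepts, accepts without logging, disabled rules and a missing cleanup rule. The `<rulebase>`/`<rule>` schema and the sample policy are my own construction; the real Web Visualization Tool (cpdb2web) export has its own HTML/XML layout, so the tag names would have to be adapted before feeding it in.

```python
"""Turn a rulebase export into a re-creation checklist and flag risky rules.

Added example, not from the original thread. The Web Visualization Tool's real
output has its own HTML/XML layout; the <rulebase> schema below is an assumed,
simplified stand-in and the sample is constructed, so the tag names must be
adapted before feeding in real cpdb2web output.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed schema (not real Web VT output)
SAMPLE_RULEBASE = """\
<rulebase name="Standard">
  <rule no="1" enabled="true">
    <src>Any</src><dst>FW_Cluster</dst><service>ssh</service>
    <action>drop</action><track>Log</track><comment>stealth rule</comment>
  </rule>
  <rule no="2" enabled="true">
    <src>Net_LAN</src><dst>Any</dst><service>http</service><service>https</service>
    <action>accept</action><track>Log</track><comment>web out</comment>
  </rule>
  <rule no="3" enabled="false">
    <src>Any</src><dst>Any</dst><service>Any</service>
    <action>accept</action><track>None</track><comment>temp - remove</comment>
  </rule>
  <rule no="4" enabled="true">
    <src>Any</src><dst>Any</dst><service>Any</service>
    <action>drop</action><track>Log</track><comment>cleanup</comment>
  </rule>
</rulebase>
"""


def parse_rulebase(xml_text):
    """Return the rules as dicts, ordered by rule number."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        rules.append({
            "no": int(r.get("no")),
            "enabled": r.get("enabled", "true").lower() == "true",
            "src": [e.text.strip() for e in r.findall("src")],
            "dst": [e.text.strip() for e in r.findall("dst")],
            "service": [e.text.strip() for e in r.findall("service")],
            "action": r.findtext("action", "").strip().lower(),
            "track": r.findtext("track", "").strip(),
            "comment": r.findtext("comment", "").strip(),
        })
    return sorted(rules, key=lambda x: x["no"])


def is_any_any_any(rule):
    return rule["src"] == ["Any"] and rule["dst"] == ["Any"] and rule["service"] == ["Any"]


def findings(rules):
    """Rules to question while re-entering the policy instead of copying blindly."""
    out = []
    for r in rules:
        if is_any_any_any(r) and r["action"] == "accept":
            out.append((r["no"], "any-any-any accept"))
        if r["action"] == "accept" and r["track"].lower() == "none":
            out.append((r["no"], "accept without logging"))
        if not r["enabled"]:
            out.append((r["no"], "disabled rule - confirm before re-creating"))
    enabled = [r for r in rules if r["enabled"]]
    # the last enabled rule should be an explicit any-any-any drop (cleanup rule)
    if not enabled or not (is_any_any_any(enabled[-1]) and enabled[-1]["action"] == "drop"):
        out.append((0, "no explicit cleanup drop rule at the end"))
    return out


def checklist(rules):
    """One line per rule, in the order to re-create it in SmartDashboard."""
    lines = []
    for r in rules:
        state = "" if r["enabled"] else " [DISABLED]"
        lines.append("%d. %s -> %s : %s : %s / %s%s  # %s" % (
            r["no"], ",".join(r["src"]), ",".join(r["dst"]),
            ",".join(r["service"]), r["action"], r["track"], state, r["comment"]))
    return lines


if __name__ == "__main__":
    rules = parse_rulebase(SAMPLE_RULEBASE)
    print("\n".join(checklist(rules)))
    for no, msg in findings(rules):
        print("rule %s: %s" % (no or "-", msg))
```

The point of the findings pass is that a rebuild is the one time the old policy gets a clean review: a disabled "temp" any-any-any accept like rule 3 in the sample is exactly the kind of thing not to carry over into the new SmartCenter.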

Author

Commented:
Deimark,

I have already reset the SIC on the passive node, which has the default policy installed.

In cpconfig there is an option to disable cluster membership; will I be required to disable this option before the clean build?

Will I be able to do this in IPSO 3.8?

Can I re-build the passive cluster node in HA as follows?
Install SCS for NGX R65
Create all rules and objects
Establish SIC between them
Push the policy to the firewall

CERTIFIED EXPERT
Commented:
OK, I will summarise what I understand your current set up to be and what you want to do with it now.

You have 2 Nokias, previously managed by a 3rd party. The Nokias were in a VRRP HA cluster.

You want to have:

1.  Your own SmartCenter
2.  Manage your own, freshly rebuilt Nokias as another VRRP HA cluster.

Currently, one of your Nokias has had SIC reset, so it has no working policy on it.

You also have a new SmartCenter ready to go.

To get to where you want, I would suggest the following:

1.  Ensure your SmartCenter has your final version on it (saves upgrading later); you mention R65.
2.  Configure all relevant objects and policies etc. (where you can)
3.  Rebuild the 2nd Nokia (with no policy). The IP350 can go up to IPSO v4.2, so a complete reinstall and upgrade would be beneficial.
4.  Install R65 on the Nokia
5.  Add the Nokia to your SmartCenter config, finalise the policy and push it to the Nokia
6.  Swap over the live firewall traffic to your new system

**note**
This will require some action on your part to ensure that configuring the new Nokia does not interfere with the live network, i.e. interfaces, IPs etc. You may need to do all the prep work offline or in a separate test net.

7.  Once swapped over and traffic is passing successfully, rebuild the remaining Nokia with the same versions as the current one
8.  Finalise the cluster config and bring them all up.

These are the rough steps I would follow, but if you are not too sure on the process or how to rebuild Nokias, set up clusters etc., I would get someone to do it for you.

HTH


Author

Commented:
OK, in the short term I am looking to control at least one firewall and have a current rulebase to allow me to make changes. I have a trial version of the same SCS version as the 3rd party, NG R55.

If I can create the rulebase from the web XML, that will be a start. I can then schedule, plan and test an upgrade to NGX R65 at a later stage.

As one of the firewalls is not working, I thought it may be better to do the upgrade now, and I will be able to build the firewalls one at a time.

Author

Commented:
I have tried to create a rule on the current SCS for R55, however when I try to install the policy it fails.

When I tried to reset the SIC on the SCS, I got the message "unable to connect to the module".

Unfortunately, when I try to connect to the firewall module via the console cable, I am getting no login prompt. I have tried a null modem cable and a straight-through serial cable.

Any ideas?