Checkpoint Nokia IP350 VRRP Cluster

Posted on 2009-02-19
Last Modified: 2013-11-16

I have reset the SIC on the passive node of the cluster and lost all connectivity, as the firewall has installed the default policy. The only way I can connect to Voyager or ping the interfaces is by stopping Check Point services.

Is there a way I can extract the current ruleset from the command line, as I am looking to take a backup of the ruleset config and then do a clean install and re-apply the ruleset?

My end goal is to do this on both nodes and re-configure VRRP.

The current version is CP NG R55.
Question by: keithclayton

    Expert Comment

    As soon as you reset SIC, you load the initial policy, which, as you know, drops everything except Check Point control info.

    Once you have reset SIC on the Nokia and the CP services have restarted, you can then re-establish SIC using your SmartCenter Dashboard.

    Once SIC is established, you can then push the policy.

    Once SIC is reset and the initial policy is on there, if you need to connect to the device, you can log on via console cable and issue "fw unloadlocal".

    This will remove the firewall policy from the Nokia AND turn off IP forwarding. This will allow you to connect to the box, but it will NOT pass traffic through it.

    You asked:
    "Is there a way I can extract the current ruleset from the command line, as I am looking to take a backup of the ruleset config and then do a clean install and re-apply the ruleset?"

    In short, no, you cannot get the policy from the CLI; however, if you want to reinstall the Nokia you can do the following:

    1.  Reinstall the passive Nokia and configure CP and SIC
    2.  On the SmartCenter Dashboard, reset SIC on the Nokia GW object and re-establish it (using the activation key used in 1)
    3.  Push policy to the Nokia
    4.  Fail over to this newly reinstalled Nokia
    5.  Repeat 1-3

    As all the policies, objects, rules etc. are saved on the SmartCenter, you can freely reinstall the Nokia, then reconnect to it via Dashboard and push all the same firewall rules down.

    Just note that Voyager controls the underlying OS, i.e. interfaces, routing etc. Check Point (Dashboard) controls the firewall rules, policies, objects etc.

    Does this help?

    Author Comment

    Yes thanks for the update.

    My company has recently taken control of 2 Nokia firewalls. The plan was to get control of the passive node.

    How do I go about getting the ruleset onto the SCS? The company who were managing the firewalls will not export their current ruleset. Will I have to re-create the ruleset from scratch?

    They did, however, provide me with the ruleset via the Check Point Web Visualization.

    I have built a SmartCenter server,
    reset the SIC on the firewall,
    and tried to establish SIC communication from the SCS.

    Expert Comment

    If they do not want to give you the export from their SmartCenter, I'm afraid the only option you have is to create it all from scratch.

    There is no way to revert a policy as it stands on a firewall back into the format it needs to be in for the SmartCenter.

    If you have the Web VT output, that's a start though.

    I would make sure that you have the full SmartCenter and policy built already before resetting SIC!!! As soon as you reset SIC, the initial policy is loaded and it will wait to get a new policy pushed to it. During this time, no traffic will flow through the firewall.

    Author Comment

    I have already reset the SIC on the passive node, which has the default policy installed.

    In cpconfig there is an option to disable cluster membership; will I be required to disable this option before the clean build?

    Will I be able to do this in IPSO 3.8?

    Can I re-build the passive cluster node in HA, install SCS for NGX R65,
    create all rules and objects,
    establish SIC between them,
    and push the policy to the firewall?

    Accepted Solution

    OK, I will summarise what I understand your current set-up to be and what you want to do with it now.

    You have 2 Nokias, previously managed by a 3rd party. The Nokias were in a VRRP HA cluster.

    You want to have:

    1.  Your own SmartCenter
    2.  Your own, freshly rebuilt Nokias, managed by you as another VRRP HA cluster.

    Currently, one of your Nokias has had SIC reset, so it has no working policy on it.

    You also have a new SmartCenter ready to go.

    To get to where you want, I would suggest the following:

    1.  Ensure your SmartCenter has your final version on it (saves upgrading later); you mention R65.
    2.  Configure all relevant objects and policies etc. (where you can)
    3.  Rebuild the 2nd Nokia (with no policy). The IP350 can go up to IPSO v4.2, so a complete reinstall and upgrade would be beneficial.
    4.  Install R65 on the Nokia
    5.  Add the Nokia to your SmartCenter config, finalise the policy and push it to the Nokia
    6.  Swap over the live firewall traffic to your new system

    This will require some action on your part to ensure that configuring the new Nokia does not interfere with the live network, i.e. interfaces, IPs etc. You may need to do all the prep work offline or in a separate test net.

    7.  Once swapped over and traffic is passing successfully, rebuild the remaining Nokia with the same versions as current
    8.  Finalise the cluster config and bring them all up.

    These are the rough steps I would follow, but if you are not too sure of the process or how to rebuild Nokias, set up clusters etc., I would get someone to do it for you.


    Author Comment

    OK, in the short term I am looking to control at least one firewall and have a current rulebase to allow me to make changes. I have a trial version of the same SCS version as the 3rd party, NG R55.

    If I can create the rulebase from the web XML, that will be a start; I can then schedule, plan and test an upgrade to NGX R65 at a later stage.

    As one of the firewalls is not working, I thought it may be better to do the upgrade now, and I will be able to build the firewalls one at a time.

    Author Comment

    I have tried to create a rule on the current SCS for R55; however, when I try to install the policy it fails.
    When I tried to reset the SIC on the SCS, I got the message "unable to connect to the module".

    Unfortunately, when I try to connect to the firewall module via console cable, I am getting no login prompt. I have tried a null modem cable and a straight-through serial cable.

    Any ideas ?
