Check Point Troubleshooting

From The sin within



Troubleshooting Check Point Issues

This page collects notes on troubleshooting Check Point issues for NGX (and NG-AI R55, where the same applies).

SIC errors when trying to connect to the Management Server using SmartDashboard

If you do a fresh install of the NGX Management Server (and, where applicable, the Enforcement Module) on a RHEL 3.0 box and then apply the latest HFA (HFA_02 at the time of this writing) without first connecting to the Management Server and installing at least one Security Policy rule, the fwm.elg file in $FWDIR/log will show something like the sample output below:

 [FWM 1252 3076384128]@fw-1.domain.com[1 Feb 17:33:01] opsec_new_auth_conn_to_server: 
 conn from 10.255.255.2 to entity cpmi_server (0xb6dcc88) failed (313) 
 SIC Error for cpmi: authentication methods are not initialized

you have to reset the ICA by running the following command on the management server. Note: The fwm sic_reset command will destroy ALL user certificates and all of them will have to be re-issued (note by Ray, sixsigma44 [at] hotmail.com). The same goes for the SIC certificates of the managed modules: after the reset, trust has to be re-established with every gateway, so check the log for this exact error before resetting.

 fwm sic_reset

This clears the current contents of the ICA. To reinitialize it, run:

 cpconfig

and choose option 8 from the menu, answering yes when it asks whether to initialize the ICA.
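Because fwm sic_reset is destructive, it is worth confirming from the log that the failure really is the uninitialized-ICA case (error 313 plus the "authentication methods are not initialized" message) and not some other SIC failure. The script below is an added example, not from the original page: it runs the check over a constructed fwm.elg sample embedded in the script (the real file is $FWDIR/log/fwm.elg), lists every peer and error code that failed to connect, and only recommends the reset when the 313/uninitialized pair is present. The function names and the sample lines are the editor's own.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that fwm.elg shows the
# uninitialized-ICA SIC error before running the destructive 'fwm sic_reset'.
# On a real server point the functions at $FWDIR/log/fwm.elg instead of the sample.

# Constructed sample of fwm.elg lines (not a real capture); the last line is a
# different SIC failure that a reset would not fix.
SAMPLE_FWM_ELG='[FWM 1252 3076384128]@fw-1.domain.com[1 Feb 17:33:00] fwm: starting
[FWM 1252 3076384128]@fw-1.domain.com[1 Feb 17:33:01] opsec_new_auth_conn_to_server: conn from 10.255.255.2 to entity cpmi_server (0xb6dcc88) failed (313)
[FWM 1252 3076384128]@fw-1.domain.com[1 Feb 17:33:01] SIC Error for cpmi: authentication methods are not initialized
[FWM 1252 3076384128]@fw-1.domain.com[1 Feb 17:35:10] opsec_new_auth_conn_to_server: conn from 10.255.255.9 to entity cpmi_server (0xb6dcc88) failed (119)'

# sic_failed_peers FILE
#   Prints "<peer IP> <error code>" for every failed SIC connection in FILE,
#   so you can see which peers fail and with which code.
sic_failed_peers() {
    sed -n 's/.*conn from \([0-9.]*\) to entity .* failed (\([0-9]*\)).*/\1 \2/p' "$1"
}

# sic_reset_needed FILE
#   Prints "yes" when FILE contains an error-313 connection failure together
#   with the "authentication methods are not initialized" message, else "no".
#   Exit status mirrors the answer (0 = yes, 1 = no).
sic_reset_needed() {
    file=$1
    c313=$(grep -c 'opsec_new_auth_conn_to_server: .* failed (313)' "$file" || true)
    cinit=$(grep -c 'SIC Error for cpmi: authentication methods are not initialized' "$file" || true)
    if [ "$c313" -gt 0 ] && [ "$cinit" -gt 0 ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_FWM_ELG" > "$tmp"
echo "failed SIC peers (ip code):"
sic_failed_peers "$tmp"
if sic_reset_needed "$tmp" >/dev/null; then
    echo "ICA not initialized: run 'fwm sic_reset', then re-initialize the ICA via cpconfig"
else
    echo "no uninitialized-ICA error found: do not reset SIC"
fi
rm -f "$tmp"
```

The peer with error 119 in the sample is deliberately left out of the decision: the reset only addresses the uninitialized ICA, and other SIC codes need their own investigation.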

Restoring a failed VSX NGX cluster member

If a member of a VSX NGX cluster fails, the restore procedure is as follows:

  • do a clean install of SecurePlatform on the failed member (after you have repaired it)
  • make sure that at least the interface that communicates with the SmartCenter Server is configured correctly
  • run cpconfig on the member and select the CPHA component for installation (and SecureXL as well, if you have the license for it)
  • enter the activation key (the SIC one-time password) and stop there; the rest is driven from the SmartCenter Server
  • log into the SmartCenter Server (here I assume it runs on Linux)
  • from the shell, as root, issue the vsx_util reconfigure command
  • follow the on-screen instructions for the SmartCenter Server IP address, username and password
  • when asked which VSX gateway you want to restore, type the IP address of the newly installed member
  • enter the activation key when asked for it (it is the same one you typed earlier on the VSX member)
  • wait while the VSX cluster member is being restored and, after it reports that it has finished, log into the VSX member and issue reboot
  • after the member has rebooted, log into it and check the cluster state with the cphaprob state command


Importing configuration with multiple policy revisions

If you try to do an upgrade_import from an archive that contains many policy revisions (more than 10, say), it is quite likely that the import will fail. In that case it is advisable to follow the steps below:

  • do an upgrade_export of the full configuration (this archive keeps all the revisions)
  • log on with SmartDashboard and delete all the previous revisions
  • do another upgrade_export, now with far fewer revisions in it
  • run upgrade_import of the smaller archive on the new target machine
  • copy the archive with all the revisions to the new machine
  • unpack it (it is a gzipped tar) and copy the revisions directory over the newly imported configuration

For some reason, the Check Point upgrade script times out when importing many revisions.

"Infinite" timeout for a service

If you need a TCP or UDP service to have a timeout longer than the maximum you can set in SmartDashboard, you have to use dbedit as follows:

To give a service an "infinite" timeout:

 modify services <service name> timeout 2147483647
 update services <service name>

2147483647 is 2^31 - 1, the largest signed 32-bit value, which is why it is the effective maximum; it amounts to roughly 68 years, so while not literally infinite it is close enough :) Keep in mind that a connection matched to such a service stays in the connections table until the endpoints close it, so apply this only to the specific service that needs it, not to a broad one.
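Typing the two dbedit lines interactively is fine once, but for repeatable changes a small script file passed to dbedit is safer, and the value should be checked before it reaches the database, since anything above 2^31 - 1 does not fit the field. The script below is an added example, not from the original page: it writes the dbedit commands for a given service into a file, rejects timeouts outside 1..2147483647, and shows how many years the maximum represents. The service name, the output path and the use of dbedit -local -f to apply the file on the SmartCenter Server are the editor's assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): build and validate a dbedit
# script that sets a long service timeout. The service name, the file path and
# the 'dbedit -local -f' invocation are assumptions for illustration.

MAX_TIMEOUT=2147483647   # 2^31 - 1: the largest signed 32-bit value

# timeout_years SECONDS: whole years contained in SECONDS (365.25-day years).
timeout_years() {
    echo $(( $1 / 31557600 ))
}

# make_timeout_script SERVICE SECONDS FILE
#   Writes "modify ... / update ... / quit" for SERVICE into FILE.
#   Returns 1 and leaves FILE untouched when SECONDS is not an integer
#   in the range 1..MAX_TIMEOUT.
make_timeout_script() {
    svc=$1; secs=$2; out=$3
    case $secs in
        ''|*[!0-9]*) echo "timeout must be a positive integer, got '$secs'" >&2; return 1 ;;
    esac
    secs=$(printf '%s' "$secs" | sed 's/^0*//')   # drop leading zeros
    [ -n "$secs" ] || secs=0
    # Length check first so an oversized number never reaches the arithmetic test.
    if [ ${#secs} -gt 10 ] || [ "$secs" -gt "$MAX_TIMEOUT" ] || [ "$secs" -lt 1 ]; then
        echo "timeout must be between 1 and $MAX_TIMEOUT, got '$2'" >&2
        return 1
    fi
    printf 'modify services %s timeout %s\nupdate services %s\nquit\n' "$svc" "$secs" "$svc" > "$out"
}

# Demonstration: write the script for a hypothetical service and show it.
script=$(mktemp)
make_timeout_script long_lived_tcp "$MAX_TIMEOUT" "$script"
cat "$script"
echo "$MAX_TIMEOUT seconds is about $(timeout_years "$MAX_TIMEOUT") years"
# On the SmartCenter Server the file would then be applied with:
#   dbedit -local -f "$script"
rm -f "$script"
```

Running dbedit with -f from a file keeps the change reviewable and lets the same script be re-applied after a restore; the validation matters because dbedit itself will not stop you from writing a value the field cannot hold.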

Clearing the lichosts entries

If your firewall starts logging messages such as "too many internal hosts detected", you can clear the table of counted hosts with the following command:

 fw tab -t hosts_table -x

The count is the number of internal hosts the gateway has seen against its licensed limit (fw lichosts lists them), so clearing the table is only a stopgap: if the count climbs back over the limit, check that no interface facing external or shared networks is defined as internal in the gateway topology, or get a license that covers the real number of hosts.