Network Security Firewalls

RE: management module crashed

Subject: RE: management module crashed
Date: Thu, 8 Sep 2005 10:30:00 +1000
Hi Bill,
 
Hmmm.... that's a bit of a sticky situation to be in. >:) I hope, that
even though the server has crashed, that you have the ability to pull
files off it?
 
Here's a relatively straightforward procedure (taken from
SecureKnowledge):
 
 PROCEDURE: 
--------------------- 
1) Perform a clean installation of the VPN-1/FireWall-1 Primary
SmartCenter Server. After installation completion DO NOT: 
- Reboot. 
- Start services. 
- Log in with any part of SmartConsole. 

(Violation of the above requires reinstallation.) 

2) Copy the files objects_5_0.C, rulebases_5_0.fws, and fwauth.NDB* to
$FWDIR/conf, from the failed SmartCenter Server to the newly installed
SmartCenter Server. 

3) Delete all certificates from the objects_5_0.C file. This is
accomplished by editing the objects_5_0.C file, searching for
"certificates ( ... )", and removing the data between the parentheses.
Repeat this task for all occurrences of the parameter "certificates (
... )". 

4) Execute a "SIC reset" and initialize Internal Certificate Authority
(ICA) on the SmartCenter Server, as prescribed in sk14526
<https://secureknowledge.us.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk14526>
"What to do when the Certificate Authority cannot be initialized on the
Management Module". 

5) Log into SmartDashboard, and evaluate the newly restored SmartCenter
Server configuration. 
 
 
SK14526:
************************************************************************
 Procedure 

On SmartCenter Server 
1. Issue the "fwm sic_reset" command. The following interaction will
take place: 
------------------------------------------------------------------------
C:\>fwm sic_reset 
***************** Warning: **************** 
This operation will reset the Secure Internal Communication (SIC). 
The internal Certificate Authority will be destroyed and Check Point Components 
will not be able to communicate. 
You will have to perform the following operations to enable communication: 
1. Re-initialize the internal Certificate Authority (use cpconfig). 
2. Restart Check Point Services (cpstart, cpridstart). 
3. Reset SIC on each Station that is managed by this SmartCenter Server. 
4. Re-establish Trust with each Station that is managed by 
this SmartCenter Server. 
******************************************* 
This operation will stop all Check Point Services (cpstop) 
Are you sure you want to reset? (y/n) [n] ? y 

*** Checking IKE Certificates *** 

*** Stopping services *** 
The Check Point FireWall-1 service is stopping... 
The Check Point FireWall-1 service was stopped successfully. 

The Check Point SVN Foundation service is stopping... 
The Check Point SVN Foundation service was stopped successfully. 

The Check Point Remote Installation Daemon service is not started. 

More help is available by typing NET HELPMSG 3521. 


*** Destroying internal Certificate Authority *** 

*** Updating objects database *** 

SIC Reset operation completed successfully 

C:\> 
------------------------------------------------------------------------
2. Select Start > Programs > Check Point SMART Clients > Check Point
Configuration NG (or issue the "cpconfig" command) 
3. In the Check Point Configuration Tool dialog box, select the
Certificate Authority tab 
4. In the Certificate Authority tab, click on Initialize and Start
Certificate Authority
5. A dialog box with the following message will be displayed:

cpconfig
Your Certificate Authority was initialized successfully

6. Click on OK
7. Make sure the name specified in the Management FQDN field of the
Management FQDN section is the FQDN (Fully Qualified Domain Name) of the
management module, such as "fw.chicago.com". When the name in the
Management FQDN field does not contain the host name and the domain name
of the management module, such as "fw", a dialog box with the following
message will be displayed after clicking on Send to CA in the Management
FQDN section:

cpconfig
Warning: The FQDN might be incorrect!
Make sure it contains the host name and the domain name.
Click OK only if you are sure the FQDN is correct.

8. Click on Send to CA in the Management FQDN section
9. A dialog box with the following message will be displayed:

cpconfig
If the FQDN is incorrect, the Internal CA cannot function properly, and
CRL retrieval will be impossible.
Please re-check the FQDN.
Click OK only if you are sure the FQDN is correct.

10. Click on OK
11. A dialog box with the following message will be displayed.

cpconfig
The Management FQDN was sent successfully to the CA

12. Click on OK
13. Click on OK in the Check Point Configuration Tool dialog box
14. Issue the following command to start the management module:

cpstart 
************************************************************************
 
 
Hope this helps. Good luck.
 
Peace,
 
Jason Ha [CISSP, CCSE, JNCIS-FWV] 
Senior Security Engineer, 
Security Operations Centre 

VeriSign Asia Pacific 
E: jha@verisign.com.au 
W: www.verisign.com.au 


________________________________

From: Bill Smith [mailto:vinet138@yahoo.com] 
Sent: Wednesday, 7 September 2005 8:43 PM
To: firewalls@securityfocus.com
Subject: management module crashed


Hi Folks,
 
My FW1 management module has crashed and there is no backup.
Only the enforcement module is surviving. It is still running.
Now I can't do anything.
 
Does anyone have any idea how to recover it from rules.C and objects?
 
bill
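
Step 3 of the procedure above (emptying every "certificates ( ... )" block in objects_5_0.C) is easy to get wrong by hand when the blocks are nested. The following is an added example, not part of the original e-mail and not Check Point tooling. It assumes that blocks are delimited by balanced parentheses and that double-quoted values may contain parentheses; the function names and the sample text are hypothetical.

```python
import re

# Assumption: the parameter appears as "certificates (", optionally ":"-prefixed,
# and values may be double-quoted strings that can themselves contain parentheses.
_OPEN = re.compile(r'\bcertificates\s*\(')

def _matching_paren(text, start):
    """Index of the ')' that closes the '(' located just before `start`."""
    depth, in_quote, i = 1, False, start
    while i < len(text):
        ch = text[i]
        if in_quote:
            if ch == '\\':
                i += 1                 # skip the escaped character
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced parentheses after offset %d" % start)

def strip_certificates(text):
    """Empty every certificates ( ... ) block; return (new_text, blocks_emptied)."""
    out, pos, emptied = [], 0, 0
    while (m := _OPEN.search(text, pos)) is not None:
        close = _matching_paren(text, m.end())
        out.append(text[pos:m.end()])          # keep up to and including '('
        emptied += bool(text[m.end():close].strip())
        pos = close                            # resume at the matching ')'
    out.append(text[pos:])
    return "".join(out), emptied

# Constructed sample shaped like an objects file; not real data.
SAMPLE = '''(
  : (fw-gw
    :certificates (
      : (defaultCert :dn ("CN=fw-gw :),O=example") :status (signed))
    )
    :ipaddr (192.0.2.1)
  )
  : (mgmt :certificates ())
)'''
```

Run it against a copy of the file taken from the failed server and keep the untouched original. A `ValueError` means the file is truncated or damaged and should not be loaded as-is.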
