Network Security Firewalls

RE: management module crashed

Subject: RE: management module crashed
Date: Fri, 9 Sep 2005 10:08:20 +0300
Jason is right, but I'd like to warn you about an important matter. Do
not ever edit the objects_5_0.c file with any text editor, whether your
management server runs on Windows or on a Unix-based server. Rather, you
should use the command-line utility 'dbedit', which comes with the Checkpoint
software itself. I hope it works properly, by the way.

And likewise, you must remove the certificate(s) with the 'GUIDBedit'
utility, which you can find in the Policy Editor/SmartDashboard
installation directory. Search for 'certificate' there, and delete the
entry(ies) that come up.

Since enforcement module and man. module communication depends on PKI,
you should definitely re-install the man. module and re-establish trust
between modules. You may require the 'fw unloadlocal' and 'fw ctl uninstall'
commands on the enforcement module on behalf of the 'fw sic_reset' command.

Hope you can overcome the problem soon.

         -----Original Message-----
        From: Ha, Jason [mailto:JHa@verisign.com.au] 
        Sent: Thursday, September 08, 2005 3:30 AM
        To: Bill Smith; firewalls@securityfocus.com
        Subject: RE: management module crashed
        
        
        Hi Bill,
         
        Hmmm.... that's a bit of a sticky situation to be in. >:) I
hope, that even though the server has crashed, that you have the ability
to pull files off it?
         
        Here's a relatively straightforward procedure (taken from SecureKnowledge):
         
         PROCEDURE: 
        --------------------- 
        1) Perform a clean installation of the VPN-1/FireWall-1 Primary SmartCenter Server. After installation completion DO NOT:
        - Reboot.
        - Start services.
        - Log in with any part of SmartConsole.

        (Violation of the above requires reinstallation.)

        2) Copy the files objects_5_0.C, rulebases_5_0.fws, and fwauth.NDB* to $FWDIR/conf, from the failed SmartCenter Server to the newly installed SmartCenter Server.

        3) Delete all certificates from the objects_5_0.C file. This is accomplished by editing the objects_5_0.C file, searching for "certificates ( ... )", and removing the data between the parentheses. Repeat this task for all occurrences of the parameter "certificates ( ... )".

        4) Execute a "SIC reset" and initialize Internal Certificate Authority (ICA) on the SmartCenter Server, as prescribed in sk14526 <https://secureknowledge.us.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk14526> "What to do when the Certificate Authority cannot be initialized on the Management Module".

        5) Log into SmartDashboard, and evaluate the newly restored SmartCenter Server configuration.
         
         
        SK14526:
        
        ****************************************************************************************************************************
         Procedure

        On SmartCenter Server
        1. Issue the "fwm sic_reset" command. The following interaction will take place:

        ------------------------------------------------------------------------------------------
        C:\>fwm sic_reset
        ***************** Warning: ****************
        This operation will reset the Secure Internal Communication (SIC).
        The internal Certificate Authority will be destroyed and Check Point Components
        will not be able to communicate.
        You will have to perform the following operations to enable communication:
        1. Re-initialize the internal Certificate Authority (use cpconfig).
        2. Restart Check Point Services (cpstart, cpridstart).
        3. Reset SIC on each Station that is managed by this SmartCenter Server.
        4. Re-establish Trust with each Station that is managed by
        this SmartCenter Server.
        *******************************************
        This operation will stop all Check Point Services (cpstop)
        Are you sure you want to reset? (y/n) [n] ? y

        *** Checking IKE Certificates ***

        *** Stopping services ***
        The Check Point FireWall-1 service is stopping...
        The Check Point FireWall-1 service was stopped successfully.

        The Check Point SVN Foundation service is stopping...
        The Check Point SVN Foundation service was stopped successfully.

        The Check Point Remote Installation Daemon service is not started.

        More help is available by typing NET HELPMSG 3521.


        *** Destroying internal Certificate Authority ***

        *** Updating objects database ***

        SIC Reset operation completed successfully

        C:\>

        ------------------------------------------------------------------------------------------
        2. Select Start > Programs > Check Point SMART Clients > Check Point Configuration NG (or issue the "cpconfig" command)
        3. In the Check Point Configuration Tool dialog box, select the Certificate Authority tab
        4. In the Certificate Authority tab, click on Initialize and Start Certificate Authority
        5. A dialog box with the following message will be displayed:
        
        cpconfig
        Your Certificate Authority was initialized successfully
        
        6. Click on OK
        7. Make sure the name specified in the Management FQDN field of the Management FQDN section is the FQDN (Fully Qualified Domain Name) of the management module, such as "fw.chicago.com". When the name in the Management FQDN field does not contain the host name and the domain name of the management module, such as "fw", a dialog box with the following message will be displayed after clicking on Send to CA in the Management FQDN section:
        
        cpconfig
        Warning: The FQDN might be incorrect!
        Make sure it contains the host name and the domain name.
        Click OK only if you are sure the FQDN is correct.
        
        8. Click on Send to CA in the Management FQDN section
        9. A dialog box with the following message will be displayed:
        
        cpconfig
        If the FQDN is incorrect, the Internal CA cannot function properly, and CRL retrieval will be impossible.
        Please re-check the FQDN.
        Click OK only if you are sure the FQDN is correct.
        
        10. Click on OK
        11. A dialog box with the following message will be displayed.
        
        cpconfig
        The Management FQDN was sent successfully to the CA
        
        12. Click on OK
        13. Click on OK in the Check Point Configuration Tool dialog box
        14. Issue the following command to start the management module:
        
        cpstart 
        
        ****************************************************************************************************************************
         
         
        Hope this helps. Good luck.
         
        Peace,
         
        Jason Ha [CISSP, CCSE, JNCIS-FWV] 
        Senior Security Engineer, 
        Security Operations Centre 

        VeriSign Asia Pacific 
        E: jha@verisign.com.au 
        W: www.verisign.com.au 



  _____  

        From: Bill Smith [mailto:vinet138@yahoo.com] 
        Sent: Wednesday, 7 September 2005 8:43 PM
        To: firewalls@securityfocus.com
        Subject: management module crashed
        
        
        Hi Folks,
         
        My FW1 management module has crashed and there is no backup.
        Only the enforcement module is surviving. It is still running.
        Now I can't do anything.

        Does anyone have any idea how to recover it from rules.C and objects?
         
        bill
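
Step 3 of the procedure quoted in this thread requires every "certificates ( ... )" block to be emptied before the SIC reset. The following added example (not part of the original posts and not Check Point code) is a read-only check that lists which blocks in a copy of objects_5_0.C still hold data; it changes nothing in the file. The sample text is constructed, and its nested-parenthesis syntax is an assumption based on the "certificates ( ... )" pattern quoted above.

```python
import re

# Constructed sample in the nested-parenthesis style the thread quotes
# ("certificates ( ... )"); object and field names are made up.
SAMPLE = '''(
    : (gw-example
        :ipaddr (192.0.2.1)
        :certificates (
            : (defaultCert
                :dn ("CN=gw-example (constructed)")
            )
        )
    )
    : (mgmt-example
        :certificates ()
    )
)
'''

CERT_OPEN = re.compile(r'certificates\s*\(')


def find_cert_blocks(text):
    """Return (line_number, inner_text) for each 'certificates ( ... )' block."""
    blocks = []
    for m in CERT_OPEN.finditer(text):
        depth, in_str, i = 1, False, m.end()
        while i < len(text) and depth:
            ch = text[i]
            if ch == '"':
                in_str = not in_str          # parentheses inside quotes do not count
            elif not in_str:
                depth += (ch == '(') - (ch == ')')
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses after offset %d" % m.start())
        line = text.count('\n', 0, m.start()) + 1
        blocks.append((line, text[m.end():i - 1]))
    return blocks


def remaining_certs(text):
    """Line numbers of certificates blocks that still contain data."""
    return [line for line, inner in find_cert_blocks(text) if inner.strip()]


if __name__ == "__main__":
    for line in remaining_certs(SAMPLE):
        print("certificates block at line %d still contains data" % line)
```

An empty result from `remaining_certs` means no certificate data is left in the copy; a `ValueError` means the parentheses no longer balance and the file should not be loaded as-is.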

        