How To Repair A Corrupt Smartcenter Installation

This article details how to repair a corrupt smartcenter step-by-step. This process is valid for both Windows and *nix-based installations and platform-specific instructions are pointed out where necessary.

In fact, the word “repair” is somewhat misleading as what we really do is create a new smartcenter and use configuration files from the old install to effectively make a clone – all certificates, ICA, VPN etc will remain as they were so no re-SIC will be required with the gateway modules once you are up and running.

There are two ways to restore – minimal and complete. “Minimal” will make sure that all objects, rules, certificates and the user database are restored, which is all that is needed a lot of the time. If, however, you would like to do a “complete” restore that also includes licensing and database versions, the files required for that are listed as well.

In addition, at the end of the article are two simple commands which can be used to gather up all of the files and place them in an archive for easy retrieval!

Minimal Restore Requirements

Objects and Rulebase

The following files are required to restore a smartcenter’s rulebase, objects and user database. The first two files are absolutely necessary and there is no point proceeding without them; fwauth.NDB is needed to restore the user database:

  • $FWDIR/conf/objects_5_0.C
  • $FWDIR/conf/rulebases_5_0.fws
  • $FWDIR/conf/slprulebases_5_0.fws
  • $FWDIR/conf/fgrules.fws
  • $FWDIR/conf/fwauth.NDB

Notes:

  1. Check Point stores all the rulebases in one file, called ‘rulebases_5_0.fws’. This is the only rulebase file needed.
  2. Check Point stores the desktop security rulebase in a database file called ‘slprulebases_5_0.fws’ (Secure LAN Policy).
  3. Check Point stores all the objects, services, etc in one database file called ‘objects_5_0.C’.
  4. Check Point users are stored in the file ‘fwauth.NDB’.
  5. On Windows machines, %FWDIR%\conf\fwauth.NDB is only the pointer to the real user database file, for example, %FWDIR%\conf\fwauth.NDB522. In this case, rename the real database file %FWDIR%\conf\fwauth.NDB522 with the name %FWDIR%\conf\fwauth.NDB.

Internal Certificate Authority Files

The ICA is what all other certificates are based on – SIC, VPN etc. Restoring these files is necessary to avoid having to re-set up certificate-based VPNs and remote-worker certificates and re-establish SIC with all managed gateways.

  • $FWDIR/conf/InternalCA.*
  • $FWDIR/conf/ICA*.*
  • $CPDIR/conf/sic_cert.p12
  • $FWDIR/conf/crls/*

Registry Data – SecurePlatform & Gaia

/opt/CPshared/registry/HKLM_registry.data

– copy everything under ‘SIC’

Registry Data – Windows OS

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SIC

(export this key and then import it on the target machine)

Full Restore Requirements

The following represents the complete set of files essential for a database restore:

  • $CPDIR/conf/cp.license
  • $CPDIR/conf/sic_cert.p12
  • $CPDIR/database/*.C
  • $CPDIR/registry/*
  • $FWDIR/conf/lists/*
  • $FWDIR/conf/*.fws
  • $FWDIR/conf/*.conf (except for ‘components_reg.conf’, ‘fwrl.conf’, ‘cpmad_rulebase.conf’)
  • $FWDIR/conf/masters
  • $FWDIR/conf/fwmusers
  • $FWDIR/conf/gui-clients
  • $FWDIR/conf/*.C (except for ‘mv_doc.C’, ‘classes.C’, ‘scheme.C’, ‘fields.C’, ‘tables.C’, ‘rtmclasses.C’, ‘default_objects.C’)
  • $FWDIR/conf/db_versions/Database/versioning_db.fws
  • $FWDIR/conf/vpe/*
  • $FWDIR/conf/XML/*
  • $FWDIR/conf/cpsc/*
  • $FWDIR/conf/I*
  • $FWDIR/conf/crls/*
  • $FWDIR/conf/db_versions/repository/*
  • $FWDIR/conf/fwauth.NDB
  • $FWDIR/conf/DiapCpdList.NDB
  • $FWDIR/conf/DiapFwmList.NDB
  • $FWDIR/conf/DAIP_RS_Database.NDB
  • $FWDIR/conf/robo-gateways.NDB
  • $FWDIR/conf/robo-control.NDB
  • $FWDIR/conf/robo-ike.NDB

Note: If logs are required then the contents of $FWDIR/log/ should also be included (note that $FWDIR/log/ is a symbolic link to another partition on the hard disk and files should be retrieved from there).

Restore Process

  1. Back up the files noted herein, offloading to a secure location.
  2. Install the same version and feature set onto the replacement Security Management Server, ensuring that the same hostname and leading IP address are used.
  3. Perform the installation as though this was a clean (new) Security Management Server installation.
  4. If the new Security Management Server is rebooted at the conclusion of the installation, run ‘cpstop’ before restoring the files.
  5. Copy the backups from Step 1 to the fresh installation.
  6. Extract the backups to their appropriate locations.
  7. Before executing ‘cpstart’, delete $FWDIR/conf/applications.C and the $FWDIR/conf/CPMILink* files.

Automate File Retrieval

Use the commands below to automate retrieval of the files specified above. The files will be bundled into two archives named backup1.tgz and backup2.tgz.

Note: This does assume that the Check Point path variables $CPDIR and $FWDIR are available:

[Expert@mgmt]# tar -czvf backup1.tgz $FWDIR/conf/objects_5_0.C $FWDIR/conf/gui-clients $FWDIR/conf/fwmusers $FWDIR/conf/rulebases_5_0.fws $FWDIR/conf/slprulebases_5_0.fws $FWDIR/conf/fgrules.fws $FWDIR/conf/fwauth.NDB $FWDIR/conf/InternalCA.* $FWDIR/conf/ICA*.* $CPDIR/conf/sic_cert.p12 $CPDIR/conf/cp.license $CPDIR/registry/HKLM_registry.data $FWDIR/conf/crls

[Expert@mgmt]# tar -czvf backup2.tgz $CPDIR/conf/cp.license $CPDIR/conf/sic_cert.p12 $CPDIR/database/*.C $CPDIR/registry $FWDIR/conf/lists/* $FWDIR/conf/*.fws $FWDIR/conf/*.conf $FWDIR/conf/fwmusers $FWDIR/conf/masters $FWDIR/conf/*.C $FWDIR/conf/db_versions/Database/versioning_db.fws $FWDIR/conf/gui-clients $FWDIR/conf/vpe/* $FWDIR/conf/XML/* $FWDIR/conf/cpsc/* $FWDIR/conf/I* $FWDIR/conf/crls/* $FWDIR/conf/*.NDB
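As an added example (not part of the original article and not Check Point tooling), the minimal-restore file list and the restore steps above can be scripted with a few safeguards the bare tar commands lack: the script refuses to run when either of the two mandatory files is missing, writes a SHA-256 manifest beside the archive so the copy can be verified on the replacement server before anything is extracted, and performs the step-7 clean-up of applications.C and CPMILink* before cpstart. The function names, the .sha256 manifest and the use of sha256sum are assumptions; the file paths are the ones listed in the article.

```shell
#!/bin/sh
# Added example: bundle the article's minimal-restore file set with checks.
# Not Check Point tooling; function names and the .sha256 manifest are assumptions.
# On the old server:   collect_minimal_backup "$FWDIR" "$CPDIR" /var/tmp/backup1.tgz
# On the new server:   verify_backup /var/tmp/backup1.tgz && tar -xzf /var/tmp/backup1.tgz -C /
#                      pre_cpstart_cleanup "$FWDIR"      # then cpstart

# BSD/macOS fallback so the manifest code also works where sha256sum is absent.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Without these two files there is no point proceeding (article, "Objects and Rulebase").
MANDATORY="conf/objects_5_0.C conf/rulebases_5_0.fws"
# Remaining $FWDIR entries of the minimal list; globs expand relative to $FWDIR.
OPTIONAL_FW="conf/slprulebases_5_0.fws conf/fgrules.fws conf/fwauth.NDB conf/InternalCA.* conf/ICA*.* conf/crls/*"
# $CPDIR entries: SIC certificate and the registry file that holds the SIC data.
OPTIONAL_CP="conf/sic_cert.p12 registry/HKLM_registry.data"

# list_present BASE "PATTERNS": print every existing regular file matching BASE/PATTERN.
list_present() {
    base=$1
    set -f; set -- $2; set +f        # split patterns on whitespace without globbing yet
    for pat in "$@"; do
        for f in "$base"/$pat; do    # the glob expands here, against the real directory
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
}

# collect_minimal_backup FWDIR CPDIR OUT.tgz -> 0 on success, 1 if a mandatory file is missing.
collect_minimal_backup() {
    fwdir=$1; cpdir=$2; out=$3
    for m in $MANDATORY; do
        [ -f "$fwdir/$m" ] || { echo "missing mandatory file: $fwdir/$m" >&2; return 1; }
    done
    listfile=$(mktemp) || return 1
    { list_present "$fwdir" "$MANDATORY $OPTIONAL_FW"
      list_present "$cpdir" "$OPTIONAL_CP"; } | sort -u > "$listfile"
    # Manifest next to the archive; Check Point paths contain no spaces, so word splitting is safe.
    sha256sum $(cat "$listfile") > "$out.sha256" || { rm -f "$listfile"; return 1; }
    # Store paths without the leading '/', so the archive extracts to the same locations with -C /.
    tar -czf "$out" -C / $(sed 's#^/##' "$listfile")
    rc=$?
    rm -f "$listfile"
    return $rc
}

# verify_backup OUT.tgz -> 0 only if every file in the manifest still has the recorded hash.
verify_backup() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# pre_cpstart_cleanup FWDIR: article step 7, run after extraction and before cpstart.
pre_cpstart_cleanup() {
    rm -f "$1"/conf/applications.C "$1"/conf/CPMILink*
}
```

Run the verification on the replacement server against the copied archive and manifest before running tar; a mismatch means the copy (not the original server) is what needs fixing, which is cheaper to discover before cpstop and extraction than after.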

Restore the SmartUpdate Generate CPInfo Menu Option

This article describes how to restore the SmartUpdate “Generate CPInfo” menu option which has been disabled by default since the R77 release.

Background

A CPInfo can be generated by the standard “cpinfo -z -o <filename>” command on the console and then either FTP’d from the gateway / management centre to a local server or copied off using WinSCP or equivalent.

There can however be issues here, including:

  • There is no local FTP server to transfer the file to, or technicians do not know how to use FTP from the command line
  • A security rule prevents FTP / SCP / SFTP between the gateway / management station and the FTP/SCP/SFTP client
  • WinSCP sometimes has buffer issues and the copy fails
  • The default shell on the gateway / management centre must be changed to /bin/bash for the WinSCP connection to work

A much easier way for the less technically minded is to use SmartUpdate – the Checkpoint console application – to generate and save a copy of the cpinfo on the local machine.

Since R77, however, this option has been disabled and the only option is to “Upload diagnostics CPInfo to Checkpoint.” This is fine if you have a direct-to-vendor support contract, but all companies except the largest corporations go through a reseller who will require a CPInfo for support purposes.

Using SmartUpdate to Generate a CPInfo

To re-enable the local “Generate CPInfo” menu, follow these instructions:

1. File -> Tools -> Upload diagnostics (CPInfo) to Checkpoint -> Settings

[Screenshot: Open the settings menu]

2. Enable the Generate CPInfo menu

[Screenshot: Enable “Generate cpinfo” menu]

3. Exit and restart the application

4. Locate the gateway, right click and choose “Generate CPInfo”:

[Screenshot: Choose “Generate CPInfo”]

Now you can generate CPInfos and save them from the application directly to your desktop – just like in the old days!

Checkpoint: Find The Serial Number of IP Appliances Via CLI

Sometimes it is necessary to find the serial number of IP appliances but you either don’t have physical access to the machine or someone has removed the sticker from the side or bottom. This article lists methods to retrieve the serial via the command line interface (CLI).

1. If you are physically next to the device, look for a label on the physical box.

2. If you are remotely accessing the firewall, log into Voyager, then look for “Unit SN” under the “Basic IPSO Information” section of the homepage.

3. On the CLI (either SSH or console), run the following IPSO command:

ipso[admin]# ipsctl hw:eeprom:serial_number

hw:eeprom:serial_number = 7Hxxxxxxxx4

OR

ipso[admin]# ipsctl -a | grep "serial"
hw:eeprom:motherboard:serial_number = 94072202114
hw:eeprom:cpci_1:serial_number = 94072301073
hw:eeprom:cpci_2:serial_number = 94072301093
hw:eeprom:power_a:serial_number = SH52618
hw:eeprom:power_b:serial_number = SH52471
hw:eeprom:wx_3:serial_number = 94072202755
hw:eeprom:viper_4:serial_number = 94072300835
hw:eeprom:wx_1_1:serial_number = 94073601141
hw:eeprom:serial_number = 7Hxxxxxxxx4
hw:motherboard:serialnumber = 0
hw:chassis:serialnumber = 7Hxxxxxxxx4

This will give you all serial numbers related to different parts – the chassis is the last in the list and it is this serial number which is most commonly used.

4. In the clish shell (enter “clish” on the command line):

NokiaIP1260:102> show asset hardware
Chassis Serial Number: 7Hxxxxxxxx4
CPU Model: Pentium 4/XEON
CPU MFR: GenuineIntel
CPU Frequency: 2794587100
Memory: 1073741824
Disk 0 Model: STI Flash 8.0.0
Disk 0 Capacity: 128MB
Disk 1 Model: FUJITSU MHV2040AS
Disk 1 Capacity: 40007MB
Platform: IP1260
Bios Vendor: Hilo BIOS
Bios Version: 5.0-1.5
Bios Date: 10-19-2004
Motherboard Serial Number: 0
Motherboard Revision: B01
Motherboard Model: HILO-RCC1

5. For Nokia IP VPN devices:

hostname> show fru

MAIN (MOTHERBOARD) EEPROM FRU INFO:
-----------------------------------
Product Name: 10i
EEPROM info format rev num: 6
Number of slots: 0
MAC address count: 3
Base MAC address: 00:A0:8E:XX:XX:XX
System serial number: 7HXXXXXXXXX
System Agile part number: N806189001
System Agile H/W rev: C
Onboard MAC count: 3
System PCA Agile P/N base: 6187
System PCA Agile P/N suffix: 1

6. For former Nokia IPS platforms, please run the following command:

ip390ips ~ # cat /proc/nokia/nvram/serial_num

7. For UTM-1 EDGE devices, you can also run the command:

EDGE:XX> show asset hardware
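The ipsctl and clish outputs above use different layouts (key = value versus Key: value) and carry unpopulated fields that read as 0 (hw:motherboard:serialnumber = 0). As an added example, not an IPSO or Check Point utility, the shell function below normalises pasted output of either format into the single chassis serial an asset inventory needs, skipping 0 placeholders and falling back to hw:eeprom:serial_number when the chassis key is absent. The function name and the sample inputs are assumptions; the samples are constructed from the masked output shown in this article.

```shell
#!/bin/sh
# Added example: extract a chassis serial from pasted 'ipsctl -a' or
# 'show asset hardware' output read from stdin. Hypothetical inventory helper,
# not an IPSO command. Prints the serial and returns 0; returns 1 if none found.
chassis_serial() {
    in=$(cat)
    # Preferred keys first; the eeprom key is the fallback used on the page.
    for pat in 's/^hw:chassis:serialnumber *= *//p' \
               's/^Chassis Serial Number: *//p' \
               's/^hw:eeprom:serial_number *= *//p'; do
        s=$(printf '%s\n' "$in" | sed -n "$pat" | head -n 1 | tr -d '\r')
        # Unpopulated EEPROM fields read as 0 in the article's output, so skip those.
        if [ -n "$s" ] && [ "$s" != 0 ]; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# Constructed samples (serials masked as in the article, not real devices).
SAMPLE_IPSCTL='hw:eeprom:motherboard:serial_number = 94072202114
hw:eeprom:serial_number = 7Hxxxxxxxx4
hw:motherboard:serialnumber = 0
hw:chassis:serialnumber = 7Hxxxxxxxx4'
SAMPLE_CLISH='Chassis Serial Number: 7Hxxxxxxxx4
CPU Model: Pentium 4/XEON
Platform: IP1260'

# Usage with a live box:  ssh admin@firewall 'ipsctl -a' | sh serial.sh
# Usage with the sample:
printf '%s\n' "$SAMPLE_IPSCTL" | chassis_serial
```

Feeding the function the saved output of several appliances and comparing the result with the asset register is a quick way to spot a chassis that was swapped out under RMA without the inventory being updated.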