Checkpoint: Recover / Recreate a Dead Checkpoint Smartcenter from Files in $FWDIR

SmartCenter dead, only the disk survives. All credit to RStewart from cpshared for sharing the knowledge found in sk article sk32508, which unfortunately is internal only. I have only re-worded and re-formatted in places. If anything is wrong or missing, please let me know; I went through this process a couple of weeks ago and am now writing from memory.

  • Take the following 3 files from the SC’s conf directory ($FWDIR/conf):
    • objects_5_0.C
    • rulebases_5_0.fws
    • fwauth.NDB
  • Build a new SmartCenter of the same version
  • Install the Check Point software from the CD and reboot.
  • Go through sysconfig and configure the OS and the Check Point software. Set the hostname to match the CMA name as closely as you can.
  • Do not reboot and don’t start the products!
  • Put the 3 files above into $FWDIR/conf.
  • Reboot and once the server is up, check you can log in through the dashboard. If you can’t then either something very bad has happened or the instructions above weren’t followed to the T.
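Since the whole rebuild hinges on those three files being intact before the first reboot, here is a small staging script (an added example, not from the original post or from Check Point) that refuses to proceed if any of them is missing or empty on the salvaged disk, keeps a timestamped copy of whatever the fresh install already put in $FWDIR/conf, and verifies each copy byte-for-byte. The source directory argument (the mounted old disk's conf directory) and the backup suffix are assumptions of this example; it expects to run in expert mode with FWDIR set, or to be given the destination explicitly.

```shell
#!/bin/sh
# Added example: stage the three salvaged SmartCenter files into the new
# SmartCenter's $FWDIR/conf. Not Check Point code; the argument layout and
# the ".fresh-install.<timestamp>" backup suffix are this example's choices.

SC_FILES="objects_5_0.C rulebases_5_0.fws fwauth.NDB"

# Return 0 only when all three files exist and are non-empty under $1.
check_salvaged_files() {
  src="$1"
  missing=0
  for f in $SC_FILES; do
    if [ ! -s "$src/$f" ]; then
      echo "missing or empty: $src/$f" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# $1 = conf directory from the old disk, $2 = destination (default $FWDIR/conf).
# Exit status: 0 staged, 1 salvaged set incomplete, 2 copy verification failed.
stage_salvaged_files() {
  src="$1"
  if [ -n "$2" ]; then
    dst="$2"
  else
    dst="${FWDIR:?FWDIR is not set; enter expert mode or pass a destination}/conf"
  fi
  check_salvaged_files "$src" || return 1
  stamp=$(date +%Y%m%d%H%M%S)
  for f in $SC_FILES; do
    # Keep the fresh install's copy so the step can be undone.
    if [ -f "$dst/$f" ]; then
      cp -p "$dst/$f" "$dst/$f.fresh-install.$stamp"
    fi
    cp -p "$src/$f" "$dst/$f"
    # cmp confirms the destination matches the salvaged original exactly.
    if ! cmp -s "$src/$f" "$dst/$f"; then
      echo "copy verification failed: $f" >&2
      return 2
    fi
  done
  echo "staged $SC_FILES into $dst (backups tagged $stamp)"
}
```

Run it before the reboot in the step above, e.g. stage_salvaged_files /mnt/olddisk/var/opt/CPsuite-R75/fw1/conf (a made-up mount path); if it reports a missing file, stop and recover that file first rather than rebooting into a half-populated conf directory.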

Once you have successfully logged in with dashboard, you can progress to the next phase:

  • Follow the process to rename a SmartCenter, which is found in the sk article: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42071

Once the above is complete you will need to do a brutal fwm sic_reset – this involves manually removing any certificates from the objects file.

  • Follow the sk article below to remove the certificates: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk10451
  • Give it a reboot and you should be good to go

If you’re doing an upgrade from an unsupported version to an R7x.x one, the following docs may be useful:

  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R70.pdf
  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R71.pdf
  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R75.gif

Original reference: https://www.cpshared.com/forums/archive/index.php/t-1163.html

Checkpoint: Regenerate the Internal CA

Regenerate the Internal CA Without Breaking SIC

The internal CA certificate expires after 5 years, meaning that if you don’t catch this in time you won’t be able to log into the dashboard or the web UI. You can of course reset SIC on the command line using cpconfig but you will have to re-establish SIC with all your gateways which may be a lot of bother – besides that, any site-to-site or client certificate-based VPNs will also break. This article describes how to regenerate the internal CA without breaking SIC.

This is done on the command line and once completed (a matter of 5 minutes or less) then you will be able to log back in with SmartDashboard and push policies to all your managed gateways; all your certificate-based VPN operations will, quite happily, be none the wiser.

This example is from an R75.20 installation but is common to all versions up to R77.xx.

On the management station:

Enter expert mode and issue the following commands:

  1. Find the path to your existing (expired) certificate:
    [Expert@mgmt]# find / -name "sic_cert.p12"
    /var/opt/CPshrd-R75.20/conf/sic_cert.p12
    [Expert@mgmt]#
  2. Revoke the certificate:
    [Expert@mgmt]# cpca_client revoke_cert -n "CN=cp_mgmt"
  3. Create a new certificate based on the old one (use the path found in step 1):
    [Expert@mgmt]# cpca_client create_cert -n "CN=cp_mgmt" -f /var/opt/CPshrd-R75.20/conf/sic_cert.p12
  4. Restart your Check Point services:
    [Expert@mgmt]# cpstop
    [Expert@mgmt]# cpstart

You should now be able to log in with SmartDashboard and everything else which relies on SIC!
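The procedure above is only painless if you notice the expiry before it locks you out. The following check (an added example, not from the original post or from Check Point) reads the certificate out of a PKCS#12 file such as the sic_cert.p12 found in step 1 with openssl and reports whether it has already expired or will expire within a warning window, which is the kind of thing to run from cron on the management station. It assumes openssl is installed and that the .p12 password, if any, is supplied in openssl's -passin syntax (pass:..., file:...); nothing about Check Point's own key handling is assumed beyond the file being a standard PKCS#12 bundle.

```shell
#!/bin/sh
# Added example: warn before a PKCS#12 certificate (e.g. the SIC cert found
# in step 1) expires. Not Check Point code; relies only on standard openssl.
#
# check_sic_cert <p12 path> [warn days, default 90] [passin spec, default "pass:"]
# Exit status: 0 valid beyond the warning window, 2 expires within it,
#              3 already expired, 1 file unreadable or wrong password.
check_sic_cert() {
  p12="$1"
  warn_days="${2:-90}"
  passin="${3:-pass:}"

  # Extract only the certificate (no private key) as PEM.
  pem=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "$passin" 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1

  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')

  # -checkend N succeeds only if the certificate is still valid N seconds from now.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED: $p12 (notAfter $end)"
    return 3
  fi
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
    echo "WARNING: $p12 expires within $warn_days days (notAfter $end)"
    return 2
  fi
  echo "OK: $p12 valid for more than $warn_days days (notAfter $end)"
  return 0
}

# Example invocation on the path found in step 1 (expert mode, FWDIR-independent):
#   check_sic_cert /var/opt/CPshrd-R75.20/conf/sic_cert.p12 90
```

A non-zero exit status makes it easy to wire into whatever monitoring you already have; a 2 gives you time to schedule the revoke/create steps above, while a 3 means you are already in the situation this section exists to fix.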

Checkpoint: Restore Your Routes in SecurePlatform After ifconfig down / up Without A Network Restart

If you ifconfig down your external interface, your default route is deleted; ifconfig up, however, does not restore it. The general consensus is that this requires a service network restart, but that restarts all your interfaces – not nice and not necessary.

config net ctrl action startup

will re-read and re-insert the routes contained in /etc/sysconfig/netconf.C, the file which holds your default and static routes, and things will be sweet once more.