The hostname of the SmartCenter is an issue not because of the license, but because the Internal Certificate Authority (ICA) was initialized with that hostname. If you load an upgrade_export file onto a new SmartCenter with a different hostname, the ICA gets corrupted, and the only way around it is reinitializing it, which is a real pain (you have to back up files, delete files and manually modify some others).

If you already did this, you have two options: follow that procedure, or just do a reinstall and set the correct hostname before doing the import, which I would consider a lot easier if you are running SPLAT because it reinstalls everything pretty fast.

If you have no way around it and you MUST change the hostname of your SmartCenter, then follow the ICA reinitialization procedure. Attached I have included a txt file with the best documented procedure I have found; the ones from SecureKnowledge were not so detailed, but this one from the Nokia knowledgebase worked great for me once, even though I was not working with Nokia boxes back then.

Hope this info is useful.

Regards

On 8/27/06, Marendra Nutriaji <[EMAIL PROTECTED]> wrote:

Hi, thank you Reinhard,

I think I did it successfully. However, the hostname of the new firewall is different. How can I change the name of the primary SmartCenter? I heard it has a relation with the license; how can I do that?

Thanks

-----Original Message-----
From: Reinhard Stich [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 26, 2006 10:11 PM
To: [email protected]
Subject: [FW-1] AW: [FW-1] migration problems

hi,

first of all you have to define a new host-object for your new smartcenter-server and make it a smartcenter-server only. disable the fw1 running there. then create a new object for your nokia and setup SIC.

cheers
reinhard

--
Reinhard Stich [EMAIL PROTECTED]
Internet Security AG www.internet-security.at
** Check Point Connectra secured WebMail **

-----Original Message-----
From: Mailing list for discussion of Firewall-1 on behalf of Marendra Nutriaji
Sent: Sat 26.08.2006 04:08
To: [email protected]
Subject: [FW-1] migration problems

Hi,

I am new to Check Point, so I really need help regarding migration issues.

I have one standalone Check Point SecurePlatform. It is the firewall module and primary SmartCenter (Machine A). Then I have 1 Nokia IP 390 platform (Machine B), and 1 SmartCenter Server (SCS) based on SecurePlatform.

What I am trying to do:

Starting point:
Machine A --> SCS and Firewall Module

End point:
Machine B --> Firewall Module which has the same imported rule from Machine A
SCS --> Primary SmartCenter Management Server which manages Machine B

Basically, I want to split the SCS and firewall module onto another 2 servers.

What I have done:
1. Install Check Point on the Nokia
2. Install new SCS server
3. Export configuration from Machine A using upgrade export_tools
4. Import the exported configuration to the new SCS server

The last step was done without errors.

But I realized I have exported the primary SmartCenter configuration, so when I tried to reinitialize SIC on the SCS server (in SmartDashboard connected to the new SCS server) to make the new SCS server and the Nokia communicate, I couldn't; it was greyed out. How can I make it not become the primary SmartCenter, or are there any steps, links, suggestions based on experience, or concepts for splitting Machine A into 2 new machines? There is a link in the CP knowledgebase, but I am still confused about it. I hope anyone can help me...

Thank you in advance

Best Regards
marendra

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

--
Sergio Alvarez
(506)8301342

Description:

Sometimes a `fw sic_reset` does not work. We can forcibly remove some files to reset SIC.

Resolution:

To reset SIC forcibly please do the following:

Execute `cpstop`:

    nokia[admin]# cpstop

Check for adequate disk space:

    nokia[admin]# df -k

None of the directories listed should show a capacity of higher than 80%, except for /. If they do, you may need to clear out some of these partitions first. Contact Nokia Support if you need assistance doing this.

Change Directories to $FWDIR:

    nokia[admin]# cd $FWDIR

Backup the entire conf directory, as in the following example:

    nokia[admin]# tar cvf /var/admin/conf.backup.tar conf

This will create a tarfile of the conf directory called "conf.backup.tar" and place it in the /var/admin directory. You can then ftp it off to a safe place using the most appropriate method.

Change Directories to $FWDIR/conf:

    nokia[admin]# cd $FWDIR/conf

Delete the InternalCA.* and ICA.* files from the $FWDIR/conf directory:

    nokia[admin]# rm InternalCA.*
    nokia[admin]# rm ICA.*

Edit, using vi, $FWDIR/conf/objects_5_0.C and remove the "sic_name" attribute for the primary management object:

    nokia[admin]# vi objects_5_0.C

This will bring up the editor. If you are not familiar with vi, please follow these next lines exactly:

Type /sic_name and then hit Enter. This will bring you to the "sic_name" attribute.
To move the cursor right, use the letter L. Move the cursor to directly under the first quote.
Hit the letter X. This will delete the quote. Keep hitting x until you have deleted the last quote in that line. You should be left with

    sic_name ()

Type /internal_ca and hit Enter. This will bring you to the internal_ca object. The object should look like this:

    :servers (servers
    : (internal_ca
    :AdminINfo (

If the line does not look like the above, type /internal_ca again. When you get to the correct one, the cursor will be on the line : (internal_ca.
Hit dd (d, twice). This will erase the line.
Continue hitting dd until you erase the line :type (ca), and then the second to last closed bracket. You will be left with this:

    :servers (servers
    )

If at any time a line is erased incorrectly or you are unsure if it is correct, hit Esc and then Ctrl-C to cancel out of vi, and try again.
When you are certain that you have edited everything correctly, type :wq! to save.

Run `fwm sic_reset` to reinitialize SIC:

    nokia[admin]# fwm sic_reset

There will be 4 steps that should be followed after running fwm sic_reset. These steps come up when running the command, and are further detailed in Resolution 8250. You may need to run cpstart before following Resolution 8250.

Please also verify that the IP Address of the GUI is listed in GUI Clients in cpconfig, and that the time and date of the GUI client (PC) and the Nokia appliance are the same (within reason). The Nokia appliance date and time can be confirmed by typing 'date' at the command line.

At this point, you should be able to connect with the GUI. Please refer to Resolution 8250.
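
An added example (not part of the Nokia resolution or of this thread): two POSIX sh helpers that automate the disk-space check and sanity-check the hand-edited objects_5_0.C before `fwm sic_reset` is run. The function names are hypothetical, the checks assume the file layout quoted in the procedure above, and parentheses inside quoted strings are not accounted for.

```shell
#!/bin/sh
# Added example: sanity checks around the forced SIC reset procedure.
# Function names are hypothetical; they are not Check Point or Nokia tools.

# Read `df -k` output on stdin; print mount points above 80% capacity, except "/".
# Assumes the capacity column is second to last and the mount point is last.
over_capacity() {
    awk 'NR > 1 {
        cap = $(NF - 1); sub(/%/, "", cap)
        if ($NF != "/" && cap + 0 > 80) print $NF
    }'
}

# Check a hand-edited objects_5_0.C ($1) before running fwm sic_reset.
# Prints one line per problem and returns non-zero if any is found.
check_objects_edit() {
    awk '
    {
        line = $0
        opens  += gsub(/[(]/, "(", line)     # count "(" on this line
        closes += gsub(/[)]/, ")", line)     # count ")" on this line
        if ($0 ~ /sic_name[ \t]*[(][)]/) empty_sic++
        if (after_servers) {                 # line following ":servers (servers"
            if ($0 !~ /^[ \t]*[)][ \t]*$/) servers_left = 1
            after_servers = 0
        }
        if ($0 ~ /:servers[ \t]*[(]servers[ \t]*$/) after_servers = 1
    }
    END {
        if (opens != closes) {
            print "unbalanced parentheses: " opens " opened, " closes " closed"
            bad = 1
        }
        if (!empty_sic)   { print "no empty sic_name () entry found"; bad = 1 }
        if (servers_left) { print ":servers block still has content"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Usage on the management server (paths as in the procedure above):
#   df -k | over_capacity        # expect no output
#   check_objects_edit "$FWDIR/conf/objects_5_0.C" && echo "edit looks consistent"
```

If `check_objects_edit` reports a problem, restore objects_5_0.C from the conf.backup.tar taken earlier and repeat the edit rather than continuing to `fwm sic_reset`.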
