Re-establishing SIC Trust with Virtual Devices
In the event you encounter connectivity problems due to the loss of SIC (Secure Internal Communication) Trust for a specific Virtual Device (Virtual System or Virtual Router), you can use the procedure below to manually re-establish the SIC trust. SIC is the Check Point mechanism with which Check Point computers authenticate each other over SSL, based on certificates issued by the ICA on a Check Point Management Server.
To manually re-establish SIC Trust with a Virtual Device:
- Follow the instructions in sk34098:
  - On the VSX Gateway or each VSX Cluster Member:
    - Connect to the command line of the VSX Gateway or each VSX Cluster Member.
    - Log in to the Expert mode.
    - Examine the VSX configuration to determine the ID of the Virtual Device:
      vsx stat -v
    - Reset the SIC with the specified Virtual Device:
      vsx sic reset <ID>
  - On the Management Server:
    - Connect to the command line of the Management Server.
    - Log in to the Expert mode.
    - On the Multi-Domain Server (MDS), change the context to the applicable Target Domain Management Server used to manage the Virtual Device:
      mdsenv <IP Address or Name of Domain Management Server>
    - Determine the SIC name of the Virtual Device:
      cpca_client lscert -stat valid -kind SIC | grep -i -A 2 <Name of Virtual Device Object>
    - Revoke the SIC certificate of the Virtual Device:
      cpca_client revoke_cert -n <CN=...,O=...,>
- Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.
  - From the Gateways & Servers view or Object Explorer, double-click the Virtual Device object.
  - Click OK.
  This action creates a new SIC certificate for the Virtual Device and saves it on the VSX Gateway or each VSX Cluster Member.
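The management-side lookup above takes the Subject DN from a `grep -i -A 2` over the `cpca_client lscert` output, which is a substring match and can list several certificates when object names overlap. As an added example that is not Check Point's own code, this script parses the same output into exact Subject DNs and refuses to revoke unless exactly one valid SIC certificate matches; the sample output, object names, O= value and serials are constructed.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling: parse `cpca_client lscert` output to find
# the exact Subject DN of a Virtual Device's SIC certificate before revoking it.
set -eu

# Constructed sample of `cpca_client lscert -stat valid -kind SIC` output, modelled on the
# real three-lines-per-certificate layout; object names, O= value and serials are made up.
SAMPLE_LSCERT='Subject = CN=vs1_prod,O=mgmt-srv..a1b2c3
Status = Valid   Kind = SIC   Serial = 1001   DP = 0
Not_Before: Mon Jan  8 10:00:00 2024  Not_After: Sat Jan  7 10:00:00 2029
Subject = CN=vs1,O=mgmt-srv..a1b2c3
Status = Valid   Kind = SIC   Serial = 1002   DP = 0
Not_Before: Mon Jan  8 10:05:00 2024  Not_After: Sat Jan  7 10:05:00 2029
Subject = CN=vr2,O=mgmt-srv..a1b2c3
Status = Valid   Kind = SIC   Serial = 1003   DP = 0
Not_Before: Mon Jan  8 10:10:00 2024  Not_After: Sat Jan  7 10:10:00 2029'

# Print the Subject DN of every valid SIC certificate whose CN matches the object name.
# mode=exact: CN must equal the name (case-insensitive). mode=substring: CN contains it,
# which is what the guide's `grep -i` does; note it finds both vs1 and vs1_prod for "vs1".
sic_subjects() {
    local name="$1" mode="$2" lscert="$3"
    printf '%s\n' "$lscert" | awk -v cn="$name" -v mode="$mode" '
        BEGIN { cn = tolower(cn) }
        /^Subject = / {
            subj = substr($0, 11); split(subj, p, ","); c = tolower(substr(p[1], 4))
            hit = (mode == "exact") ? (c == cn) : (index(c, cn) > 0); next
        }
        hit && /^Status = Valid/ && /Kind = SIC/ { print subj; hit = 0 }'
}

# Revoke on the Management Server only when exactly one valid SIC certificate matches.
# On a Multi-Domain Server run `mdsenv <Domain Management Server>` first, as in the guide.
revoke_sic_cert() {
    local name="$1" lscert subjects
    lscert=$(cpca_client lscert -stat valid -kind SIC)
    subjects=$(sic_subjects "$name" exact "$lscert")
    if [ "$(printf '%s\n' "$subjects" | awk 'NF { n++ } END { print n + 0 }')" -ne 1 ]; then
        echo "refusing to revoke: not exactly one valid SIC certificate for CN=$name" >&2
        return 1
    fi
    cpca_client revoke_cert -n "$subjects"
}

# Dry run against the constructed sample: shows the command the guide has you type by hand.
echo "Candidates for 'vs1' found the way grep -i would:"
sic_subjects vs1 substring "$SAMPLE_LSCERT"
printf 'cpca_client revoke_cert -n "%s"\n' "$(sic_subjects vs1 exact "$SAMPLE_LSCERT")"
```

Run it on the Management Server (after `mdsenv` on an MDS) and call `revoke_sic_cert <Virtual Device object name>` to perform the revoke step itself.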
Resetting SIC in Scalable Platforms
Background
Resetting SIC on a VSX Gateway (VS0)
Workflow to reset SIC on a VSX Gateway (VS0):
- Initialize SIC on the Scalable Platform.
- Initialize SIC in SmartConsole in the Scalable Platform object.
- Make sure that Trust is established on the Scalable Platform.
To initialize SIC on the Scalable Platform:
- Use a serial console to connect to the Scalable Platform.
- Log in to the Expert mode.
- Run:
  asg stat -i tasks
  This tells you which SGM is the SMO (see "SMO").
- Run:
  g_cpconfig sic init <activation_key>
  Note - SIC Reset takes 3 to 5 minutes.
  Important - Do the next steps immediately.
To initialize SIC in SmartConsole:
- In the Scalable Platform object, click General Properties > Communication.
- Click Reset.
- Enter the same activation key you used when you initialized SIC on the Scalable Platform.
- Click Initialize.
  Make sure that Trust is established.
- Click OK.
- Install the policy on the Scalable Platform object.
- At the serial console connection to the Scalable Platform, press c to complete the procedure.
  Note - At this stage, all SGMs except for the SMO reboot.
To make sure that Trust is established on the Gateway:
Run:
Example of the expected output:
Resetting SIC for Non-VS0 Virtual Systems
To reset SIC on Virtual Systems that are not VS0:
- Log in to the SMO over SSH.
- Log in to the Expert mode.
- Go to the applicable context ID:
  vsenv <VS ID>
- Initialize SIC:
  g_cpconfig sic init <activation_key>
- Revoke the Virtual System's certificate defined in the Management Server.
  For the detailed procedure, see Part II of sk34098.
- In SmartConsole, open the Virtual System object and click OK without changing anything.
  This pushes the VSX configuration and re-establishes SIC trust with the SMO.
- Install a policy on the Virtual System object.
Troubleshooting SIC Reset in Scalable Platforms
Resetting SIC takes 3-5 minutes. If the SIC reset was interrupted (for example, by loss of network connectivity), run the g_cpconfig sic state command to get the SIC state and follow these steps:
SIC state | Do this
--------- | -------
          | Repeat the SIC reset procedure.
SIC Cleanup
To resolve other SIC issues, do a SIC cleanup. There are two ways to do a SIC cleanup:
Run:
OR
- Log in to the Expert mode.
- Use the ccutil command to shut down all SGMs (but not the SMO).
- Connect to the SMO using a serial console.
- In SmartConsole, open the Scalable Platform object.
- Go to the General Properties page > Communication.
- Initialize SIC.
- Install the Access Control Policy on the SMO.
- Use the ccutil command to turn on all SGMs.