Re-establishing SIC Trust with Virtual Devices

In the event you encounter connectivity problems due to the loss of SIC (Secure Internal Communication) Trust for a specific Virtual Device (Virtual System or Virtual Router), you can use the procedure below to manually re-establish the SIC trust.

To manually re-establish SIC Trust with a Virtual Device (except VS0):

Follow the instructions in sk34098.

  1. On the VSX Gateway or each VSX Cluster Member:

    1. Connect to the command line on the VSX Gateway or on each VSX Cluster Member.

    2. Log in to the Expert mode.

    3. Examine the VSX configuration to determine the ID of the Virtual Device:

      vsx stat -v

    4. Go to the context of the Virtual Device:

      vsenv <ID>

    5. Reset the SIC with the specified Virtual Device:

      vsx sicreset <ID>

  2. On the Management Server:

    1. Connect to the command line on the Management Server.

    2. Log in to the Expert mode.

    3. On a Multi-Domain Server (MDS), change the context to the applicable Target Domain Management Server used to manage the Virtual Device:

      mdsenv <IP Address or Name of Domain Management Server>

    4. Determine the SIC name of the Virtual Device:

      cpca_client lscert -stat valid -kind SIC | grep -i -A 2 <Name of Virtual Device Object>

    5. Revoke the SIC certificate of the Virtual Device:

      cpca_client revoke_cert -n <CN=...,O=...,>

  3. Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.

  4. From the Gateways & Servers view or Object Explorer, double-click the Virtual Device object.

  5. Click OK (without changing anything).

    This action creates a new SIC certificate for the Virtual Device and saves it on the VSX Gateway or each VSX Cluster Member.
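The two lookups in steps 1.3 and 2.4 above are where this procedure is most easily done wrong: a wrong ID resets SIC on the wrong Virtual Device, and a wrong DN revokes the wrong certificate. The shell script below is an added example, not Check Point's code and not part of this article. It parses constructed sample output of vsx stat -v and cpca_client lscert to find the Virtual Device ID and the SIC certificate DN, lists any Virtual Device whose SIC status is not Trust, and prints the commands of the procedure as a dry run instead of executing them. The output layouts, object names and management name in the samples are assumptions; compare them against a real system before adapting the patterns.

```shell
#!/bin/sh
# Added example: dry-run helpers for the manual SIC re-establishment steps.
# Both sample outputs below are CONSTRUCTED for this example. The exact layout
# of "vsx stat -v" and "cpca_client lscert" output is an assumption and may
# differ on a real system, so verify the patterns before relying on them.

# Constructed sample of the "Virtual Devices Status" table printed by
# "vsx stat -v" (assumed layout).
SAMPLE_VSX_STAT='
Virtual Devices Status
======================

ID  | Type & Name                    | Security Policy      | SIC Stat
----+--------------------------------+----------------------+---------
  0 | S vsx_gw                       | Standard             | Trust
  1 | S vs_finance                   | vs_finance_policy    | Trust
  2 | S vs_web                       | vs_web_policy        | Init
  3 | R vr_core                      | <Not Applicable>     | Trust
'

# Constructed sample of "cpca_client lscert -stat valid -kind SIC" output
# (assumed layout: a "Subject = CN=...,O=..." line followed by status lines).
SAMPLE_LSCERT='
Subject = CN=vsx_gw,O=mgmt.example.lab.k7xq2a
Status = Valid   Kind = SIC   Serial = 10001   DP = 0
Not_Before: Mon Jan  1 10:00:00 2024   Not_After: Sat Dec 31 10:00:00 2028

Subject = CN=vs_web,O=mgmt.example.lab.k7xq2a
Status = Valid   Kind = SIC   Serial = 10002   DP = 0
Not_Before: Mon Jan  1 10:05:00 2024   Not_After: Sat Dec 31 10:05:00 2028
'

# Step 1.3: print the ID of the Virtual Device whose name matches $1 exactly.
# Usage: vs_id_by_name <name> [stat_output]  (defaults to the sample above)
vs_id_by_name() {
    name=$1
    printf '%s\n' "${2:-$SAMPLE_VSX_STAT}" \
        | awk -F'|' -v n="$name" '
            NF >= 4 && $1 ~ /^[ ]*[0-9]+[ ]*$/ {
                split($2, f, " ");            # f[1] = type letter, f[2] = name
                if (f[2] == n) { gsub(/ /, "", $1); print $1; exit }
            }'
}

# List Virtual Devices whose SIC status is anything but "Trust", one per line
# as "<ID> <name> <status>"; these are the ones to check first.
untrusted_virtual_devices() {
    printf '%s\n' "${1:-$SAMPLE_VSX_STAT}" \
        | awk -F'|' '
            NF >= 4 && $1 ~ /^[ ]*[0-9]+[ ]*$/ {
                split($2, f, " "); gsub(/ /, "", $1); gsub(/ /, "", $4);
                if ($4 != "Trust") print $1, f[2], $4
            }'
}

# Step 2.4: print the full DN (CN=...,O=...) of the valid SIC certificate for
# the object named $1; this is the value "cpca_client revoke_cert -n" expects.
sic_dn_for_object() {
    name=$1
    printf '%s\n' "${2:-$SAMPLE_LSCERT}" \
        | awk -v n="$name" '
            BEGIN { want = "CN=" n }
            /^Subject = / {
                dn = substr($0, 11);          # drop the "Subject = " prefix
                split(dn, p, ",");            # p[1] is "CN=<name>"
                if (p[1] == want) { print dn; exit }
            }'
}

# Dry run of the whole procedure for one Virtual Device: prints the commands
# that would be run on each side instead of executing them.
sic_reset_plan() {
    name=$1
    id=$(vs_id_by_name "$name")
    [ -n "$id" ] || { echo "no Virtual Device named $name" >&2; return 1; }
    dn=$(sic_dn_for_object "$name")
    [ -n "$dn" ] || { echo "no valid SIC certificate for $name" >&2; return 1; }
    cat <<EOF
# on the VSX Gateway / each VSX Cluster Member (Expert mode):
vsenv $id
vsx sicreset $id
# on the Management Server (Expert mode, after mdsenv on a Multi-Domain Server):
cpca_client revoke_cert -n "$dn"
# then open the object in SmartConsole and click OK to issue a new certificate
EOF
}
```

Running sic_reset_plan vs_web against the samples prints the vsenv, vsx sicreset and cpca_client revoke_cert lines for ID 2 and the vs_web DN; vs_finance has no valid SIC certificate in the sample, so the plan stops with an error instead of guessing a DN.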

Resetting SIC in Security Groups

Resetting SIC on a VSX Gateway (VS0)

Workflow to reset SIC on a VSX Gateway (VS0):

  1. Initialize SIC on the Security Group.

  2. Initialize SIC in SmartConsole in the Security Group object.

  3. Make sure that Trust is established on the Security Group.

To initialize SIC on the Security Group:

  1. Use a serial console to connect to the Security Group.

  2. Log in to the Expert mode.

  3. Run:

    asg stat -i tasks

    This tells you which Security Group Member is the SMO.

  4. Run:

    g_all cp_conf sic init <activation_key>

    Note - SIC Reset takes 3 to 5 minutes.

Important - Do the next steps immediately.

To initialize SIC in SmartConsole:

  1. In the Security Group object, click General Properties > Communication.

  2. Click Reset.

  3. Enter the same activation key you used when you initialized SIC on the Security Group.

  4. Click Initialize.

    Make sure that Trust is established.

  5. Click OK.

  6. Install the policy on the Security Group object.

To make sure that Trust is established on the Gateway:

Run:

g_all cp_conf sic state

Example of the expected output:

-*- 6 blades: 1_01 1_02 1_03 2_01 2_02 2_03 -*-

Trust State: Trust established

Resetting SIC for Non-VS0 Virtual Systems

To reset SIC on Virtual Systems that are not VS0:

  1. Log in to the SMO over SSH.

  2. Log in to the Expert mode.

  3. Go to the applicable context ID:

    vsenv <VS ID>

  4. Initialize SIC:

    g_all cp_conf sic init <activation_key>

  5. Revoke the Virtual System's certificate defined in the Management Server.

    For the detailed procedure, see Part II of sk34098.

  6. In SmartConsole, open the Virtual System object and click OK without changing anything.

    This pushes the VSX configuration and re-establishes SIC trust with the SMO.

  7. Install a policy on the Virtual System object.

Troubleshooting SIC Reset in Security Groups

Resetting SIC takes 3-5 minutes.

If the SIC reset was interrupted (for example, by loss of network connectivity), run the g_all cp_conf sic state command to get the SIC state, then follow these steps:

SIC state: Trust established
Do this: Repeat the SIC reset procedure.

SIC state: Initialized, but Trust was not established
Do this:

  1. Reboot all Security Group Members.

  2. In SmartConsole, open the Security Group object.

  3. Go to the General Properties page > Communication.

  4. Initialize SIC.

  5. Install the policy.

SIC Cleanup

To resolve other SIC issues, do a SIC cleanup in the Expert mode:

asg_blade_config reset_sic -reboot_all <activation_key>
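As an added example, not part of this article and not one of Check Point's tools, the shell script below reads g_all cp_conf sic state output, which groups Security Group Members that printed identical output as in the sample under "To make sure that Trust is established on the Gateway", and maps each group's Trust State to the action in the troubleshooting table above, falling through to the SIC cleanup for any other state. It also lists the members that are not trusted, so a partially failed reset is visible instead of hidden behind a healthy first group. The sample output is constructed, and the "Initialized but trust not established" wording is an assumption about what cp_conf prints for that state.

```shell
#!/bin/sh
# Added example: map "g_all cp_conf sic state" output to the troubleshooting
# table. The "-*- N blades: ... -*-" grouping follows the page's sample output;
# every Trust State string other than "Trust established" is ASSUMED.

# Constructed sample: two groups of members with different results.
SAMPLE_SIC_STATE='
-*- 4 blades: 1_01 1_02 1_03 2_01 -*-

Trust State: Trust established

-*- 2 blades: 2_02 2_03 -*-

Trust State: Initialized but trust not established
'

# Print one line per group: "<blade list>|<trust state>".
# Usage: sic_state_groups [state_output]  (defaults to the sample above)
sic_state_groups() {
    printf '%s\n' "${1:-$SAMPLE_SIC_STATE}" \
        | awk '
            /^-\*- [0-9]+ blades?: / {
                sub(/^-\*- [0-9]+ blades?: /, ""); sub(/ -\*-[ ]*$/, "");
                blades = $0; next
            }
            /^Trust State: / { print blades "|" substr($0, 14) }'
}

# Action from the troubleshooting table for one Trust State string:
#   repeat  - Trust established: repeat the SIC reset procedure
#   reinit  - Initialized, no trust: reboot all members, re-initialize SIC in
#             SmartConsole, install the policy
#   cleanup - anything else: asg_blade_config reset_sic -reboot_all <key>
sic_action() {
    case $1 in
        "Trust established") echo repeat ;;
        Initialized*)        echo reinit ;;
        *)                   echo cleanup ;;
    esac
}

# Most severe action across all groups (cleanup > reinit > repeat): a Security
# Group is only healthy when every member reports the same trusted state.
security_group_action() {
    worst=repeat
    while IFS='|' read -r blades state; do
        [ -n "$state" ] || continue
        case $(sic_action "$state") in
            cleanup) worst=cleanup ;;
            reinit)  [ "$worst" = cleanup ] || worst=reinit ;;
        esac
    done <<EOF
$(sic_state_groups "${1:-$SAMPLE_SIC_STATE}")
EOF
    echo "$worst"
}

# Blade lists of every group that did not reach "Trust established".
untrusted_members() {
    sic_state_groups "${1:-$SAMPLE_SIC_STATE}" \
        | awk -F'|' '$2 != "Trust established" { print $1 }'
}
```

With the constructed sample, untrusted_members prints "2_02 2_03" and security_group_action returns reinit; with the page's all-trusted sample output it returns repeat, which is the table's answer for an interrupted reset that nonetheless reports Trust established.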