Managing SIC Trust on SmartLSM Security Gateways

You can view and edit the status of the Secure Internal Communication Trust between the Security Management Server or Domain Management Server and the SmartLSM Security Gateway. Trust is established after a certificate is issued by the management server and delivered to the SmartLSM Security Gateway.

Terms used on this page:
- Security Management Server: Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.
- Management Server: Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.
- Security Gateway: Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
- SIC (Secure Internal Communication): The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.
To check the SIC Trust of a SmartLSM Security Gateway:
- Double-click a SmartLSM Security Gateway.
- In the General tab, find the Secure Internal Communication > DN field. This is the SmartLSM Security Gateway's Distinguished Name (SIC name). Syntax: CN=gw-name, O=Management-domain-name. If it is empty, change the SIC certificate state.
- Click Communication.
- Check the value of the Certificate state field. This field shows the status of the SIC trust between this SmartLSM Security Gateway and the Security Management Server or Domain Management Server.
  - Initialized - Indicates that the SmartLSM Security Gateway has a valid SIC certificate (it is possible that the Security Gateway is not connected).
  - Uninitialized - Indicates that the SmartLSM Security Gateway does not have a valid SIC certificate (because it was never initialized, or its certificate was revoked).

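An added Python example (not Check Point's own code) that validates the SIC DN syntax shown above, checks that the O= component is the expected management domain, and maps the Certificate state plus the IP-address condition to the procedure that applies. The sample DN and domain name are constructed placeholders.

```python
import re

# Constructed sample; "gw-branch-01" and "corp-mgmt.example" are placeholders
# standing in for gw-name and Management-domain-name.
SAMPLE_DN = "CN=gw-branch-01, O=corp-mgmt.example"

# SIC name syntax from the page: CN=gw-name, O=Management-domain-name
_DN_RE = re.compile(r"^CN=(?P<cn>[^,]+?)\s*,\s*O=(?P<o>[^,]+?)$")


def parse_sic_dn(dn: str) -> dict:
    """Split a SIC DN into its CN and O components.

    An empty DN field returns {} (the page says the SIC certificate state
    must then be changed); any other shape is rejected rather than guessed.
    """
    dn = (dn or "").strip()
    if not dn:
        return {}
    m = _DN_RE.match(dn)
    if not m:
        raise ValueError(f"unexpected SIC DN syntax: {dn!r}")
    return {"cn": m.group("cn").strip(), "o": m.group("o").strip()}


def dn_belongs_to_domain(dn: str, expected_domain: str) -> bool:
    """True if the gateway's SIC name was issued under the expected management
    domain (O= component). Comparison is case-insensitive."""
    parsed = parse_sic_dn(dn)
    return bool(parsed) and parsed["o"].lower() == expected_domain.lower()


def next_sic_step(cert_state: str, has_ip: bool) -> str:
    """Map the Communication window's Certificate state to the page's procedures.

    Returns one of:
      "ok"         - Initialized: valid certificate (gateway may still be disconnected)
      "initialize" - Uninitialized with an IP address: Generate/Initialize in the window
      "cpconfig"   - Uninitialized without an IP address: pull the certificate via cpconfig
    """
    state = cert_state.strip().lower()
    if state == "initialized":
        return "ok"
    if state == "uninitialized":
        return "initialize" if has_ip else "cpconfig"
    raise ValueError(f"unknown certificate state: {cert_state!r}")
```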
If the Certificate state is set to Uninitialized, and an IP address is entered for the SmartLSM Security Gateway, you can initialize the SIC trust now. Perform this procedure if the Generate button is available.
To initialize a SIC trust:
- Click Generate to generate a one-time password, or provide a one-time password.
- Click Initialize. A new SIC certificate is created for this SmartLSM Security Gateway, and its certificate state becomes Initialized.

If no IP address is entered, you must pull the SIC certificate from the Security Management Server or Domain Management Server with the Check Point Configuration tool (cpconfig).
To initialize a SIC trust if the Security Management Server or Domain Management Server cannot find the gateway:
- Open cpconfig > Secure Internal Communication (SIC) on the Security Management Server or Domain Management Server and on the SmartLSM Security Gateway.
- Copy the SIC password.
- On the gateway, provide the password of the Security Management Server or Domain Management Server.
- Restart Check Point services on the gateway.

You may want to reset an established SIC Trust if you replaced the gateway host machine, or if you lost the Activation Key.
From the time that you reset SIC until trust is re-established, the internal communications between the Check Point applications, the management server, and the managed devices are down. This procedure revokes the current certificate and provides a new one. Therefore, it is recommended that you continue only if you are sure that SIC must be reset. After you complete this procedure, quickly re-initialize SIC trust.
To reset a SIC trust:
- In the Communication window, click Reset.
  A message asks for confirmation: Are you sure you want to reset SIC?
  If you reset the SIC certificate now (revoke current license and get a new one), internal communications between Check Point applications, Security Management Server/Domain Management Server, and managed devices can be adversely affected. Continue only if you are sure this must be done.
- If you are ready to reset SIC now, click Yes.
- On the SmartLSM Security Gateway, open the Check Point Configuration tool > Secure Internal Communication tab, and click Reset.
- Reboot the SmartLSM Security Gateway.