https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187703#M31425 <P>SIC will not go through VPN by default.<BR />The reason for this is simple: if the VPN is down, you will be unable to manage the gateway.<BR />Which is the precise situation you have here.<BR />You will need to get SIC working without VPN first.<BR />Without that, this will never work.</P> <P>The following thread provides some pointers on managing a gateway over a VPN with SIC:<BR /><A href="https://community.checkpoint.com/t5/Management/Managing-a-gateway-over-VPN/m-p/13674/highlight/true#M2423" target="_blank">https://community.checkpoint.com/t5/Management/Managing-a-gateway-over-VPN/m-p/13674/highlight/true#M2423</A>&nbsp;<BR /><BR /></P> Wed, 26 Jul 2023 14:19:12 GMT PhoneBoy 2023-07-26T14:19:12Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187560#M31396 <P>Hello!</P><P>I have many gateways on my SMS, including a remote gateway that currently has no network connectivity until I set a policy on it. However, I cannot set the policy because of this issue. Can you please advise if there is a way to manually extract the policy file from the SMS and place it onto the gateway, then restart the gateway to install from local policy file?</P> Tue, 25 Jul 2023 15:54:59 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187560#M31396 Andrey_Gl 2023-07-25T15:54:59Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187644#M31409 <P>The Security Gateway does have a policy installed before it is connected to the Security Management Server called "Initial Policy":</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/The-Initial-Policy.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Guide/Content/Topics-IUG/The-Initial-Policy.htm</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 26 Jul 2023 09:09:39 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187644#M31409 Tal_Paz-Fridman 2023-07-26T09:09:39Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187645#M31410 <P>Assuming that the GW has internet connectivity and the current policy enables no access to it, this may be resolved by issuing fw unloadlocal from GW CLI, see <A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-unloadlocal.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-unloadlocal.htm</A></P> Wed, 26 Jul 2023 09:24:20 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187645#M31410 G_W_Albrecht 2023-07-26T09:24:20Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187651#M31411 <P>The gateway is only accessible through VPN, but VPN cannot be established because the gateway is not aware of it. A policy needs to be installed instead of removing it.</P> Wed, 26 Jul 2023 09:56:43 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187651#M31411 Andrey_Gl 2023-07-26T09:56:43Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187655#M31413 <P>There's still something not clear here. How can it be accessible through VPN when it is still not connected to the Security Management Server and part of a VPN Community?&nbsp;</P> <P>The first connection to it is always SIC which requires direct connectivity to the Security Gateway.</P> Wed, 26 Jul 2023 10:15:17 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187655#M31413 Tal_Paz-Fridman 2023-07-26T10:15:17Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187659#M31414 <P>You could attempt something like below via api, but no guarantee it will work, if SIC is not even established (im just guessing here, as I dont have all the details)</P> <P>Andy</P> <P>&nbsp;</P> <P><A href="https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v1.9%20" target="_blank">https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v1.9%20</A></P> <H3 class="examples">Examples</H3> <DIV class="examples-container"> <DIV> <H4>install-policy</H4> <A class="btn-toggle-collapse-next ar_open" target="_blank">v</A> <DIV class="collapse in"> <P>&nbsp;</P> <P class="example-sec-title">Command</P> <PRE class="code">mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --format json • "--format json" is optional. By default the output is presented in plain text.</PRE> </DIV> </DIV> </DIV> Wed, 26 Jul 2023 11:53:09 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187659#M31414 the_rock 2023-07-26T11:53:09Z https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187703#M31425 <P>SIC will not go through VPN by default.<BR />The reason for this is simple: if the VPN is down, you will be unable to manage the gateway.<BR />Which is the precise situation you have here.<BR />You will need to get SIC working without VPN first.<BR />Without that, this will never work.</P> <P>The following thread provides some pointers on managing a gateway over a VPN with SIC:<BR /><A href="https://community.checkpoint.com/t5/Management/Managing-a-gateway-over-VPN/m-p/13674/highlight/true#M2423" target="_blank">https://community.checkpoint.com/t5/Management/Managing-a-gateway-over-VPN/m-p/13674/highlight/true#M2423</A>&nbsp;<BR /><BR /></P> Wed, 26 Jul 2023 14:19:12 GMT https://community.checkpoint.com/t5/General-Topics/Manual-transfer-policy-from-SMS-to-GW/m-p/187703#M31425 PhoneBoy 2023-07-26T14:19:12Z