Lei_Liu
Employee

Question about changing the name of the management server R80.10


Hi Guys,

Have a good day!

Our customer has already established the management server R80.10; the name of the management server is CPSMC01.

CPSMC01 includes the ICA of the management server R80.10.

But unfortunately the customer's leader wants to change the name of the management server from CPSMC01 to CheckPointSMC01.

Question:

If we change from CPSMC01 to CheckPointSMC01 and do not do fwm sic_reset, what happens to the management ICA?

Or must I do fwm sic_reset to create a new ICA?

Thanks a lot

Lei Liu

Kaspars_Zibarts
Employee

Hi, you will have to re-do the ICA as per the SK below:

Changing a Security Management (SmartCenter) Name 

Lei_Liu
Employee

I have already followed sk14532, sk92752, sk66265 and sk34373. Unfortunately, the ICA still cannot be reset successfully via fwm sic_reset.

Thanks a lot.

Kaspars_Zibarts
Employee

Did you follow through all the steps described in sk42071? If you have and it does not work, raise a TAC case with CP.

Lei_Liu
Employee

Hi Kaspars,

Thank you for your response!

Yes, I have followed sk42071. When doing fwm sic_reset, there were some errors:

[Expert@NF-307-Mgmt-202-236:0]# fwm sic_reset
***************** Warning: ****************
This operation will reset the Secure Internal Communication (SIC).
The internal Certificate Authority will be destroyed and ALL remote Check Point Components,
including VPN and Endpoint clients, will not be able to communicate.

In case of Endpoint & VPN clients, this action is not REVERSIBLE which means that clients
will lose connection with the Server and the only way to re-establish it can be done by
re-issuing all certificates (for VPN) or by the re-connect tool for Endpoint clients.

Server communication can be re-established if the following operations are implemented:
1. Re-initialize the Internal Certificate Authority (use cpconfig).
2. Restart Check Point Services (cpstart, cpridstart).
3. Reset SIC on each Station that is managed by this Security Management Server.
4. Re-establish Trust with each Station that is managed by
this Security Management Server.
*******************************************
This operation will stop all Check Point Services (cpstop)
Are you sure you want to reset? (y/n) [n] ? y

*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the
internal Certificate Authority.
Please remove them (using the SmartDashboard) so that
the internal Certificate Authority can be destroyed.

SIC Reset operation could not be completed

By the way, in fact, we did not enable the VPN software blade on any gateway with the management server.

BRs,

Lei Liu 

Kaspars_Zibarts
Employee

You should have removed all certs in step 5 of the procedure. What do you get when you run this:

grep -in cert $FWDIR/conf/objects_5_0.C | grep -A 4 ': (defaultCert'

Lei_Liu
Employee

Hi Kaspars, 

Thank you for your reply!

You are right. I established a gateway via the wizard, enabled the VPN software blade, and then removed the certificate of the gateway. After installing the database, I at once checked that objects_5_0.C included : certificate( ) (refer to sk62695). Now I can execute fwm sic_reset successfully.

Thank you very much!

BRs,

Lei Liu

vince_02
Explorer

Hi Lei_Liu,

May I know if you successfully changed the hostname after resetting and regenerating the SIC cert?

Thanks,
