This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrey_Gl
Explorer
Explorer
‎2023-07-25 08:54 AM

Manual transfer policy from SMS to GW

Hello!

I have many gateways on my SMS, including a remote gateway that currently has no network connectivity until I set a policy on it. However, I cannot set the policy because of this issue. Can you please advise if there is a way to manually extract the policy file from the SMS and place it onto the gateway, then restart the gateway to install from local policy file?

0 Kudos
6 Replies
Tal_Paz-Fridman
Employee
Employee
‎2023-07-26 02:09 AM

The Security Gateway does have a policy installed before it is connected to the Security Management Server called "Initial Policy":

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

 

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-07-26 02:24 AM

Assuming that the GW has internet connectivity and the current policy enables no access to it, this may be resolved by issuing fw unloadlocal from GW CLI, see https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CL...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Andrey_Gl
Explorer
Explorer
‎2023-07-26 02:56 AM
In response to G_W_Albrecht

The gateway is only accessible through VPN, but VPN cannot be established because the gateway is not aware of it. A policy needs to be installed instead of removing it.

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2023-07-26 03:15 AM
In response to Andrey_Gl

There's still something not clear here. How can it be accessible through VPN when it is still not connected to the Security Management Server and part of a VPN Community? 

The first connection to it is always SIC which requires direct connectivity to the Security Gateway.

0 Kudos
the_rock
Legend
Legend
‎2023-07-26 04:53 AM
In response to Andrey_Gl

You could attempt something like below via api, but no guarantee it will work, if SIC is not even established (im just guessing here, as I dont have all the details)

Andy

 

https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v1.9%20

Examples

install-policy

v

 

Command

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway"  --format json
 • "--format json" is optional. By default the output is presented in plain text.
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-26 07:19 AM
In response to Andrey_Gl

SIC will not go through VPN by default.
The reason for this is simple: if the VPN is down, you will be unable to manage the gateway.
Which is the precise situation you have here.
You will need to get SIC working without VPN first.
Without that, this will never work.

The following thread provides some pointers on managing a gateway over a VPN with SIC:
https://community.checkpoint.com/t5/Management/Managing-a-gateway-over-VPN/m-p/13674/highlight/true#... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top