Andrey_Gl
Explorer

Manual transfer policy from SMS to GW

Hello!

I have many gateways on my SMS, including a remote gateway that currently has no network connectivity until I set a policy on it. However, I cannot set the policy because of this issue. Can you please advise if there is a way to manually extract the policy file from the SMS and place it onto the gateway, then restart the gateway to install from local policy file?

0 Kudos
6 Replies
Tal_Paz-Fridman
Employee

The Security Gateway does have a policy installed before it is connected to the Security Management Server called "Initial Policy":

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...


0 Kudos
G_W_Albrecht
Legend

Assuming that the GW has internet connectivity and the current policy enables no access to it, this may be resolved by issuing fw unloadlocal from GW CLI, see https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CL...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Andrey_Gl
Explorer

The gateway is only accessible through VPN, but VPN cannot be established because the gateway is not aware of it. A policy needs to be installed instead of removing it.

0 Kudos
Tal_Paz-Fridman
Employee

There's still something not clear here. How can it be accessible through VPN when it is still not connected to the Security Management Server and part of a VPN Community? 

The first connection to it is always SIC which requires direct connectivity to the Security Gateway.

0 Kudos
the_rock
Legend

You could attempt something like below via the API, but no guarantee it will work if SIC is not even established (I'm just guessing here, as I don't have all the details).

Andy


https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v1.9%20

Examples

install-policy

Command

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --format json
 • "--format json" is optional. By default the output is presented in plain text.
0 Kudos
PhoneBoy
Admin

SIC will not go through VPN by default.
The reason for this is simple: if the VPN is down, you will be unable to manage the gateway.
Which is the precise situation you have here.
You will need to get SIC working without VPN first.
Without that, this will never work.

The following thread provides some pointers on managing a gateway over a VPN with SIC:
https://community.checkpoint.com/t5/Management/Managing-a-gateway-over-VPN/m-p/13674/highlight/true#... 

0 Kudos
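Putting the_rock's mgmt_cli install-policy command together with PhoneBoy's point that SIC has to be working before any policy push can succeed, here is an added example script (not code from the thread or from Check Point) that refuses to run install-policy until the management server reports SIC with the target as established. It assumes, beyond what the page states, that the JSON output of `mgmt_cli show simple-gateway` carries the gateway's SIC state in a "sic-state" field whose value "communicating" means SIC is up; the package name "standard" and gateway name "corporate-gateway" are the placeholders from the quoted command.

```shell
#!/bin/sh
# Added example, not from the thread: gate "mgmt_cli install-policy" on the
# target gateway's SIC state, because a policy install cannot reach a gateway
# whose SIC is not established.
# Assumptions (not stated on the page): "mgmt_cli show simple-gateway" JSON
# output contains a "sic-state" field, and "communicating" means SIC is up.

PACKAGE="${PACKAGE:-standard}"           # policy package to install
TARGET="${TARGET:-corporate-gateway}"    # gateway object name on the SMS

# Extract the value of the "sic-state" field from a JSON document given as $1.
# Plain sed/tr so it works on a management server that has no jq installed.
sic_state() {
    printf '%s' "$1" | tr -d '\n' \
        | sed -n 's/.*"sic-state"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) only when the gateway's SIC state is "communicating".
sic_ok() {
    [ "$(sic_state "$1")" = "communicating" ]
}

main() {
    # "-r true" logs in as the local admin on the SMS without a password prompt.
    gw_json="$(mgmt_cli -r true show simple-gateway name "$TARGET" --format json)" || return 1

    if ! sic_ok "$gw_json"; then
        echo "SIC with $TARGET is '$(sic_state "$gw_json")', not 'communicating';" \
             "establish SIC (cpconfig / SmartConsole) before installing policy" >&2
        return 1
    fi

    # Same command the thread quotes, with the target substituted.
    mgmt_cli -r true install-policy policy-package "$PACKAGE" access true \
        threat-prevention true targets.1 "$TARGET" --format json
}

# Only talk to a real management server when mgmt_cli is actually present.
if command -v mgmt_cli >/dev/null 2>&1; then
    main
fi
```

Run it on the management server as `TARGET=<gateway-object-name> sh install-if-sic.sh`; on a box without mgmt_cli it only defines the helper functions, so the SIC check can be exercised against sample JSON. If SIC is not up, the script stops and says so rather than letting the install fail with a less specific error, which is exactly the situation in the question: the fix is to re-establish SIC over a path that does not depend on the VPN, then push policy.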
