This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rafee
Participant
‎2022-08-29 10:07 AM

ICA Certificate Renewed After Expiry - Caused SIC Breakdown with all the firewalls

GAIA Version R80.40 Take 158

We renewed ICA Certificate using the script provided by Checkpoint TAC on one of the CMA's after it had got expired, which caused SIC Breakdown with all the firewalls managed by the particular CMA.

As per checkpoint SIC issue should get fixed if we reset the SIC, which we tried and it is not fixing the issue.

whenever we try to reset the SIC it is throwing error "Internal SSL authentication error [Certificate expired]"

Note:- We tried resetting SIC on one of the standby firewalls and it has lost its rule base now, It has been a month and Checkpoint has not been able to provide any solution.

Has anyone faced this issue before or any solution would be really appreciated. Thank you

!

!

I also want to know if there is a way to create a new CMA and copy all the configuration of existing CMA

!

5 Replies
PhoneBoy
Admin
Admin
‎2022-08-29 11:29 AM

The SIC errors would probably need TAC’s help to troubleshoot.
Meanwhile the normal (migrate_server) process would also duplicate the corrupt ICA.
Something like the following would not: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

0 Kudos
cem82
Contributor
‎2022-08-30 03:30 AM

We did have similar, have you confirmed the ICA cert has indeed been renewed from the script?

cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate

 

After running that we found that the CN=cp_mgmt SIC for internal_ca hadn't been renewed and had to resign the internal_ca and then replace that cert with mcc replace and revoke old one and then reset SIC to GW

cpca_client lscert -kind SIC -stat Valid

Rafee
Participant
‎2022-08-30 03:52 AM
In response to cem82

Yes we got the latest script from TAC and were able to see the date got extended as below

##cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddat
##notAfter=Jan 19 03:14:07 2038 GM

!

Command [cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"] does not show any certificate on the CMA we are having issue with , however i see "CN=cp_mgmt" certificate is present on all the other working CMA's.

!

Even the command 'cpca_client lscert'  show the certificates are not present for all the gateways , however i see duplicate certificate entries for single gateway with the status as 'Status = Revoked' and one more cert for its HA pair gateway with the status as 'Status = Pending Kind = SIC Serial = XXXXX, OTP validity = none'

!

0 Kudos
Rafee
Participant
‎2022-09-01 05:43 AM
In response to cem82

Is there any SK that covers "replace cert with mcc replace"

starmen2000
Collaborator
Collaborator
‎2023-09-09 05:09 PM
In response to Rafee

Have you solved the problem? If yes , how? We encountered similar problem and involved TAC but still no solution. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events