ICA management tool on standalone box

the_rock · ‎2023-11-29

Hey guys,

Just need to clarify if this is even officially supported. I set this up many times before on mgmt server and works fine with SSL enabled, BUT, on standalone box, I can never get it working when ssl is in, only if I disable ssl with below command

cpca_client set_mgmt_tool on -no-ssl

https://support.checkpoint.com/results/sk/sk30501

If anyone could confirm this, would be great.

Best regards,

Andy

the_rock · ‎2023-11-29

Here is quick debug I did, but this does not seem to tell me much : - )

Andy

[Expert@CP-STANDALONE-backup:0]# cpca_client -d set_mgmt_tool on -a "CN=standalone-ica,OU=users,O=CP-STANDALONE-backup..r5et7n"
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] main: Initializing debug level 3
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] resolver_gethostbyname: Performing gethostbyname for localhost
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwca_client_command: trying to connect
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwasync_get_maxbuf: maxbuf=4194304
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwasync_conn_params_ex: fd: <4>, my addr: <127.0.0.1,48923>, peer addr: <127.0.0.1,18209>
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwca_infra_clnt_handler: conn id is 4
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwasync_connbuf_realloc: reallocating 0 from 0 to 1032
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwasync_connbuf_realloc: reallocating 0 from 0 to 1032
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] FwCaCmdApi::Process: entered, state = 0
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] FwCaCmdApi::Process: entered, state = 1
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] FwCaCmdApi::Process: entered, state = 2
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] FwCaCmdApi::Process: entered, state = 3
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwca_client_end_handler: connection ended. sock=4
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] FwCaCommandData::CallCallback: result OK, calling callback
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwca_client_command_cb: called callback
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] fwca_set_mgmt_tools_cb: called callback. rc=0
Management tool is ON.
Using SSL.
The authorized administrators:
(
: ("CN=standalone-ica,OU=users,O=CP-STANDALONE-backup..r5et7n")
)
The authorized users:
()
The authorized custom users:
()
[26653 4134562176]@CP-STANDALONE-backup[29 Nov 14:32:30] T_event_mainloop_e: T_event_mainloop_iter returns 0
[Expert@CP-STANDALONE-backup:0]#

the_rock · ‎2023-11-29

I am almost positive the issue is below, as it seems ssl inspection is enabled as per cipher_util, but its NOT...I even verified via smart console object the feature is not enabled.

Andy

[Expert@CP-STANDALONE-backup:0]# cipher_util
Which blade would you like to configure?
(1) Multi Portal
(2) SSL Inspection
2
Which list would you like to edit?
(1) TLS 1.2 Ciphers
(2) TLS 1.3 Ciphers
^C
[Expert@CP-STANDALONE-backup:0]# enabled_blades
fw vpn urlf appi identityServer mon
[Expert@CP-STANDALONE-backup:0]#

Are you a member of CheckMates?

ICA management tool on standalone box