David_Naiko
Explorer

Issue with SIC not re-establishing after return of WAN interface state change

To all:

I am really struggling with this one and I think that I have found an issue with the smaller gateways from Check Point, but nothing has come back from Check Point as a solution as of yet.

So I have a bunch of 1570R and 1200R devices in the field. I have an internal network assigned to the LAN1 interface and have turned off all DHCP and switching settings on the SMB gateways. The WAN is part of a large layer 2 LAN.

Sample IP addresses:

1200/1570 devices:

LAN 1.1.1.1/24

WAN 10.10.10.1/23

The management server is 1.1.254.254, and the 1200R/1570R need to traverse this interface to get back to the management server.

I can initially establish SIC to the LAN IP address of the 1200/1570 device, and need to, based on the fact that the 1200/1570 is part of a secured network. That is going to be the registered address of the gateway object in the manager. So from the aspect of a first-time stand-up, I am able to connect normally and make the 1200/1570 a centrally managed gateway.

My problem is that the WAN is part of a layer 2 optical switch solution (JMUX, Ciena, etc.), so when there is a major break that ends up logically breaking the WAN, I lose SIC, since it traverses the WAN interface to get back to the manager, and I cannot get it back, or it restores itself after days of being down... I would expect SIC to re-establish once the WAN comes back, but so far I am only able to restore SIC with a manual intervention (which is not optimal).

I am not seeing any issue in the policy on the 1200/1570 devices, and the WAN connections connect to an R77.30 (yet to be upgraded) cluster of firewalls. The policy on this cluster has a rule that allows any traffic to/from the managers destined for or originating from the 1200/1570 over any port. This rule has no hits on it when I look into the logs while testing this loss of WAN from the remote ends.

Anyone have an idea of what I can look into on this? I have been struggling with this for over 3 weeks, and I would want this connection to at least recover SIC so I can manage these firewalls.

0 Kudos
4 Replies
_Val_
Admin
Admin

How are those appliances defined? As DAIP?

0 Kudos
David_Naiko
Explorer

No, everything is 100% static, since we are required by our compliance group to do so for asset definitions...

0 Kudos
_Val_
Admin
Admin

Okay, second question. Why not define it with the external IP address of your GW?

0 Kudos
David_Naiko
Explorer

I tried that last week and there is no change once the WAN comes back. I also added routes to make sure that the traffic got there as well. But basically, anything related to the IP addressing of the FW, for any reason, needed by compliance to be defined on the LAN address side because of NERC CIP assets. I completely agree that the WAN interface should be OK to use as well, but the prior design was also running SIC on the LAN interface of the remote firewalls; those remote firewalls were line cards that resided in a switch chassis, and I am wondering if that was also the reason this worked before... I will try again to make it work with the WAN interface for SIC and test with a lab box, but at the same time, why is SIC establishing on the first try when using the LAN interface?

0 Kudos