This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cosinus93
Explorer
‎2020-03-14 04:56 AM
Jump to solution

LOST SMS Virtual Machine

Hello gentlemen,

We've lost our SMS Virtual Machine and have no backups and no way to recover it. We have 2 Security Gateways in ClusterXL. Gateways are working fine but we are unable to change anything in policy because of the lack of SMS.

1. Is there any way to recover policy (access rules, objects, exceptions etc.) from gateways and import it to SMS?

2. If first option is impossible what is the safest method of reinstalling SMS in our situation ? By safest I mean anything which allows us to save as much as possible from working configuration and  has minimal impact on our production environment?

Thank you for all your answers, I hope there is a solution other then creating everything from scratch.


0 Kudos
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion
‎2020-03-14 08:34 AM
In response to cosinus93
Jump to solution

Step1: Backup your gateways now

Step2: Install ccc on your gateways to check what IP your SMS had and what the security policy‘s name was, VPN gateways IP addresses, VPN topology, interface topology and much more

Step3: Set up a new SMS VM with the same IP it had before

Step4: Create a cluster object with the two cluster nodes that you have

Step5: Establish SIC to the new SMS using this procedure.

Step6: Read in the entire cluster topology

Step7: Recreate the rules using the $FWDIR/state/local/FW1/local.rule file on your gateways.

Step8: Install the new security policy

Step9: Check if everything is fine. In case it‘s not, restore the backup from Step1 and rework your security policy before trying again from Step5

View solution in original post

7 Replies
_Val_
Admin
Admin
‎2020-03-14 07:06 AM
Jump to solution

Depending on the version, the answer might be different. Best is to request Check Point Professional Services to help you out.

0 Kudos
cosinus93
Explorer
‎2020-03-14 07:10 AM
In response to _Val_
Jump to solution

Version is 80.30.

0 Kudos
Danny
Champion Champion
Champion
‎2020-03-14 08:34 AM
In response to cosinus93
Jump to solution

Step1: Backup your gateways now

Step2: Install ccc on your gateways to check what IP your SMS had and what the security policy‘s name was, VPN gateways IP addresses, VPN topology, interface topology and much more

Step3: Set up a new SMS VM with the same IP it had before

Step4: Create a cluster object with the two cluster nodes that you have

Step5: Establish SIC to the new SMS using this procedure.

Step6: Read in the entire cluster topology

Step7: Recreate the rules using the $FWDIR/state/local/FW1/local.rule file on your gateways.

Step8: Install the new security policy

Step9: Check if everything is fine. In case it‘s not, restore the backup from Step1 and rework your security policy before trying again from Step5

cosinus93
Explorer
‎2020-03-16 04:19 AM
In response to Danny
Jump to solution

Thank you so much for such detailed solution.

I have one question about local.rule file.
As I understand there is no way to recreate rules from this file other than manually (any script etc.)?
0 Kudos
Danny
Champion Champion
Champion
‎2020-03-16 04:58 AM
In response to cosinus93
Jump to solution

Unfortunately such tool hasn't been created yet. I'm planning to do this later this year and add it to ccc.

0 Kudos
_Val_
Admin
Admin
‎2020-03-16 12:34 AM
In response to cosinus93
Jump to solution

Did you, by any chance, opened a support request and sent CPINFO file from your management to Check Point TAC in the past?

0 Kudos
cosinus93
Explorer
‎2020-03-16 03:20 AM
In response to _Val_
Jump to solution

First of all, thank you for all the answers.

Unfortunately we have never sent CPINFO to CheckPoint TAC.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events