cosinus93
Explorer

LOST SMS Virtual Machine

Hello gentlemen,

We've lost our SMS Virtual Machine and have no backups and no way to recover it. We have 2 Security Gateways in ClusterXL. Gateways are working fine but we are unable to change anything in policy because of the lack of SMS.

1. Is there any way to recover the policy (access rules, objects, exceptions, etc.) from the gateways and import it to the SMS?

2. If the first option is impossible, what is the safest method of reinstalling the SMS in our situation? By safest I mean anything which allows us to save as much as possible from the working configuration and has minimal impact on our production environment.

Thank you for all your answers. I hope there is a solution other than creating everything from scratch.


0 Kudos
1 Solution

Accepted Solutions
Danny
Champion

Step1: Back up your gateways now

Step2: Install ccc on your gateways to check what IP your SMS had and what the security policy's name was, VPN gateways' IP addresses, VPN topology, interface topology and much more

Step3: Set up a new SMS VM with the same IP it had before

Step4: Create a cluster object with the two cluster nodes that you have

Step5: Establish SIC to the new SMS using this procedure.

Step6: Read in the entire cluster topology

Step7: Recreate the rules using the $FWDIR/state/local/FW1/local.rule file on your gateways.

Step8: Install the new security policy

Step9: Check if everything is fine. In case it's not, restore the backup from Step1 and rework your security policy before trying again from Step5

7 Replies
_Val_
Admin

Depending on the version, the answer might be different. Best is to request Check Point Professional Services to help you out.

0 Kudos
cosinus93
Explorer

Version is 80.30.

0 Kudos
cosinus93
Explorer
Thank you so much for such a detailed solution.

I have one question about the local.rule file.
As I understand it, there is no way to recreate rules from this file other than manually (any script, etc.)?
0 Kudos
Danny
Champion

Unfortunately, such a tool hasn't been created yet. I'm planning to do this later this year and add it to ccc.

0 Kudos
_Val_
Admin

Did you, by any chance, open a support request and send a CPINFO file from your management to Check Point TAC in the past?

0 Kudos
cosinus93
Explorer

First of all, thank you for all the answers.

Unfortunately, we have never sent CPINFO to Check Point TAC.

0 Kudos