This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2021-07-15 05:48 PM

Management SIC Issue

Hello,

Having an issue establishing SIC with a new open server secondary management server deployed on VMWare.

The primary management and secondary management reside in different networks.

The primary and secondary management are assigned an internal IPs.

The secondary management has been deployed from R80.40 ISO image, FTW has been run, JHF installed matching the primary management, time zone has been configured to match primary management.

I added a new checkpoint object to the SMS, assigning NPM (secondary server) and logging & status roles. I've configured NAT on the object to add automatic address translation rules (static), translating to a unique external IP and installed on the firewalls the server sits behind, apply for security gateway control connections has been selected. 

I've reset SIC on the SMS and secondary management. 

I can ping the internal IP on the secondary management from the primary management but can't telnet to it. 

I can see the outbound traffic leaving the primary management, getting caught by an implied rule by the firewall the primary management sits behind and accepted, but there is no traffic logs from the peer firewall the secondary sits behind. I've run a tcpdump on the firewall the secondary sits behind and the traffic is not hitting that device. 

We have another secondary management configured in a similar way and SIC is working to that device. 

There is an active site-to-site IPSEC VPN between the sites. 

Regards,

Simon

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-07-16 07:01 AM

After creating the object representing the secondary SMS, you need to publish your changes and reinstall policy on any firewalls/clusters that the SIC initiation traffic needs to pass through.  This will ensure that the IP of the secondary SMS is included in the firewall implied rules allowing this type of control traffic, which is probably why you can ping the secondary SMS but not telnet to it.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Simon_Macpherso
Advisor
‎2021-07-18 05:59 PM
In response to Timothy_Hall

Hi Timothy,

Thanks for your response.

What you've stated above was already done.

There were two issues here

One was the routing hadn't been done correctly on the router at the edge of the network where the secondary management server resides, so I couldn't route to the the new external IP from the primary management. 

The second issue was the static NAT rules needed to be added.

The document below 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I notice the this document it states to NOT check 'apply for security gateway control connections' in the automatic NAT settings.  on both primary and secondary servers.

Why would this be?

The setting is enabled on our primary management and I have enabled it on the secondary. 

 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events