Akram_wasim
Explorer

Problem establishing SIC between Management and Branch office firewall

Hi All,

Currently I am building my home lab for CCSA R76.

When I try to add or link the Management and Branch firewall, SIC is not establishing.

Note: HQ FW and Management SIC is established and working fine, no problem with that. Please help. #CCSA R76

Can someone help me to resolve my problem?

@cbtnuggets R76

Below is the topology:

CBT.jpeg

26 Replies
Norbert_Bohusch
Advisor

I assume routes are ok.

I think you have not pushed policy to HQ-FW1 after creating the object of Branch-FW2 with the correct IP.
This is necessary for HQ-FW1 to create relevant implied rules to allow Mgmt/GW-communication!
Akram_wasim
Explorer

Hi Norbert,

Thanks for the reply.
I have one management server; for the first gateway (HQ FW) SIC is established.
In the rule base I have a rule with source Any, destination Any, action Accept, which means from management to FW-2 SIC should form, but in my case SIC is not established. Please help.
Norbert_Bohusch
Advisor

Routes are ok?

Can you reach gw2 from mgmt using SSH for example?

What are you seeing in the log?

Have you tried capturing packets on gw1 using tcpdump/fw monitor?

Akram_wasim
Explorer

From Management I added a route to 10.1.1.111.

On GW1 I added a route to 192.168.1.1 outside, so I thought from management we would be able to reach GW2.

Do I need to add routes from GW2 to Management? Is it necessary? Please reply.
Akram_wasim
Explorer

I haven't verified the logs yet, but

from Management to GW2, when I ping 192.168.1.111 it is unreachable.

So does that mean there is a problem with routes? Correct me if I am wrong.
Vladimir
Champion

Because this is a lab and you are trying to determine if your routing is OK, do the following:

In your SmartConsole go to Global Policy Properties and enable ICMP as well as "Log Implied Rules".

SSH into your branch gateway (or open an emulated console) and perform "fw unloadlocal".

Its default policy will be blocking ICMP.


Then verify that your routing is working and that you are getting ICMP responses where expected.

Configure Static NAT for the Management Server object to translate its internal IP into one of the available IPs in 192.168. network.


Cheers,

Vladimir

Akram_wasim
Explorer


Vladimir,

Still facing the same issue, unable to form SIC between Management and B-FW.

Unable to ping Management.

Help..

unable to ping Management.PNG
BFW routes.PNG


SIC issue.PNG

Thanks
Norbert_Bohusch
Advisor

You have no route on your gateway! As management is not in a directly attached network, you need to add correct routing!

Vladimir
Champion

@Akram_wasim , your management server's IP is not in your FW2 routing table.

If you want to ping it, provided the static NAT is assigned to the Management server's object, you should be able to ping the IP you are NATing it to, i.e. one in the 192.168.1.*/24 range.

Otherwise, provided you have ICMP enabled in Global properties, you should add a route to 10.1.1.25/255.255.255.255 to your BQFW or specify the route to the entire 10.1.1.0/24 network with the next hop being the external IP of your primary gateway.


Akram_wasim
Explorer

Can you help me with how to add a route in B-FW? Seriously, I can't do it. Please help.
Vladimir
Champion

If you are using WebUI, it is self-explanatory.

If you are trying to do this via Clish:

On your Management server (where SMS is the hostname of your management server):

SMS> set static-route default nexthop gateway address 10.1.1.111 on
SMS> save config

On your HQ-FW1:

HQ-FW1> set static-route 10.2.2.0/24 nexthop gateway address 192.168.1.222 on
HQ-FW1> set static-route 172.16.2.0/24 nexthop gateway address 192.168.1.222 on
HQ-FW1> save config

On your Branch-FW2:

BQFW> set static-route 10.1.1.0/24 nexthop gateway address 192.168.1.111 on
BQFW> set static-route 172.16.1.0/24 nexthop gateway address 192.168.1.111 on
BQFW> save config

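The routes Vladimir lists above work only because every box ends up with a route in both directions: the management server needs a path to the branch gateway's external IP, and the branch gateway needs a path back to the management server's 10.1.1.0/24 network, otherwise the SIC TCP handshake (and any other control connection) has a forward path but no return path. As an added illustration, not code from the thread or from Check Point, the following Python model implements longest-prefix route lookup over the three routing tables and traces the SIC path SMS -> Branch-FW2 and back, once with the Branch-FW2 return routes missing and once with them present. The addresses 10.1.1.25, 10.1.1.111, 192.168.1.111 and 192.168.1.222 come from the posts; the LAN-side interface addresses 172.16.1.1, 10.2.2.1 and 172.16.2.1 are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass, field


# Device model: ip_interface objects give the connected networks,
# static routes are (destination network, next-hop address) pairs.
@dataclass
class Device:
    name: str
    interfaces: list                 # ipaddress.IPv4Interface objects
    static_routes: list = field(default_factory=list)

    def addresses(self):
        return {i.ip for i in self.interfaces}

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns (network, nexthop); nexthop None means directly connected."""
        candidates = [(i.network, None) for i in self.interfaces if dst in i.network]
        candidates += [(net, nh) for net, nh in self.static_routes if dst in net]
        return max(candidates, key=lambda c: c[0].prefixlen) if candidates else None


def build_lab(branch_has_return_route):
    """The three-box lab from the thread. 10.1.1.25 (SMS), 10.1.1.111 and
    192.168.1.111 (HQ-FW1) and 192.168.1.222 (Branch-FW2) are taken from the
    posts; 172.16.1.1, 10.2.2.1 and 172.16.2.1 are ASSUMED LAN-side addresses."""
    net, ip, ifc = ipaddress.ip_network, ipaddress.ip_address, ipaddress.ip_interface
    sms = Device("SMS", [ifc("10.1.1.25/24")],
                 [(net("0.0.0.0/0"), ip("10.1.1.111"))])           # default via HQ-FW1
    hq = Device("HQ-FW1",
                [ifc("10.1.1.111/24"), ifc("192.168.1.111/24"), ifc("172.16.1.1/24")],
                [(net("10.2.2.0/24"), ip("192.168.1.222")),
                 (net("172.16.2.0/24"), ip("192.168.1.222"))])
    branch = Device("Branch-FW2",
                    [ifc("192.168.1.222/24"), ifc("10.2.2.1/24"), ifc("172.16.2.1/24")])
    if branch_has_return_route:                                    # Vladimir's BQFW routes
        branch.static_routes += [(net("10.1.1.0/24"), ip("192.168.1.111")),
                                 (net("172.16.1.0/24"), ip("192.168.1.111"))]
    return {d.name: d for d in (sms, hq, branch)}


def trace(lab, src_name, dst):
    """Follow a packet from src_name towards dst hop by hop, using each box's
    own routing table. Returns the list of device names traversed, or None
    when a hop has no route (or the next hop is not a lab device)."""
    dst = ipaddress.ip_address(dst)
    owner = {a: d for d in lab.values() for a in d.addresses()}
    path, current = [src_name], lab[src_name]
    for _ in range(len(lab) + 1):            # bounded: a longer walk means a routing loop
        if dst in current.addresses():
            return path
        route = current.lookup(dst)
        if route is None:
            return None                      # "no route to host" at this hop
        _, nexthop = route
        nxt = owner.get(nexthop if nexthop is not None else dst)
        if nxt is None:
            return None
        path.append(nxt.name)
        current = nxt
    return None


def sic_path_ok(lab, mgmt_ip="10.1.1.25", gw_ip="192.168.1.222"):
    """SIC (like any TCP control connection) needs BOTH directions to route:
    SMS -> gateway for the SYN and gateway -> SMS for the SYN/ACK."""
    forward = trace(lab, "SMS", gw_ip)
    reverse = trace(lab, "Branch-FW2", mgmt_ip)
    return forward is not None and reverse is not None, forward, reverse


if __name__ == "__main__":
    for label, lab in (("branch without return route", build_lab(False)),
                       ("branch with the BQFW routes", build_lab(True))):
        ok, fwd, rev = sic_path_ok(lab)
        print(f"{label}: ok={ok} forward={fwd} reverse={rev}")
```

The first lab reproduces the symptom in the thread (packets from the management server reach Branch-FW2 via HQ-FW1, but Branch-FW2 has nowhere to send the reply), the second shows both directions resolving once the BQFW routes are in place. The model deliberately covers routing only; whether the policy or implied rules then allow the connection is the separate check Vladimir describes with "fw unloadlocal" and "Log Implied Rules".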
Akram_wasim
Explorer

Hi,

 

Added all the routes as per the instructions you gave me, but same issue, nothing has changed; able to ping from FW2 to Manager.

Br-Fw routes.PNG
Hq-fw routes.PNG
Manager routes.PNG

Above are the current routing tables after you shared the new routes with me. I added everything and enabled ICMP in the global properties; I have done everything. This is such a headache, I am unable to figure it out.
Vladimir
Champion

Show the route on your management server.

Have you created the firewall objects, defined their topology, configured security policy for the HQ-FW, published it and installed?

If not, you cannot expect this to work unless you perform "fw unloadlocal" on both firewalls.

Please show a screenshot of your policy here.

Please show the "Network" property of both firewall objects here.


Vladimir
Champion

P.S. In your management server's screenshot, the routes shown are NOT the ones I wrote you to add:

On your Management server (where SMS is the hostname of your management server):

SMS> set static-route default nexthop gateway address 10.1.1.111 on
SMS> save config

VS. yours:

image.png

Your management server cannot know how to reach the 10.2.2.0/24 network, your HQ-FW does.

Akram_wasim
Explorer

Policy.png

Akram_wasim
Explorer

Vladimir,

This is the current scenario:

Manager to FW1 - ping working

FW1 to FW2 - ping working

FW2 to FW1 - ping working

FW2 to Manager - ping working

The real problem is: "Manager to FW2 ping not working".

Is it because of the VMnet setting? I really don't know, mate.

I can see all routes in the routing table.

Policy is also installed.

I don't know why SIC is not establishing from FW2 to Manager, even though all policies and routes are available. Why??

Help..
Akram_wasim
Explorer

Hi Vladimir

Same issue.

1. I have enabled ICMP in Global properties

2. Added a default route from BFW to the FW1 external IP

I am unable to ping..

Pic 1: Added static NAT from Manager to 192.168.1.112

Pic 2: routing table of FW2

Static Nat from manager to 192.168.1....PNG
Routing Table.PNG
Vladimir
Champion

Can you ping from BQFW the IP of 192.168.1.112?

Have you enabled the "Log Implied Rules" in Global properties to see where your ICMP traffic is going in the logs?

You either use static NAT and refer to the Management server by its NATed IP (the most common scenario in practice), or, in your lab environment, do not NAT but rely on static routes.


As shown in your screenshot below, the Static NAT is being applied to the "Security Gateway control connections".

This means that you should be able to establish SIC with BQFW even in the absence of ICMP, if your routing is correct.

Try performing "fw unloadlocal" on the BQFW and ping and trace route to it from your management server to see where things are breaking down.

Additionally, verify that on your Management Server the default route is configured to use the FW1 internal interface as its gateway.

Akram_wasim
Explorer

Can you ping 192.168.1.222 from your HQ-FW1?  

Answer : No

Can you ping 192.168.1.111 from your Branch-FW2?  

Answer : No

Can you ping your 10.1.1.111 from your management server?

Answer : No

What do you see in logs when looking for ICMP traffic?

I don't know how to check ICMP logs in Check Point. Can you share the command in CLISH?

In Logs and Monitor I can't find any ICMP traffic.

Akram_wasim
Explorer

OK Vladimir, I will check and come back if there is any issue.

Thanks
Akram_wasim
Explorer

Manager routes

Managment route.PNG

Vladimir
Champion

Can you ping 192.168.1.222 from your HQ-FW1?

Can you ping 192.168.1.111 from your Branch-FW2?

Can you ping your 10.1.1.111 from your management server?

What do you see in logs when looking for ICMP traffic?


Akram_wasim
Explorer

Now I am able to ping Management, FW1 and FW2 from each other.

But SIC is not forming, still something is missing.
Vladimir
Champion

When you configured the branch firewall, have you configured it as a standalone or as a gateway only?

If it is configured correctly, as a gateway only, and if you did not restrict its management in Gaia, reset SIC via cpconfig on the branch firewall, verify that its object is configured properly, and re-initialize SIC for it.

Akram_wasim
Explorer

I have some doubt whether I have set up the VMnet settings correctly.

Do you have any idea of VMware Workstation VMnet settings?

In my case: Management - VMnet1

FW1 - VMnet1, VMnet2, VMnet3

FW2 - VMnet1, VMnet2, VMnet3
Akram_wasim
Explorer

I have one doubt, I am almost there.

When I configured B-FW I selected only Gateway.

My question: can one management server's SIC support two gateways?

Does the SIC password need to be the same on both GWs?

Now I can ping from FW1 to FW2,

but can't ping from FW2 to Management and also FW1.