Markus_Kress
Contributor

Renew sic on a VSX Cluster


Hey there, we just migrated one of our management servers to a server with a new hostname and new IP. As the old management server is also still in use, we had to change the IP and name of the new one.

Now we want to renew the SIC of the management server (fwm sic_reset), thus we also have to renew the SIC to the gateways. Now the question: is there a recommended way to do that for VSX gateways and VSX clusters? I think resetting SIC for VSX with cpconfig is not a good idea. Do I have to reset the SIC per VS, or can it be done for the whole gateway/cluster?

Any help is appreciated.

4 Replies
PhoneBoy
Admin
As fwm sic_reset resets the ICA, thus breaking SIC for everything, you typically want to avoid doing that.

If the new management station was created from a migrate export/import of your old one, all you need to do is push policy from your new management station as the ICA and all the certificate trusts should still be intact.
Markus_Kress
Contributor

Hi PhoneBoy,

thank you for your reply.

Yes, you are right. Normally we should avoid breaking the ICA. But the old management server is still online and used. What we have done: we split the manager into two. This means we now have two management servers, each of which serves some of the gateways/clusters that were managed before by only one server.

I know we could use all the old stuff (ICA and SIC certificates) on both servers, but we don't want to get into future trouble with that. That was the reason for the sic_reset on the new server.

Example: We use QRadar as our SIEM system. If we do not create a new ICA on the new server, we will have two LEA connections from our QRadar, one to each management server, but with the same credentials (the hostname is the same, only the IP is different). That works for now, but who knows if that is a recommended configuration. So we decided to create the new ICA on one server.

We figured out that, to reconnect a VSX cluster from the old to the new management server, we have to do a fresh install on each of the two cluster gateways and then do a vsx_util reconfigure - that works. But that means we have an outage.

Do you have a more comfortable idea, maybe without an outage? Or with only a short outage?

Thank you in advance,

Markus

PhoneBoy
Admin
On a regular Security Gateway, it is possible to reset SIC without an outage. See Tim Hall’s presentation at CPX last year: https://community.checkpoint.com/t5/Member-Exclusive-Content/Best-of-CheckMates-CLI/m-p/39515

I don’t know if that works on VSX, though.

Markus_Kress
Contributor

Hello PhoneBoy,

In my last post I forgot to write which releases we use:

Old management server: R77.30 (server still in use, will soon be upgraded to R80.20)

New Management server: R80.20 (server has new hostname and ip)

Cluster/Gateways: still on R77.30
