Re: 1550 sic establishment to mgmt

Luke_Abrams

Ok maybe someone here has some insight before I lose my mind... I have a new 1550 appliance I have setup.

-It will be setup with DHCP at the remote site. I have it connected to a hotspot via ethernet in my office for the WAN connection to simulate this.

-I have it setup in SmartConsole.

When I go to establish SIC the smart console side shows "Trust established" for the appliance.

When I go to the appliance page it shows "Security Policy Installation: Unable to test the validity of the trusted communication. Reset the SIC in the Management Server and try again." - I have probably 20 times now.

I tried with password, without password, Identify appliance according to = Mac, First to connect. Each time it looks like it works on the Management side but errors on the appliance side.

Any words of wisdom? What am I doing wrong? Am I just impatient and it will eventually show correct on the appliance since it is DHCP on that side?

PhoneBoy

Curious, have you actually tried pushing policy to the gateway?

Luke_Abrams

I have pushed policy, though I think it actually has to pull policy since the remote device WAN connection will be DHCP. I am trying to make sure everything is simulated in how it will actually be setup onsite.

Luke_Abrams

Central MgmtAppliance

It is just strange because doing this over and over, the central management shows trust established, but the appliance keeps showing it isn't.

PhoneBoy

What happens if you do an fw fetch mgmt-ip on the CLI of the SMB gateway?

Luke_Abrams

So I was able to get SIC established by monitoring the gateway that the management server is behind. I found the current IP of the device when it was trying to connect. I added an object to the rules to allow that IP address to communicate.

I then removed the IP address from the rules and just left the dynamic IP device. Once I did this it stops communicating and won't fetch policy either. It drops on the stealth rule for the clusters and management device. I was thinking one SIC is established it would trust the device and connect. But it does not match on the rule to allow the communication. Once it leaves here I do not know what the IP could end up being and it will change.

PhoneBoy

What services are being dropped?
What version/JHF is the management and non-SMB gateways?

Luke_Abrams

It is the 18191? I can't remember the number but it's the one for communication and log.

Management is latest for 81.20 1550 I can't remember but we recently got it so I wouldn't imagine at most one behind.

It seems like it just doesn't recognize the device traffic while it is using dynamic. I thought after sic establishment it would use a cert.

the_rock

I recall this like it happened yesterday, though its been probably 10+ years. I had customer call me saying they were going "insane", sort of same issue like yours, essentially if they reset SIC, it would work, but then when they would push policy, it would work once and then all would break again.

I was able to see very quickly issue was with the proper route missing...something to verify.

Best,

Andy

Luke_Abrams

I have a route for destination of internal network, source any, service any, next hop LAN1. I believe this would be correct. I don't believe I can setup a default route for the internet facing side since the IP is dynamic and it doesn't allow you to set it up with an interface only like WAN.

PhoneBoy

If I recall, there may be a different port used for SMB DAIP gateways.

PhoneBoy

Not sure if these still apply or not:

UDP	9281	SWTP_Gateway - VPN-1 Embedded/SofaWare commands	Connections (encrypted protocol) between Management Server (SMS daemon) and UTM-1 Edge devices
UDP	9282	SWTP_SMS - VPN-1 embedded / SofaWare Management Server (SMS)	Connections (encrypted protocol) between Management Server (SMS daemon) and UTM-1 Edge devices

Lesley

Done step 1?

1. How is SIC established with a DAIP Gateway?

When SIC is established for the first time between the Security Management server and the DAIP Gateway the user is requested to enter the current IP of the DAIP Gateway.

The Security Management initiates the certificate, and then the DAIP Gateway fetches it according to some identification (host name/MAC address)

2. How does the Management server learn about the DAIP Gateway's IP address?

When the DAIP Gateway fetches the policy, there is an infrastructure on the management (RS db) which is responsible to update the DAIP Gateway's IP. You can check it with the command "rs_db_tool -operation list".

Also you used the correct public IP of the management?

Make sure correct ports are open:

https://support.checkpoint.com/results/sk/sk93566

Most likely there is a blocked port. check traffic logs for traffic towards management. do not use source as filter due the fact public IP can change

-------
If you like this post please give a thumbs up(kudo)! 🙂

Luke_Abrams

So I would need to not have my "stealth rule" dropping traffic to the mgmt server if I am reading the article correctly? Currently I have rules before the stealth rule defined that allow traffic from each of my clusters to and from the mgmt server. Then I have a drop rule, dropping all other traffic.

PhoneBoy

Yes, you may need to adjust your stealth rule.

Are you a member of CheckMates?

1550 sic establishment to mgmt