Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
IZoom
Contributor
Jump to solution

Initialize SIC from Gateway

Hi guys,

 

I am going to do some checkups for various entities. I have central management with public IP. The end entities have probably own firewall, usually DHCP public address, or even worse they are behind several hide NAT. Simply said there is not possible to open connection from MGMT to Checkup device.

 

In ideal case I would like to bring checkup device to end customer, configure one interface with access to internet, rename the GW according the Customer Name, create SIC from gateway in DAIP mode and collect logs on MGMT (finally I'll do Checkup report with filter to Origin).

 

In worst case I am able to create SIC for DAIP in my office and then bring Checkup device to end customer. What is exactly written in SIC certificate? Is it possible to rename gateway in management without reinitialize SIC. I would like to filter report based on Origin? (there is no way to reinitialize SIC when GW is moved between end customers).

 

0 Kudos
1 Solution

Accepted Solutions
IZoom
Contributor

Thank you man. This was my initial idea -> but it's a public sector, no data/metadata can be posted outside organization. This option has been prohibited by layers. Therefor no Horizon or SMart-1 cloud is applicable.

Even checkup is working with SMB with DAIP without issues, I have already smart-1 6000L box and couple of full size FW (6200,7000, and bigger)

View solution in original post

0 Kudos
12 Replies
PhoneBoy
Admin
Admin

I believe the object name is partially there in the SIC certificate.
Having said that, renaming the gateway should not affect an existing SIC connection.

0 Kudos
the_rock
Legend
Legend

Its been a while since I did this, but I recall in the old days it used to give warning that you had to detach a license to rename the object. Might be different now, but will try tomorrow in my R81.20 lab.

0 Kudos
Blason_R
Leader
Leader

Renaming the gateway would not cause affect on SIC however it would definitely cause an issue on IPsec vpn if that is part of any community. I guess CP wont allow you do that.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend

I knew there had to be more to it than I thought. As a matter of fact, yes, you DO have to reset sic...please see below steps.

https://community.checkpoint.com/t5/General-Topics/How-to-change-Security-Gateway-name/td-p/33310

0 Kudos
IZoom
Contributor

Thank you guys for reply.

Actually I don't need to rename gateway, it is enough to rename object in mgmt to be able track down logs based on origin. I can live with uncleared data on device when moving between customers 😀 (I hope renaming object will not trigger log entries edit)

 

Back to my initial issue: So there is no way, how to establish SIC from GW, when there is not possible to connect from mgmt server -> GW. 

 

When there is not possible to open connection from MGMT to GW (only opposite way) - do this affect functionality of GW in DAIP mode? (I do only checkups, so there is only initial rulebase fetch once; I take care only about log forward from GW to mgmt server).

0 Kudos
PhoneBoy
Admin
Admin

Keep in mind the certificate for SIC is issued by the management server.
When you do reset SIC from a gateway, all you’re doing is removing the existing certificate and establishing the shared secret that will be used when the management connects.
Even the “reset SIC on gateway without a restart” procedure ultimately does this (removes SIC certificate, resets shared secret). 
Management must always initialize SIC with the gateway.

In a DAIP scenario (where the gateway object is marked as having a Dynamic IP), you specify the current IP address of the gateway when establishing SIC.
For gateways that are truly behind NAT and marked as DAIP, there is a somewhat different communication mechanism (inherited from the SMB devices).
In either case, ultimately, the gateway must be able to reach the management server IP. 

0 Kudos
IZoom
Contributor

well,

When I am behind several NAT and there is no way to connect from MGMT to GW (only from GW to MGMT), I have to use another approach. Anyway I am sad that in DAIP is not supported TE/TEX/CA,... I am wondering that last message from RnD is 2 years old (it is not supported), while on SMB I am using it without issues.

 

Finally I left the Idea of central management in this case and I'll configure stand alone boxes.

0 Kudos
PhoneBoy
Admin
Admin

When Check Point SEs run Security Checkups, they typically use a locally managed gateway.
In fact, we even offer a Blink image for it: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Granted, it needs to be a larger box due to the need for Management + SmartEvent.

A couple other options for this involving the cloud:

0 Kudos
Nir_Naaman
Collaborator

With Horizon NDR, the issue is moot - you don't need a management server so no SIC.

See: https://community.checkpoint.com/t5/Horizon-NDR/Horizon-NDR-Deployment-Guide/m-p/157374#M70.

Step 1: Install gateway with R81.10 or R81.20, latest jumbo.

Step 2: Define a sensor object on Horizon NDR, GENERATE REGISTRATION KEY, and run the provided command on your gateway.

Step 3: Attach the gateway to a customer's SPAN port, and wait for logs to accumulate.

Step 4: On the REPORTS tab, click "+ REQUEST", select report type, and submit. After a few minutes you'll get your report.

Step 5: Move the gateway to another customer's site, and repeat from Step 3.

Note: It's best if you provision a separate NDR subdomain for each customer, so that the reports don't contain residual information from the previous one.

0 Kudos
IZoom
Contributor

Thank you man. This was my initial idea -> but it's a public sector, no data/metadata can be posted outside organization. This option has been prohibited by layers. Therefor no Horizon or SMart-1 cloud is applicable.

Even checkup is working with SMB with DAIP without issues, I have already smart-1 6000L box and couple of full size FW (6200,7000, and bigger)

0 Kudos
Nir_Naaman
Collaborator

If it's a one-off, then this would indeed be overkill, but I would note that Horizon NDR is a completely portable application, in fact is also being used by some defense sector customers that are completely isolated from the Internet (with data diodes transferring ThreatCloud updates into their Private ThreatCloud). So perfectly suitable for public sector applications.

0 Kudos
the_rock
Legend
Legend

Well, keep in mind that as that link I sent you states, even renaming it may require SIC reset. As a matter of fact, I tried doing this in both R81.10 and R81.20 and would NOT let me rename it even in smart console without SIC reset. I had to 100% follow steps from link in my previous post.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events