Anthony_Kahwati
Collaborator

New build of VSX cluster


Hello all

I am building a new VSX cluster. Is the recommendation to get as much topology in place before or after the conversion to VSX?

Should I be converting it straight away after the first time wizard, or getting as much done as possible beforehand?

Thanks in advance

Accepted Solutions
Anthony_Kahwati
Collaborator

Hi all

Thanks very much for all of your replies. This is a great forum!

The issue is resolved and it was nothing overly complicated in the end.

We are adopting Cisco's ACI and one of the filters written by our vendor had a typo. The port name was "tcp-18208" but the actual value was tcp/12808. It resulted in there being an issue part way through which must be why it was complaining of a SIC issue part way through the build.

I have 18208 here as:

tcp/18208

FW1_CPRID - Check Point Remote Installation Protocol

Remote Installation of packages in SmartUpdate from Security Management Server / Customer Management Add-on (CMA) / Domain Management Server (by CPRID daemon) to Security Gateway

 

Once that was corrected it just worked and I now have a VSX cluster!

Thanks for all the engagements on this.

 

11 Replies
_Val_
Admin

Install a physical GW, set up management interface only and management routing, then convert to VSX and build VS topology on the VS level. 

If you use bonded interfaces, define bonds before conversion.

Anthony_Kahwati
Collaborator

Thanks

I have been trying to get this set up but the VSX cluster keeps ending with errors... it says there is no SIC connectivity to the two gateways, however, part of this set up process was to initialise SIC (it replied back Trusted).

What could I be missing here? The gateways do not exist in smart console yet, I am adding them as part of the process of creating a VSX cluster. 

Thanks in advance

_Val_
Admin

Any screenshots and/or video of the process?

Anthony_Kahwati
Collaborator

Hi, sorry, I can't owing to the environment classification (I'll get in trouble) but, if I elaborate, there may be a step I have missed out. Currently the Manager is the only device visible in Smart Console.

Both gateways are reachable and I have previously had them registered as normal gateways in Smart Console, SIC is possible. There's no policies in Smart Console yet.

When they were registered in Smart Console I tried to create 2 new VSX gateways using the Checkpoint Gateway Installation Wizard. It gets all the way to the end but then throws a SIC error. This doesn't make sense given they have already been through SIC in that process and it has stated that trust is initialised.

Anyway, this is a copy of the screenshot (lifted from google images) of what I got when I just tried to create a VSX cluster, introducing the gateways to Smart Console at the same time.

[I WILL POST AN IMAGE IN A SUBSEQUENT MESSAGE - THE FORUM IS NOT HAPPY WITH ME 🙂 ]

Owing to it failing I cancelled however it has already converted the gateways to VSX and I can no longer access them by SSH, but I can still SIC to them. They currently do NOT appear in Smart Console as I cancelled the wizard. Even though I can SIC to them I can't introduce them to the manager again as VSX gateways because they still say:

"Installing default policy - [policy name] on [gateway name]

Policy installation failed on gateway. Cluster policy installation failed: See SK125152)

Failed to install default policy on... etc. etc

"

It then lists reasons why a policy install might fail.

I haven't manually created a policy, however, the VSX Gateway wizard creates one to push as part of the add wizard.

Sorry for all the waffle, if I could share screenshots I would.

I hope this is a bit more informative but if not, no problem. I will get hold of our support vendor... was just looking here for an answer if possible. I know it's difficult to expect with limited information. Sorry.

Cheers

Anthony_Kahwati
Collaborator

This is the image I wanted to share after finally getting to reply... I was being told off for duplicate posts for some reason. Probably down to the corporate browsing infrastructure!

CheckpointFail.png

_Val_
Admin

OK. Just take the VSX admin guide and follow it, you are obviously doing it wrong. 

There are two possibilities:

1. Install clean, do not initialize SIC, use GW wizard to setup a VSX GW/cluster.

2. Install as a regular GW and then convert to VSX. Personally, I would not recommend this approach in the first place. 

You are trying to use something in between, and that is why it is not working for you.

Anthony_Kahwati
Collaborator

I have looked at the SK article and it doesn't seem relevant.

JackPrendergast
Collaborator

If you have previously connected the gateways to smartconsole, then you will need to reset SIC on the gateways themselves.

Enter cli on each firewall, type 'cpconfig' into clish and choose the option to reset 'Secure Internal Communication'.

It will ask you to type a new SIC key, do this, and then it will cpstop and cpstart.

Wait till all processes are back up, head back to smartconsole and try to add the gateways again using the new key.

As mentioned above, do bonded interfaces first before conversion if you have bonds.

Magnus-Holmberg
Advisor

Not sure if it's of any help, but I made a few VSX videos that are available on YouTube.
https://www.youtube.com/playlist?list=PL4Jm1LJEII4ZiVFkjtB1zMyOzn0LUVP21

Regards
Magnus

 

https://www.youtube.com/c/MagnusHolmberg-NetSec
Bob_Zimmerman
Advisor

Oof. This is the big reason I don't like putting port numbers and such in object names. It means a quick read of the policy can lie to you. Searches also lie to you, since they give you the match without telling you it only matches in the name, not in the actual data which means anything.

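As an added example (not code from this thread, from Check Point, or from any vendor tooling), here is the kind of sanity check the accepted solution and Bob's comment point at: a service object named "tcp-18208" whose real value is tcp/12808 passes a text search and a quick read of the policy, but the firewall only ever matches on the value. The script below takes a list of service objects (the `ServiceObject` type, the sample entries and the helper names are all assumptions constructed for this example), flags every object whose name encodes a protocol/port that disagrees with its value, and contrasts what a name search returns with what is actually permitted.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceObject:
    """A named service object as it might appear in a filter or rulebase export."""
    name: str
    protocol: str  # "tcp" or "udp"
    port: int


# Constructed sample data, not taken from any real export. The first entry
# reproduces the typo from the thread: the object is *named* tcp-18208
# (FW1_CPRID, remote package installation) but its actual value is 12808.
SAMPLE_FILTERS = [
    ServiceObject("tcp-18208", "tcp", 12808),   # name and value disagree
    ServiceObject("tcp-18209", "tcp", 18209),   # consistent
    ServiceObject("https", "tcp", 443),         # no port in the name: nothing to compare
    ServiceObject("udp-500", "tcp", 500),       # port agrees, protocol does not
]

# Names of the form "tcp-18208", "tcp_18208" or "TCP/18208"
NAME_PATTERN = re.compile(r"^(?P<proto>tcp|udp)[-_/](?P<port>\d{1,5})$", re.IGNORECASE)


def find_name_value_mismatches(objects):
    """Return (name, reason) for every object whose name encodes a protocol/port
    that differs from the object's real value. Objects without a port in the
    name are skipped: they cannot mislead a reader in the same way."""
    findings = []
    for obj in objects:
        m = NAME_PATTERN.match(obj.name)
        if m is None:
            continue
        named_proto = m.group("proto").lower()
        named_port = int(m.group("port"))
        if named_port != obj.port:
            findings.append((obj.name,
                             f"name says {named_proto}/{named_port}, value is {obj.protocol}/{obj.port}"))
        elif named_proto != obj.protocol.lower():
            findings.append((obj.name,
                             f"name says {named_proto}, value is {obj.protocol}/{obj.port}"))
    return findings


def names_matching(objects, needle):
    """What a text search of the policy gives you: a hit on the *name* only."""
    return [obj.name for obj in objects if needle in obj.name]


def is_permitted(objects, protocol, port):
    """What the firewall actually does: match on protocol and port value only."""
    return any(obj.protocol.lower() == protocol.lower() and obj.port == port
               for obj in objects)


if __name__ == "__main__":
    for name, reason in find_name_value_mismatches(SAMPLE_FILTERS):
        print(f"MISMATCH {name}: {reason}")
    print("search for '18208' finds:", names_matching(SAMPLE_FILTERS, "18208"))
    print("tcp/18208 actually permitted:", is_permitted(SAMPLE_FILTERS, "tcp", 18208))
```

On the sample data the search for "18208" returns a hit while `is_permitted` reports that tcp/18208 is not allowed at all, which is exactly the gap that showed up as a SIC failure part way through the build. Run against a real export, a check like this belongs in the review step before a vendor-supplied filter set is applied.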