Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
DanM1
Participant

Uninstall policy on Security Gateway and Management Server in an MDS env.

Hello all,

I need a little bit of help, please.

What I want to achieve, to uninstall the policy on Security Gateways (GWs) and Management Server (MGMT Server)on an MDS env.

Setup:
- DomainX with two Security Gateways (GWs) installed and of course the Management Server(MGMT Server) - so it's about MDS env.

I have followed the below steps:
- I uninstall the policy on GWs, and I did it using the "fw unloadlocal" command following the steps described here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic... and on GWs is working as expected;
- my problem is related to the fact that MGMT Server is reporting that GWs have the policy installed, even I uninstall it on GWs using the above step.

After uninstalling the policy on GW, MGMT Server is not synchronized with the GWs. The question is, is there a way to force this sync to happen? in a way that MGMT Server to report that the GWs don;t have anymore the policy installed?

If this is not the correct approach, is there a way to uninstall the policy on this DomainX, in such a way that MGMT Server to report that the policy is not installed?

Thank you,
Dan

4 Replies
G_W_Albrecht
Legend Legend
Legend

Afaik this is not possible - fw unloadlocal only works locally on the GW and the GW can not report this change to the SMS/MDS.

What is the reason for this unorthodox demand ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend

Hm, thats interesting...could you please send a screenshot of it? I tested this on regular management in the lab and if I unload policy on firewall, it does reflect that status in smart console. I really cant speak for MDS, as I had not played much with that in R80.

0 Kudos
the_rock
Legend
Legend

Apologies, @G_W_Albrecht is absolutely correct! I did a test, but silly me, ended up looking at different smart console window (DOH...). Anyway, what happens is actually this...if you run fw unloadlocal, yes, it removes current policy, but in dashboard, you will see red X beside gateway that will say firewall policy not installed if you hover over it, BUT, in the summary on the bottom, it would still show latest installed policy, so my logical assumption is that its by design...maybe @PhoneBoy can give us confirmation.

0 Kudos
PhoneBoy
Admin
Admin

I assume what's showing in SmartConsole is the last policy that was installed to the gateway.
And, in fact, if you run a fw fetchlocal from the gateway, that policy will be the one that is loaded.
The X saying there's an issue on the gateway seems to be the correct behavior.
@DanM1 can you confirm this is what you see on your end?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events