Hey everyone, we need to change the IP on our management server, and had initially been told by TAC that reestablishing SIC wouldn't be required, since the certificate was based on DNS name, which wasn't changing. Now I'm reading that SIC does need to be reestablished, since the management server IP is stored in the $CPDIR/registry/HKLM_registry.data file. BUT...the documentation also says this:
Symptoms
- SIC establishment is lost between gateway and mgmt server over time.
- No SIC connectivity to gateway
Since it says "over time", does anyone know what the trigger is that will cause SIC to start failing? Trying to plan this out, want to make sure I know exactly what's going to happen, and when.
Thx,
dp
Where precisely are you seeing this "over time" statement?
You should be able to re-establish SIC with the relevant gateways after changing the IP on the management by performing an Install Policy action to all gateways.
This will update the management IP on all the relevant gateways and re-establish connectivity.
Remember that the management is also the Internal Certificate Authority.
Part of that functionality is gateways checking on the validity of certificates issued by the ICA.
If the IP is different, then the Certificate Revocation List is not available.
At least for VPN, this will cause VPNs to start failing after 24 hours or so.
I have personally never seen this happen, not that it means it doesn't happen. I just always make sure to do an install database before I push the policy. It was my understanding that the Masters was all it was checking, and that is object-based. @PhoneBoy isn't the CRL pulled from the VPN certificate and not the SIC certificate?
They state this in this article, https://support.checkpoint.com/results/sk/sk103356.
So are we all in agreement that SIC will automatically happen after I change the management IP, install database, then push a policy? Wondering if that file on the gateway automatically updates itself with the new IP?
That's my experience, BUT that does not always guarantee SIC won't need to be reset.
I suspect the "over time" might be talking about automatic renewal of the SIC certificates. Eventually, the cert will get close to expiring and will try to renew itself. Not sure which method it uses to get the management's IP to try to renew the cert, but if it doesn't try the new IP, the SIC cert will eventually expire. Doesn't disrupt traffic, but it does prevent policy installation and other things which depend on SIC.
You are referring to below:
https://support.checkpoint.com/results/sk/sk103356
In my experience, the last time I did this it worked fine, no SIC reset, but then 3 times before that it was needed...so I have no clue in the world why it's inconsistent :-)
I did just have a look on one of my VPN gateways, and that HKLM_registry.data file shows that it was updated 20 mins ago, even though no policy was pushed to it. Wonder if that file automatically updates on a certain interval, as the gateway is communicating with the management server?
That's most likely true...I will let someone else confirm, but it would make logical sense.
Andy
Just checked my lab and though I never modified this file, it shows today's date, so I'm 100% sure it's all automatic. Never knew that was the case, so thank you for bringing that point up 👍
Andy
[Expert@quantum-firewall:0]# cd /opt/CPshrd-R81.20/registry/
[Expert@quantum-firewall:0]# stat HKLM_registry.data
File: 'HKLM_registry.data'
Size: 143613 Blocks: 288 IO Block: 4096 regular file
Device: fc01h/64513d Inode: 35062378 Links: 1
Access: (0660/-rw-rw----) Uid: ( 0/ admin) Gid: ( 0/ root)
Access: 2023-07-20 10:06:59.652972485 -0400
Modify: 2023-07-20 10:06:59.482972476 -0400
Change: 2023-07-20 10:06:59.503972477 -0400
Birth: -
[Expert@quantum-firewall:0]#
I verified 100% based on tests on 4 different VMs and 4 different CP versions (R80.30, R80.40, R81.10 and R81.20) that the HKLM_registry.data file gets "refreshed" every 60 seconds...that's what it shows when I ran the watch -d stat command on the file.
Not sure if TAC would have any other official answer, but that's the result I get.
Andy
Can you try to cut the connection between gateway and management? Wondering if that file is refreshed only in case there is communication between GW and management.
Do you also see any difference in regards to the content of the file? Is the content always the same, or are some timestamps updated within the file itself? You can use the "diff" command to compare the file before refresh (make a copy) and after refresh.
Content is exactly the same every time I check it.
Andy
Hmm...what happens when you change the IP on your management server? Hehehe
I did that test today in my lab and all worked fine, no need to even do SIC reset. File content was the same.
That file contains the IP of the management server though, so I assume that this entry at least changed?
Yes...I changed it back since and it's updated accordingly
Andy
[Expert@quantum-firewall:0]# grep -i 172.16.10.203 /opt/CPshrd-R81.20/registry/HKLM_registry.data
:ICAip (172.16.10.203)
[Expert@quantum-firewall:0]#
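Pulling together the three observations above (the file's mtime moving every 60 seconds, the suggestion to diff a copy against the live file, and the :ICAip entry that does change when the management IP changes), here is an added script that is not from the thread or from Check Point. It distinguishes a file that was merely re-touched from one that was actually rewritten, and reports the ICA IP currently recorded. It assumes the R81.20 path quoted above; set REG_FILE for other versions.

```bash
#!/bin/bash
# Added example, not from the thread: tell a re-touched HKLM_registry.data
# apart from a rewritten one, and report the :ICAip entry it holds.
# Path assumption taken from the R81.20 gateway in the thread; override with REG_FILE=...
REG_FILE="${REG_FILE:-/opt/CPshrd-R81.20/registry/HKLM_registry.data}"

# Print the management (ICA) IP from a registry file line such as ":ICAip (172.16.10.203)".
ica_ip() {
    sed -n 's/^[[:space:]]*:ICAip[[:space:]]*(\([^)]*\)).*/\1/p' "$1" | head -n 1
}

# Compare a file against an earlier snapshot of its mtime and checksum.
# Arguments: old_mtime old_cksum path. Prints one of: unchanged | touched | rewritten
classify_change() {
    local old_mtime=$1 old_sum=$2 path=$3 new_mtime new_sum
    new_mtime=$(stat -c %Y "$path")
    new_sum=$(cksum "$path" | cut -d' ' -f1)
    if [ "$new_sum" != "$old_sum" ]; then
        echo rewritten      # bytes differ: a real registry update, e.g. a new ICAip
    elif [ "$new_mtime" != "$old_mtime" ]; then
        echo touched        # same bytes, newer mtime: the periodic refresh seen in the thread
    else
        echo unchanged
    fi
}

# Stand-alone use on a gateway: sample every 60 s (the interval reported above)
# and log what kind of change happened plus the ICA IP in effect.
if [ "${1:-}" = "--watch" ] && [ -f "$REG_FILE" ]; then
    m=$(stat -c %Y "$REG_FILE"); s=$(cksum "$REG_FILE" | cut -d' ' -f1)
    while sleep 60; do
        echo "$(date '+%T') $(classify_change "$m" "$s" "$REG_FILE") ICAip=$(ica_ip "$REG_FILE")"
        m=$(stat -c %Y "$REG_FILE"); s=$(cksum "$REG_FILE" | cut -d' ' -f1)
    done
fi
```

Run it as `./regwatch.sh --watch` in Expert mode; a line reading "touched" each minute with a stable ICAip is the behaviour described in the thread, while "rewritten" marks the moment the gateway picked up a new management IP.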