10/22/2018 Reset SIC without restarting the firewall process

WWW.CHECKPOINT.COM WELCOME: NGUYEN ANH TUAN |  SIGN OUT

SELL MARKET LEARN SUPPORT MY CHECK POINT

Support Center > Search Results > SecureKnowledge Details

Search Support Center

Reset SIC without restarting the firewall process

Rate This My Favorites Email Print

Solution ID sk86521
Product Security Gateway
Version R75, NGX R65, R76, R77, R77.10, R77.20, R77.30, R80.10
OS SecurePlatform, SecurePlatform 2.6, Gaia, Gaia Embedded, Solaris, IPSO 6.2, IPSO 6.1, IPSO 6.0, IPSO 4.x, IPSO 3.x, Windows
Platform / Model All
Date Created 31-thg 10-2012
Last Modified 06-thg 9-2018

Symptoms
SIC has to be reset on Security Gateway.

User does not want to load the 'InitialPolicy'.

User does not want to stop passing traffic.

User does not want to restart Check Point services ('cpstop;cpstart').

Solution
The normal way of resetting SIC is to automatically restart Check Point services (cpstop;cpstart ). This requires a maintenance window for some environments.

In addition, since SIC was reset, the Security Gateway will load the 'InitialPolicy', which in some cases, mandates console access to the Security Gateway.

Perform the following procedure:

Note:

This procedure is not supported on SMB appliances. In SMB, the SIC related process (CPD) is integrated into the FW process, so it cannot be restarted separately.

1. On the Security Gateway (not 61000), run these commands:

A. [Expert@HostName]# cp_conf sic init New_Activation_Key norestart

B. [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

C. [Expert@HostName]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

2. In 61k Security Gateway Mode:

A. [Expert@HostName]# g_all cp_conf sic init New_Activation_Key norestart

B. [Expert@HostName]# gexec -f -b all -c 'cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"'

C. [Expert@HostName]# gexec -f -b all -c 'cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"'

3. In SmartDashboard:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86521 1/2
10/22/2018 Reset SIC without restarting the firewall process
A. Click on the Security Gateway object.

B. Click on 'Communication'.

C. Click 'Reset' and confirm.

D. Enter the New_Activation_Key (that was used in the 'cp_conf sic init ...' command on Security Gateway).

E. Click on 'Initialize'.

F. Install policy, if needed.

Notes:

Make sure you are resetting SIC to the same Management Server IP address. Using this procedure, the firewall still has the last installed policy.

If the user has a "Stealth Rule" or a "Cleanup Rule", the current policy may only allow for communication between the Gateway and IP address of Management
Server.

If changing the IP address of the Management Server, this traffic will be dropped on the Stealth or Cleanup Rule.

If a change of the IP address of the Management Server is needed, first create a Dummy host with the new IP of the Management Server and add this object to the
"Fetch Policy" of the gateways and all affected rules. Install the policy. After the SIC reset tidy the rules to remove unwanted access to the old manager IP. If control
connections are disabled, ensure the policy is updated with the new management IP address.  Follow sk40993 (How to change the IP Address of a Security
Management) for changing the IP.

Related solutions:

sk65764 - How to reset SIC

Note: If performing this operation on R65 gateways, please be aware that the operation must be completed within 10 minutes. If not, the gateway may reset Check Point
processes, resulting in traffic loss.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback Please rate this document [1=Worst,5=Best]

Enter your comment here

Comment 

©1994-2018 Check Point Software Technologies Ltd. All rights reserved.

Copyright | Privacy Policy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86521 2/2