Solution ID sk86521
Product Security Gateway
Version R75, NGX R65, R76, R77, R77.10, R77.20, R77.30, R80.10
OS SecurePlatform, SecurePlatform 2.6, Gaia, Gaia Embedded, Solaris, IPSO 6.2, IPSO 6.1, IPSO 6.0, IPSO 4.x, IPSO 3.x, Windows
Platform / Model All
Date Created 31-Oct-2012
Last Modified 06-Sep-2018
Symptoms
SIC has to be reset on Security Gateway.
Solution
The normal way of resetting SIC is to automatically restart Check Point services (cpstop;cpstart). This requires a maintenance window for some environments.
In addition, since SIC was reset, the Security Gateway will load the 'InitialPolicy', which, in some cases, mandates console access to the Security Gateway.
Note:
This procedure is not supported on SMB appliances. In SMB, the SIC related process (CPD) is integrated into the FW process, so it cannot be restarted separately.
B. [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
B. [Expert@HostName]# gexec -f -b all -c 'cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"'
C. [Expert@HostName]# gexec -f -b all -c 'cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"'
3. In SmartDashboard:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86521 1/2
10/22/2018 Reset SIC without restarting the firewall process
A. Click on the Security Gateway object.
B. Click on 'Communication'.
D. Enter the New_Activation_Key (that was used in the 'cp_conf sic init ...' command on Security Gateway).
E. Click on 'Initialize'.
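One way to confirm on the gateway that only CPD was restarted and the firewall daemon kept its PID, as an added example that is not part of the original article. It compares two saved `cpwd_admin list` snapshots; the column layout, the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code). Assumption: `cpwd_admin list` prints one
# row per process with APP, PID and STAT as the first three columns, and
# STAT "E" means executing, as in the constructed samples at the bottom.

# pid_of APP FILE: print the PID of APP if it is executing.
pid_of() {
    awk -v app="$1" '$1 == app && $3 == "E" { print $2; exit }' "$2"
}

# cpd_only_restarted BEFORE AFTER
# 0 = CPD has a new PID and every other process kept its PID
# 1 = CPD not running, 2 = CPD PID unchanged, 3 = another process changed
cpd_only_restarted() {
    new_cpd=$(pid_of CPD "$2")
    [ -n "$new_cpd" ] || { echo "CPD is not running"; return 1; }
    [ "$new_cpd" != "$(pid_of CPD "$1")" ] || { echo "CPD PID unchanged"; return 2; }
    awk '
        NR == FNR { if ($1 != "APP" && $1 != "CPD") pid[$1] = $2; next }
        ($1 in pid) { seen[$1] = 1
                      if (pid[$1] != $2) { print $1 " was restarted"; bad = 1 } }
        END { for (a in pid) if (!(a in seen)) { print a " is missing"; bad = 1 }
              exit bad + 0 }
    ' "$1" "$2" || return 3
    echo "OK: only CPD was restarted"
}

# Constructed snapshots; on a gateway, save `cpwd_admin list` output to a file
# before stopping CPD and again after starting it.
SNAP=$(mktemp -d)
cat > "$SNAP/before" <<'EOF'
APP   PID   STAT  #START  START_TIME             MON  COMMAND
CPD   4310  E     1       [09:12:01] 22/10/2018  Y    cpd
FWD   4402  E     1       [09:12:05] 22/10/2018  N    fwd
EOF
cat > "$SNAP/after" <<'EOF'
APP   PID   STAT  #START  START_TIME             MON  COMMAND
CPD   9127  E     1       [14:30:44] 22/10/2018  Y    cpd
FWD   4402  E     1       [09:12:05] 22/10/2018  N    fwd
EOF
cat > "$SNAP/bad" <<'EOF'
APP   PID   STAT  #START  START_TIME             MON  COMMAND
CPD   9127  E     1       [14:30:44] 22/10/2018  Y    cpd
FWD   9301  E     2       [14:31:02] 22/10/2018  N    fwd
EOF
cpd_only_restarted "$SNAP/before" "$SNAP/after"
```

A non-zero return means the restart touched more than CPD or CPD did not come back, which is worth resolving before initializing trust in SmartDashboard.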
Notes:
Make sure you are resetting SIC to the same Management Server IP address. Using this procedure, the firewall still has the last installed policy.
If the user has a "Stealth Rule" or a "Cleanup Rule", the current policy may only allow for communication between the Gateway and the IP address of the Management Server.
If changing the IP address of the Management Server, this traffic will be dropped on the Stealth or Cleanup Rule.
If a change of the IP address of the Management Server is needed, first create a Dummy host with the new IP of the Management Server and add this object to the "Fetch Policy" of the gateways and all affected rules. Install the policy. After the SIC reset, tidy the rules to remove unwanted access to the old manager IP. If control connections are disabled, ensure the policy is updated with the new management IP address. Follow sk40993 (How to change the IP Address of a Security Management) for changing the IP.
Related solutions:
Note: If performing this operation on R65 gateways, please be aware that the operation must be completed within 10 minutes. If not, the gateway may reset Check Point processes, resulting in traffic loss.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.