Check Point - Reset SIC without restarting the firewall process - sk86521

Captions
Hi, welcome to my channel. My name is Magnus, and in today's video we're going to reset the SIC of the security gateway. I'm sure most of you already know how to do this, but we are not going to do it the ordinary way; we are going to do it in a way where we don't need to do cpstop and, more or less, don't need to have a failover of traffic. But first I will just show you how this works if we do it the ordinary way.

So I have a normal cluster here with two gateways. If we double-click on one of the gateways, we can see Communication, just press Test SIC, and we get "Communicating", so that's all good. I'm also logged into the boxes, so we can see that they are active and standby. We did check on gateway number one, and gateway number one is the active node. So let's do a watch command here instead, so we can see that it's actually failing over, and it's good to spell it correctly: cphaprob. OK, so now this is updating, and we are on the standby member, and we are going to reset the SIC on the first member. Let's do a ping as well, so we ping through the gateways.

To reset SIC: well, we're in CLISH, so exit, and then we do cpconfig, and here we have the option for Secure Internal Communication, number 5, and we want to re-initiate the communication: yes. It says here that this will run cpstop, meaning the box will not reboot, but it will stop all the Check Point processes. Do we want to do this? Yes. Then I just add an activation key; I do checkpoint123, like that, and then 11 to exit here. Now we should see that this is failing over and the other member becomes active, and in the worst case you will also see that it's affecting the traffic. So resetting SIC this way will load the initial policy, it will restart all the services, and you will have a failover, so more or less you would need to do it in a service window. So, to avoid this... but let's first see if we are back up and running. I think maybe we're kicked out; no, not yet. So what do we need to do to get back up and running here? Because this is lost. Well, if we go back here and take gateway number one and do Edit, Communication, that's SIC, it's failing. OK, so we need to reset it here as well, and then we need to type checkpoint123, checkpoint123, and Initialize, and now trust is established. OK. Now we need to publish, and we also need to install the policy. If we open this one, we can go into expert mode and I will do watch here; if we're quick enough you see it hasn't even started showing that it's in a cluster. This is also something that the gateway will become aware of when it gets the policy. So let's get this back up to normal: now it's in Init, now it will become standby, and depending on your priority it will become active as well. We have the priority set so it changes, because we always want the first member to become active; this is something you can change if you want to. We also see here that policy installation failed. OK, what failed? Well, that's the Threat Prevention policy. If we do Install Policy again, we can install only the Threat Prevention policy if we want, and then everything will be green.

So this is the standard, the normal way to do it, but the drawback is that it becomes an outage. All right, so can we do this another way? Yes. There is an SK for this, and that's this SK here, sk86521, the SK for resetting the SIC without restarting the firewall process. So: SIC has to be reset on the gateway, you don't want to load the initial policy, you don't want to stop the traffic, and you don't want to restart the Check Point services. What could be a reason why you want to do this? Well, that's obvious: you don't want the maintenance window, you don't want an outage. And when can you use this? Well, if you want to change the management station, if you want to change the IP of your management station, if you want to move gateways from a normal management station to a CMA within an MDS, this is perfect. So let's try this.

All right, so everything is hunky-dory, so let's look at the process for how to do this. Here's the process: more or less we need to do this one, and we can do it like this, and we will do it on the active member, so we will do it on gateway number one, this one. I'll do clear, and maybe I can zoom a bit. We do like this, and we can use vpn123; vpn123 is the SIC key. So let's press Enter, and after we have run this command we need to run two more commands. So here is still the process; we can do it like this. "Copy name", is it referring to something? No, it's not referring to something. So let's do this, paste, and just wait; or did it kick us out? No, I just needed to press OK or Enter one time, and do this one as well. All right, so let's see what the next step is. We are not on the security gateway now, but in SmartConsole. Let's see if this actually changed the key. We can do like this, and yes, you see here we have now lost the communication, so there is no communication; that verifies that the SIC reset is working, more or less. And just to verify here, we still have the traffic going through number one, so this hasn't changed and we haven't lost any pings, because the traffic hasn't changed. So let's do like this: Communication, and we can just test SIC here, and it's failing. Then we do Reset, yes, and then vpn123, vpn123, Initialize, trust established, Close, Close. OK, so this will turn green, and we will do Publish. We still need to... I think we still need to push the policy. Let's see if it says anything in the process: it says "install the policy if needed", so I don't know. Let's see if we actually need to do that. Communication test: now it's communicating, so this will turn green even without us pushing the policy. So maybe I should just wait so we get it in the video that it's actually green, and you trust me, I don't know, but this is pretty cool.

This is something that I have used myself when I have moved VSX clusters to different CMAs, when we have changed IP addresses, when we have done larger migration work and we don't really want to have an extra maintenance window, we don't want to do additional work by resetting and failing over. I mean, if it's a really small environment maybe it doesn't matter, but if you have a VSX with 50 customers on it, you don't really want to reset the whole box and have a failover. Maybe there are multiple cluster members, so you need to do it several times; maybe you need to do it in a specific order because you don't have enough performance in the boxes, and so on. So this is an SK that you should be aware of, and it will be handy to be aware of, and if you work long enough with Check Point this is something you will definitely use. The SK, as I said, is sk86521, technical level expert. Yeah, maybe so; maybe I shouldn't put this in the CCSA video series, I will put this in, I don't know, troubleshooting or CCSE. So you see here, yellow here, it's complaining about licenses, so it's actually OK, everything else. So you see we didn't need to push the policy, but to show it we can push the policy; now the policy has been installed, everything is successful. We didn't need to push it twice because it already has the policy, and as you saw we didn't change any status, and you can see that here, because "the member was changed due to higher priority of the remaining cluster", so this is the first failover that we didn't do. And more or less we only needed to run three commands. So, well, I hope to see you in the next one. Take care, bye.
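The three-command procedure from sk86521 that the video runs on the active member, wrapped in a small script as an added example. This is not code from the video, from the SK or from Check Point. The command syntax it uses (cp_conf sic init <key> norestart, then a cpwd_admin stop/start of CPD, then cp_conf sic state to check) is written from my reading of the SK and is an assumption to verify against the SK text before use. The cphaprob state text it parses is a constructed sample in the shape of R80.x/R81 output, and reading the local member's state from the second-to-last column of the "(local)" row is also an assumption. The script records the local cluster state before and after the reset so that you can prove, as the video does with watch, that no failover happened; by default it only prints what it would run.

```shell
#!/bin/sh
# Added example (not from the video, the SK or Check Point): run the sk86521
# "reset SIC without restarting Check Point services" steps and prove that the
# local cluster member did not fail over. Command syntax is my reading of the
# SK (assumption, verify against sk86521):
#   cp_conf sic init <activation_key> norestart
#   cpwd_admin stop  -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
#   cpwd_admin start -name CPD -path "$CPDIR/bin/cpd"       -command "cpd"
# Only CPD (the daemon that holds SIC) is restarted under cpwd; no cpstop/cpstart.
# Usage on the gateway, expert mode:  SIC_RUN=1 DRY_RUN=0 ./sic_norestart.sh vpn123
# Without SIC_RUN=1 nothing is executed; with DRY_RUN=1 (default) commands are only printed.

DRY_RUN=${DRY_RUN:-1}

# Constructed sample of `cphaprob state` output (R80.x/R81 shape); used in dry
# run only, so the script can be exercised off-box.
SAMPLE_STATE='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  10.0.0.1        100%            ACTIVE         fw1
2          10.0.0.2        0%              STANDBY        fw2
'

# Print the state of the local member from `cphaprob state` text on stdin.
# Assumption: the state is the second-to-last column of the "(local)" row.
local_state() {
    awk '/\(local\)/ { print $(NF-1); exit }'
}

# Current local member state: real `cphaprob state` on-box, the sample in dry run.
current_state() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_STATE" | local_state
    else
        cphaprob state | local_state
    fi
}

# The one-time activation key has to be typed again in SmartConsole; reject
# empty keys and keys containing whitespace, which are easy to mistype there.
validate_key() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Print the command in dry run, execute it otherwise.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# The three SK commands, in order.
reset_sic_norestart() {
    key=$1
    cpdir=${CPDIR:-'$CPDIR'}   # CPDIR is always set on a gateway; literal text in dry run
    run_cmd cp_conf sic init "$key" norestart
    run_cmd cpwd_admin stop -name CPD -path "$cpdir/bin/cpd_admin" -command "cpd_admin stop"
    run_cmd cpwd_admin start -name CPD -path "$cpdir/bin/cpd" -command "cpd"
}

# True when the member state before and after the reset is unchanged.
no_failover() {
    [ "$1" = "$2" ]
}

main() {
    key=${1:?usage: SIC_RUN=1 [DRY_RUN=0] $0 <activation_key>}
    validate_key "$key" || { echo "refusing empty key or key with whitespace" >&2; return 2; }
    before=$(current_state)
    echo "local member state before: ${before:-unknown}"
    reset_sic_norestart "$key"
    if [ "$DRY_RUN" != 1 ]; then
        cp_conf sic state    # expect: initialized, trust not yet established
    fi
    after=$(current_state)
    echo "local member state after:  ${after:-unknown}"
    if no_failover "$before" "$after"; then
        echo "no failover; now Reset and Initialize SIC in SmartConsole with the same key, then install policy if needed"
    else
        echo "WARNING: local member state changed ($before -> $after)" >&2
        return 1
    fi
}

if [ "${SIC_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

The before/after comparison is the check the video makes with watch and ping: if the local member reports the same state after the three commands, the SK did what it promises and the only remaining work is Reset, Initialize and (if needed) Install Policy in SmartConsole. A real run needs DRY_RUN=0 and SIC_RUN=1 and should be done on the member whose failover you want to avoid, as in the video.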
Info
Channel: Magnus Holmberg
Views: 504
Keywords: ccsa, ccse, checkpoint, check point, cyber security, network, secuirty, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos, #compliance, r81, ccsa training, r80.10, r80.20, r80.30, check point vsx, network design, r81.10, cyber security course
Id: t1hxRHEW_hU
Length: 12min 24sec (744 seconds)
Published: Fri Aug 19 2022