Monday, February 1, 2016

RMA Firewall

Author: dk
Date: 1/21/2016
This is the procedure to RMA or rebuild a member of a VPN cluster.

1. Backup the following:
license
fwkern.conf
show configuration output (remove the SNMP entries for the interfaces; they will not import)
ace files
trac_client_1.ttm file

2. Install R77.20
vi: create a config file and paste the show configuration output into it
load configuration config

3. Web wizard via https://myvpn-fwa.mydomain.com:4434
fw uninstall (otherwise it will get stuck at 99%)

4. install Take 91
reboot

5. reset sic
push policy (which creates the /var/ace directory)
copy ace file
copy trac_client_1.ttm file
copy fwkern.conf file (important for ClusterXL to function)

6. reboot
install GA fw1
install GA Sim
-------------------------------------------------

RMA -Rebuild a Checkpoint VPN Cluster (Thursday, January 21, 2016, 3:45 PM)

1.
Get the license file
[Expert@myvpn-fwb:0]# cd $CPDIR/conf
[Expert@myvpn-fwb:0]# pwd
/opt/CPshrd-R77/conf
[Expert@myvpn-fwb:0]# cat $CPDIR/conf/cp.license
Sign {
LICENSE 100.210.70.250 never CPAP-SG1260X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-L CPSB-ASPM CK-00-1C-7F-36-A8-05
}= 76sdQuNjnhC4AGzuG4ZwfdTixxBbbv9JBsk Index=3 Version=0
[Expert@myvpn-fwb:0]#


2.
Get any special Kernel config
[Expert@myvpn-fwb:0]# find / -name fwkern.conf
/var/opt/fw.boot/modules/fwkern.conf
[Expert@myvpn-fwb:0]#
[Expert@myvpn-fwb:0]# cat /var/opt/fw.boot/modules/fwkern.conf
fwha_mac_magic=218
fwha_mac_forward_magic=217
[Expert@myvpn-fwb:0]#


3.
Get any local.arp files
[Expert@myvpn-fwb:0]# fw ctl arp
No proxy ARP entries

4.
Validate number of routes
[Expert@myvpn-fwb:0]# netstat -rn | wc -l
298
[Expert@myvpn-fwb:0]#

5.
Get a copy of the trac_client_1.ttm file (for VPN clients)
[Expert@myvpn-fwb:0]# find ./ -name trac_client_1.ttm
./var/opt/CPsuite-R77/fw1/conf/trac_client_1.ttm
./home/scp/trac_client_1.ttm
[Expert@myvpn-fwb:0]#

6. Get a copy of the show configuration output

7. Get a copy of the /var/ace directory:
sdconf.rec - generated by the ACE server and copied to the /var/ace directory
sdopts.rec - allows you to force the ACE agent to use a specific IP address when generating its hash
sdstatus.12 - created automatically at the point of communication between the ACE agent and server
securid - created automatically at the point of successful communication between the ACE agent and server
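As an added example, not part of the original post, the following POSIX shell script gathers the step-1 backup set from the member being replaced into one tarball with a checksum manifest and then confirms that nothing step 5 copies back is missing. It assumes a root-prefix argument (so it can be pointed at a test tree), an output directory under /home, and CPDIR defaulting to the /opt/CPshrd-R77 path shown on the page when it is not exported.

```shell
#!/bin/sh
# Added example, not part of the original post: gather the step-1 backup set from
# the member being RMA'd into one tarball with a cksum manifest, then confirm the
# files step 5 restores are all present before the old box is shipped.
# Assumptions (not from the page): a ROOT prefix argument so the collector can be
# pointed at a test tree, an output directory under /home, and CPDIR defaulting to
# the /opt/CPshrd-R77 seen on the page when it is not exported.

collect_rma_backup() {
    root="${1:-/}"           # filesystem root to collect from (/ on the gateway)
    out="${2:-/home/admin}"  # where the tarball and work directory are written
    stamp=$(date +%Y%m%d-%H%M%S)
    work="$out/rma-backup-$stamp"
    mkdir -p "$work/ace"
    # Static files named in the procedure: license, kernel params, VPN client TTM.
    for f in "${CPDIR:-/opt/CPshrd-R77}/conf/cp.license" \
             /var/opt/fw.boot/modules/fwkern.conf \
             /var/opt/CPsuite-R77/fw1/conf/trac_client_1.ttm; do
        [ -f "$root$f" ] && cp -p "$root$f" "$work/"
    done
    # Whole /var/ace directory: sdconf.rec, sdopts.rec, sdstatus.12, securid.
    [ -d "$root/var/ace" ] && cp -p "$root/var/ace"/* "$work/ace/" 2>/dev/null
    # Live state that exists only on the running member; skipped when the
    # Check Point tools are absent (for example when run against a test tree).
    # The SNMP interface lines must be stripped from the clish output by hand
    # before "load configuration", as step 1 of the procedure notes.
    if command -v clish >/dev/null 2>&1; then
        clish -c "show configuration" > "$work/show-configuration.txt"
    fi
    command -v fw >/dev/null 2>&1 && fw ctl arp > "$work/proxy-arp.txt"
    netstat -rn 2>/dev/null | wc -l > "$work/route-count.txt"
    # Checksums let each restored file be compared against the original member.
    (cd "$work" && find . -type f ! -name MANIFEST -exec cksum {} + | sort) \
        > "$work/MANIFEST"
    tar -cf "$work.tar" -C "$out" "rma-backup-$stamp"
    echo "$work.tar"
}

# Exit 0 only when every file step 5 copies back is inside the tarball; a
# backup missing fwkern.conf would leave the rebuilt member's ClusterXL broken.
check_backup_complete() {
    listing=$(tar -tf "$1")
    for need in cp.license fwkern.conf trac_client_1.ttm ace/sdconf.rec; do
        echo "$listing" | grep -q "/$need\$" \
            || { echo "backup incomplete: $need missing" >&2; return 1; }
    done
    return 0
}
```

Run it on the old member as `tgz=$(collect_rma_backup) && check_backup_complete "$tgz"`; the route count in route-count.txt is the figure step 4 compares after the rebuild.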