IP Address of the Internal Certificate Authority (ICA) of Security Management Server / Domain Management Server is automatically added to Check Point Registry file ($CPDIR/registry/HKLM_registry.data) on Security Gateway when SIC is first established (between Security Gateway and Management Server).
If the IP Address of Security Management Server / Domain Management Server is changed, and SIC is never manually reset (between Security Gateway and Management Server), then the AutoRenewal of the Certificate will fail.
If you are manually changing the IP Address of Security Management Server / Domain Management Server, then follow the procedure below.
- Check Point recommends manually resetting the SIC between the managed Security Gateways and the Management Server, as described in sk65764 - How to reset SIC.
- In a cluster environment, this procedure must be performed on all members of the cluster.
- On VSX there are many registry files, one per VS context. You need to change them all to point to their respective main or target primary CMAs.
You should verify that the new IP Address of Security Management Server / Domain Management Server was correctly configured in the Check Point Registry file on the managed Security Gateways.
Connect to the command line on the relevant Security Gateway.
Login to Expert mode.
Check the Check Point Registry:
[Expert@HostName]# cat $CPDIR/registry/HKLM_registry.data | grep -i -B 5 icaip
Example of the relevant section:
If the :ICAip attribute contains a wrong IP address, then back up and edit the Check Point Registry, and reboot the Security Gateway:
[Expert@HostName]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
[Expert@HostName]# vi $CPDIR/registry/HKLM_registry.data
- For immediate SIC renewal, run:
$CPDIR/bin/sicRenew (you can add the -d flag to see more debug messages)
Note: The IP address that should be set in the registry when changing the IP address of a Security Management behind NAT is the Security Management NAT IP address (external).
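The check-and-edit steps above, as an added shell example that is not part of this sk article or of any Check Point tool: it reads the :ICAip attribute from a registry file, compares it with the expected Management Server IP (the NAT IP if the server sits behind NAT), and rewrites the attribute after taking the _ORIGINAL backup. The registry fragment below is constructed and its layout is an assumption; point REG at $CPDIR/registry/HKLM_registry.data to run it on a gateway, and reboot afterwards as the procedure requires.

```shell
#!/bin/sh
# Path of the registry file to inspect; defaults to a constructed sample.
REG="${REG:-/tmp/HKLM_registry.data.sample}"

# Write a constructed registry fragment (assumed layout, not a real gateway's file).
write_sample() {
cat > "$REG" <<'EOF'
(
    : (SIC
        :ICAState (3)
        :ICAip (192.0.2.10)
        :MySICname ("CN=gw-1,O=mgmt.example..abcdef")
    )
)
EOF
}

# Print the IP address currently stored in the :ICAip attribute.
get_icaip() {
    sed -n 's/^[[:space:]]*:ICAip (\([0-9.]*\)).*/\1/p' "$1"
}

# Return 0 when the stored :ICAip equals the expected Management Server IP.
# For a Management Server behind NAT, pass its external (NAT) IP address.
check_icaip() {
    cur=$(get_icaip "$1")
    [ "$cur" = "$2" ]
}

# Back up the registry file as <file>_ORIGINAL (as in the procedure), replace
# the :ICAip value, and print the value now stored. Reboot the gateway afterwards.
set_icaip() {
    cp -p "$1" "${1}_ORIGINAL"
    sed "s/^\([[:space:]]*:ICAip (\)[0-9.]*)/\1$2)/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    get_icaip "$1"
}

# Stand-alone run: create the sample and report the stored :ICAip (read-only).
if [ ! -f "$REG" ]; then write_sample; fi
echo "Current :ICAip in $REG: $(get_icaip "$REG")"
```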