RMA Do’s and Don’ts for Check Point Firewalls

While reviewing our customers Check Point firewalls I’ve identified a pattern that keeps repeating itself: many issues tend to happen post an RMA.

The pattern that we observe is the following:

1. Two members of a firewall cluster are monitored successfully, alerts being issued, etc.
2. At some point, one member disappears (which indeni issues an alert for, of course).
3. Later, a new machine suddenly appears and is clearly not the old one (different SSH host key, serial number, etc.).
4. This new machine joins the cluster but there is a whole set of configuration issues.

Since this keeps happening again and again, I would like to point out some common mistakes that are made when RMAing a Check Point firewall and installing the replacement device into production .

• Lack-of or wrong licenses – it depends on what licenses you use, but it’s possible that the licenses you had attached to the old device won’t be applicable to the new device. Keep in mind that the out-of-the-box replacement is usually provisioned with a 15-day trial license that will allow all services during that period. Once the trial period passes the device will stop to provide service.  Make sure to run cplic print -x and validate that the licenses are what you expect them to be. Trial licenses will appear as blank output from cplic.
• Device-level configurations missing/mismatching – I highly recommend that you go over each of the following and make sure they are either identical to the other cluster  member or similar (where appropriate):
  • Routing tables (netstat -rn, show route)
  • CoreXL and SecureXL (fw ctl multik stat, fw ctl affinity, fwaccel stat)
  • Any .def and .conf files you may have manually edited, such fwkern.conf, ipassignment.conf, etc.
  • OS-level files, such as /etc/hosts, NTP, DNS, etc.
  • Interfaces (IP addresses, subnet in use, etc.)
• Mismatching Firewall Policy – sounds crazy, but we run into this more than we’d expect. Somehow new devices are added to a cluster while running a different policy to the currently active member. Remember that policy isn’t just the rule base, it’s also the IPS signatures, VPN settings, etc.

While there are many backup solutions out there, including our own, backing up isn’t the entire solution. It is just the first step. A good backup makes sure you have the content you need in order to rebuild the box. However, no backup solution provides you with complete 1-click recovery. So please make sure to go over the above checklist.

Using indeni to identify the above,  as well as hundreds of more possible issues, will  ensure that your next RMA procedure goes flawlessly. For us, it’s all about avoiding outages by pin-pointing issues before they turn critical. It takes less than an hour to install indeni and we’ll be happy to help you do it (contact our support).