When I originally installed FP3 fresh in 2003, it installed a 20-year
certificate. How old is their installation?
Go to http://<smartcenterIP>:18264 and download the root certificate and
look at its characteristics to see if that's what happened.
Ray
From: Sergio Alvarez <seralvar AT GMAIL DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] "fingerprint was changed"
Date: Fri, 27 Oct 2006 09:49:19 -0600
Hello,
I have a customer that experienced an unusual event at the beginning of
this week, at some point he found out it was not possible to get connected
to the SmartCenter from any of the machines they usually use to work with
SmartConsole, because the SC is installed on a Windows 2003 machine, he
decided then to go to the server room and try from the machine itself with
the same results, so he just went ahead and rebooted the machine. All
services came up fine but there was a strange event when trying to get
connected via SmartConsole again, a message came up saying the fingerprint
of the SC had changed and asked to verify the new one.
Searching on the SecureKnowledge I found sk31891, that says this situation
can occur because of the following reasons:
This behaviour is by design. CPD process regenerates the SIC certificate
automatically.
The possible causes for fingerprint change are:
- ICA regenerated (either through corruption or fwm sic_reset).
- Licensing changes.
- IP address or object name of SmartCenter server was changed.
- Internal Certificate past 75% of its lifetime.
The only one of those that makes sense on my customer's environment is the
last one, but the document says nothing about actions that should be taken
after such event occurs.
Given the situation, I think there is nothing we should be concerned about
and I guess the issue will just not occur with regularity but I still feel
it is weird that they had to reboot the SmartCenter for everything to get back
to normal, I would expect for CheckPoint to realize it is usually not that
simple on a production environment and for a situation like the Internal
Certificate reaching 75% of its lifetime, to be resolved in another manner.
Has anyone seen something like this before? Could anybody tell me if
everything here could be considered normal?
Thanks in advance for any comments on this issue.
Regards
--
Sergio Alvarez
(506)8301342
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================