Check Point VPN-1/FireWall-1

Problem with Internal CA after upgrading from 4.1 to NG


AERAsec Network Services and Security GmbH



Platform:  any platform for Next Generation
Product: Check Point Next Generation after upgrade
Problem: After upgrading from Check Point VPN-1 4.1 to Next Generation everything seems ok and working - the objects are there and even the rulebase might install and work.

But creating a certificate for a User or Administrator doesn't work; the result is just an error. The same happens when creating a new Firewall object with VPN-1 Pro installed.

Workaround/Fix:

This problem occurs when an Internal CA was created in version 4.1 with the command fw internalca_create, e.g. to use Hybrid Mode for SecuRemote/SecureClient users. The ICA of version 4.1 isn't compatible with the ICA of NG, and Check Point points out that upgrading it isn't supported.

If you have seen the problem mentioned above, you should redo the upgrade. Before that, you will have to modify the file $FWDIR/conf/objects.C of the version 4.1 installation, after stopping the Firewall with fwstop.

After making a backup of this file, edit it. First of all, find the declaration of your Internal CA. It looks like

:servers (servers
        ...
        : (avir
            ...
        )
        : (MgmtInternalCA
            :color (black)
            :type (ca)
            :comments ("This CA is for use in IKE Hybrid Mode")
            :ca_type (internal)
            :cacertificate ()
            :crl_ldap (false)
            :crl_http (true)
            :dn ("OU=Management,O=AERAsec,C=de")
            :cacertsignkey (961e2b53225a5339e6738684)
        )
    )

You'll have to remove it by changing this part to

:servers (servers
        ...
        : (avir
            ...
        )
    )

Your Internal CA is now "destroyed", but the references to this ICA are still configured in Network Objects such as Firewalls or Users, and they have to be removed manually as well. An example of this modification is given here for a Firewall. The original configuration looks like

:netobj (netobj
        :default Any
        ...
        : (MyFirewall
            ...
            :if-1 (
                :ipaddr (10.10.10.10)
                :netmask (255.255.255.0)
                ...
            )
            :certificates (
                : (my_MgmtInternalCA
                    :dn ("CN=myFirewall,O=aerasec,C=de")
                    :ca (
                        :type (refobj)
                        :refname ("#_MgmtInternalCA")
                    )
                    :serial_num (20)
                    :status (signed)
                    :pkisignkey (a8122ddfed70ba9f51c95d67)
                )
            )
        )

To remove the certificate, this has to be changed to

:netobj (netobj
        :default Any
        ...
        : (MyFirewall
            ...
            :if-1 (
                :ipaddr (10.10.10.10)
                :netmask (255.255.255.0)
                ...
            )
            :certificates ()
        )

You'll have to do this for every object for which a certificate has been created. After saving the modified file $FWDIR/conf/objects.C, make a copy of the modified file as well. Then restart the Firewall with fwstart and install the rulebase again. Have a look at the file $FWDIR/conf/objects.C once more and check that your modification is still in there. If not, you probably didn't stop the Firewall before editing the file (that's why it's good to have a backup of the modified file).
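Doing these edits by hand in a large objects.C is error-prone, so here is an added Python example (not AERAsec's or Check Point's own code) that performs both changes described above: it deletes the ": (MgmtInternalCA ...)" entry from the :servers table and empties every :certificates block that still refers to it via :refname, matching parentheses while skipping quoted strings so that a ")" inside a :comments value cannot throw the match off. The CA object name MgmtInternalCA and the excerpt it runs on are constructed to match the fragments above.

```python
import re

def block_end(text, open_idx):
    # Index just past the ')' closing the '(' at open_idx; "..." strings are skipped.
    depth = 0
    for m in re.finditer(r'"[^"]*"|[()]', text[open_idx:]):
        if m.group() == '(':
            depth += 1
        elif m.group() == ')':
            depth -= 1
            if depth == 0:
                return open_idx + m.end()
    raise ValueError("unbalanced parentheses in objects.C")

def remove_internal_ca(text, ca_name="MgmtInternalCA"):
    # Cut the whole ': (MgmtInternalCA ... )' entry out of the :servers table.
    m = re.search(r'[ \t]*:[ \t]*(\()' + re.escape(ca_name) + r'\s', text)
    if m is None:
        return text
    end = text.find('\n', block_end(text, m.start(1))) + 1 or len(text)
    return text[:m.start()] + text[end:]

def remove_cert_references(text, ca_name="MgmtInternalCA"):
    # Replace each ':certificates ( ... )' block naming "#_<ca_name>" with ':certificates ()'.
    ref, pos, out = '"#_%s"' % ca_name, 0, []
    cert_re = re.compile(r':certificates[ \t]*(\()')
    while (m := cert_re.search(text, pos)) is not None:
        end = block_end(text, m.start(1))
        block = text[m.start():end]
        out += [text[pos:m.start()], ':certificates ()' if ref in block else block]
        pos = end
    return ''.join(out) + text[pos:]

# Constructed objects.C excerpt in the shape of the fragments above (not a real file).
SAMPLE = """\
:servers (servers
    : (MgmtInternalCA
        :comments ("Hybrid Mode CA (4.1)")
    )
)
:netobj (netobj
    : (MyFirewall
        :certificates (
            : (my_MgmtInternalCA
                :ca (:type (refobj) :refname ("#_MgmtInternalCA"))
            )
        )
    )
)
"""
```

Run the two functions in that order over the contents of $FWDIR/conf/objects.C (Firewall stopped, backup taken) and diff the result against the backup before writing it back.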

After these steps, do the upgrade again. On your Management Server running NG you should see all objects and all your rules. Then try to generate a certificate for a User and define a Network Object with VPN-1 Pro installed. It should work now.

Please note that SecuRemote/SecureClient users who use certificates will at least have to make a Topology Update to get the new certificate of the Gateway. And remember, if you have used certificates for users, you will have to renew them because the (old) CA has been removed.



No warranty at all, your Feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last change 2002-11-23