4 Replies Latest reply on Aug 24, 2015 7:41 AM by lnurmi

    Stonegate firewall issue

    scs-dan

Hi All, apologies if this post is in the wrong place. I've just moved to a position at a company and the usual situation has happened: inherited a firewall with no documentation. The product is a Stonegate firewall FW1200 and I only have the credentials for one user, but whenever I try to log in I get the attached error. I'm aware that the version is massively out of date and the product is EOL, but I need access to the rules. We are due to decommission the beast soon, but in the meantime there are a few issues I need to get sorted.


      Thank you for any input, please let me know if there is any further detail that is required.


      firewall issue.png

        • 1. Re: Stonegate firewall issue
          scs-dan

Just to add, this is the error when pressing accept. I've followed these steps but it repeats and comes back to this. The machine with the client on has been restarted and Java updated.


          firewall issue 2.png

          • 2. Re: Stonegate firewall issue
            thyvarin

            Hi,


The warning about the CA is not an error but tells you that the management client doesn't know the CA and thus doesn't trust it. At first login it's normal to see a message like this. Once you accept the fingerprint, next time you won't see the warning. Once you get logged into SMC, you can verify the internal CA fingerprint in "Configuration" --> "Administration" --> "Other Elements" --> "Internal Certificate Authorities" --> open the active CA properties. Please note though that these instructions are for the latest SMC versions 5.9 and 5.8. You are using the very old version 4.3, so the instructions might not apply.


The actual problem is shown in the second screenshot -- the management server certificate expired back in April, and there are even instructions shown in the message. So the first thing you need to do is renew the management certificate. Most likely the log server certificate has also expired and needs to be renewed. To renew the management server certificate, stop the management server process and then run the <smc_home>\bin\sgCertifyMgtSrv.bat script as the message tells you. Once you've renewed the management server certificate, start the management server. Once the management server is running, you should be able to log in, and then you can also renew the log server certificate. First stop the log server service, and then renew the log server certificate by running the <smc_home>\bin\sgCertifyLogSrv.bat script. You'll need SMC superuser credentials to do this, so when your credentials are asked for, use the credentials that you would use when logging into SMC.


            BR,

            Tero

            • 3. Re: Stonegate firewall issue
              scs-dan

              Thanks Tero.


After trying your suggestion above I've got another error. I've stopped the management service and tried to run the script, but then I'm facing this error.


              firewall Management Cert issue.png


I also tried to run the Log Cert script but ran into this as well.

              firewall Log Cert issue.png


Do you know if there is allocation for any further troubleshooting tips or logs for me to look into?


              Thanks.

              • 4. Re: Stonegate firewall issue
                lnurmi

                Hi,


The Log Server re-certification fails since the management server is not running. Why the management re-certification fails you can check from the CERTIFY_MGT_<timestamp>.txt files in the <smc install>/tmp folder.


Based on the version I wouldn't be surprised if the system is over 10 years old; that would mean the CA has expired too. Version 4.3 has no mechanism to renew the CA, so if the CA has expired you'd need to upgrade to version 5.1 or newer and then run the recertify script.


                BR,

                Lauri
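Putting Tero's and Lauri's diagnosis into a small check, as an added example that is not from this thread or from the vendor: it reads the `notAfter=` line that `openssl x509 -noout -enddate` prints for the internal CA and for each server certificate, and reports whether the fix is the re-certification script or, because the CA itself has expired, the upgrade Lauri describes. The openssl output and dates below are constructed; the thread does not say where the certificate files live on an SMC 4.3 host, so those paths are left to the reader.

```python
"""Decide which StoneGate SMC certificate fix applies from openssl's notAfter output."""
import ssl
from datetime import datetime, timezone

# Constructed sample input: what `openssl x509 -noout -subject -enddate -in <file>`
# prints for the internal CA and each server certificate. Dates are made up.
SAMPLE_CA = "subject=CN = StoneGate Internal CA\nnotAfter=Jun  1 00:00:00 2016 GMT\n"
SAMPLE_SERVERS = {
    "management": "subject=CN = Management Server\nnotAfter=Apr 12 09:30:00 2015 GMT\n",
    "log": "subject=CN = Log Server\nnotAfter=Apr 12 09:31:00 2015 GMT\n",
}
# Re-certification script per server under <smc_home>\bin, as named in Tero's reply.
CERTIFY_SCRIPT = {"management": "sgCertifyMgtSrv.bat", "log": "sgCertifyLogSrv.bat"}


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper to build an aware UTC timestamp for 'now'."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_not_after(openssl_output: str) -> datetime:
    """Return the certificate's notAfter timestamp as an aware UTC datetime."""
    for line in openssl_output.splitlines():
        if line.startswith("notAfter="):
            # ssl.cert_time_to_seconds parses OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' format.
            seconds = ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())
            return datetime.fromtimestamp(seconds, tz=timezone.utc)
    raise ValueError("no notAfter= line in openssl output")


def triage(ca_output: str, server_outputs: dict, now: datetime) -> list:
    """Return the actions to take, most blocking first.

    An expired CA is checked first: on SMC 4.3 the certify scripts cannot succeed
    because the CA cannot be renewed, so the upgrade has to come before anything else.
    """
    if parse_not_after(ca_output) <= now:
        return ["CA expired: upgrade SMC to 5.1 or newer, then run the certify scripts"]
    actions = []
    # Management server first: the log server script needs a running management server.
    for name in ("management", "log"):
        if name in server_outputs and parse_not_after(server_outputs[name]) <= now:
            actions.append(f"{name} server certificate expired: stop the service "
                           f"and run <smc_home>\\bin\\{CERTIFY_SCRIPT[name]}")
    return actions or ["all certificates still valid"]


if __name__ == "__main__":
    for action in triage(SAMPLE_CA, SAMPLE_SERVERS, datetime.now(timezone.utc)):
        print(action)
```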