When SecureTrack monitors a Check Point Management Server and its firewalls, an error sometimes appears after Check Point has been upgraded.
The error message shown for the device is "Inconsistent SSL data stored in db for device...".
Before attempting to solve this problem, a backup needs to be done first (!).
A first approach to solve this issue is to renew the certificate of the Check Point Management. This can be done using these steps:
TOS Classic:
Go to Menu > Settings > Administration > Monitoring. Select the device delivering the message and select "Edit configuration". Go through the first steps using "Next". Step 4 asks for the user name and password for the connection to the Check Point Management. Provide these data and press "Establish connection". Doing so replaces the certificate. After going through the remaining steps with "Next", save the modified configuration. This should solve the problem.
TOS Aurora:
Go to Menu > Monitoring > Manage Devices. Select the device delivering the message and select "Edit configuration". Go through the first steps using "Next". Step 4 asks for the user name and password for the connection to the Check Point Management. Provide these data and press "Establish connection". Doing so replaces the certificate. After going through the remaining steps with "Next", save the modified configuration. This should solve the problem.
If the steps shown above don't solve the problem, direct access to the database is necessary. This is officially supported for TOS Classic only. If you need this procedure for Aurora, please contact AERAsec directly.
First, find the Management ID of the problematic Check Point Management device. This can be done via the WebUI or via the CLI with administrative permissions (e.g. as root or using the sudo command). These steps will help:
- # st stat
This command will deliver the Management ID <id> of the device. It's needed in the next steps.
- # psql -Upostgres securetrack -c "select certificate_id from management_certificate where mgmt_id =<id>"
The output should deliver (at least) two certificate IDs (if there is only one, the message would not be shown).
Example for the output:
certificate_id
------------------
6
28
- Now the certificate with the lowest ID (i.e. the oldest certificate; 6 in the example output above) needs to be deleted. This is done with the command:
# psql -Upostgres securetrack -c "delete from management_certificate where mgmt_id = <id> and certificate_id = 6"
DELETE 1
- The corresponding device now needs to be restarted using
# st restart <id>
This procedure should solve the issue. If not, please contact Tufin Support.
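The following helper is an added example, not part of the original article or of TOS. It reads the output of the certificate_id query on stdin and prints the DELETE statement for the lowest ID, so the statement can be reviewed before it is run, and it refuses to act when fewer than two certificates are listed. The function name build_cert_cleanup and the management ID 4 in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build_cert_cleanup is a hypothetical helper, not a TOS command.
# It only prints the DELETE statement; nothing is changed in the database.
build_cert_cleanup() {
    mgmt_id=$1
    # The management ID reported by "st stat" must be a plain number.
    case $mgmt_id in
        ''|*[!0-9]*)
            echo "invalid management ID: $mgmt_id" >&2
            return 2 ;;
    esac
    # Keep only rows holding a single integer; this skips the column
    # header, the dashed ruler and psql's "(N rows)" footer.
    ids=$(awk 'NF == 1 && $1 ~ /^[0-9]+$/ { print $1 }' | sort -n)
    count=$(printf '%s\n' "$ids" | awk 'NF { n++ } END { print n + 0 }')
    # With a single certificate there is nothing inconsistent to remove.
    if [ "$count" -lt 2 ]; then
        echo "mgmt_id $mgmt_id has $count certificate(s); nothing to delete" >&2
        return 1
    fi
    # Numeric sort puts the lowest ID (the oldest certificate) first.
    oldest=$(printf '%s\n' "$ids" | head -n 1)
    printf 'delete from management_certificate where mgmt_id = %s and certificate_id = %s\n' \
        "$mgmt_id" "$oldest"
}

# Constructed sample in the output format shown above (management ID 4 is made up).
# On a real system, pipe the output of the select query into the function instead.
sample=' certificate_id
------------------
 6
 28
(2 rows)'
printf '%s\n' "$sample" | build_cert_cleanup 4
```

The printed statement can then be passed to psql with -c as in the delete step above, once the backup has been taken.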