RE: [FW1] incorrect reply from server (seq or subject mismatch)



I know exactly what you mean man. Yeah what I meant was only keep the last 3
policies in the GUI itself for any one firewall. You know how when you click
"File->Open" in the Policy editor, and you get a big list of all the
policies the management station recognises? Well what I was suggesting was
that you only keep the last 3 policies for any single firewall (or group of
firewalls if you use common policies across multiple firewalls, like in HA
environments), to cut down the size of the .fws file that I suspect is
transferred when you try to save the policy/objects during a policy push.

You can go through that big list in the GUI and "delete" the policies you
don't need - they'll still be stored on the management station, so don't
worry - all that you are doing is removing the policy from the .fws file,
making it smaller and circumventing the GUI timeout problem. If you find
later on that you need to get the management station to re-recognise any of
the "deleted" policies, just drop to a command shell and type "fw fwm -g
policy.W" (this is for NT - I believe unix systems require "fwm -g policy.W"
instead) to force the management station to reapply that policy to the .fws
file.

I'm running several firewalls with over 120 rules with no problems at all
now - when the total size of the .fws grows too large and you can't trim it
any further, you can use the horrible workaround (let's face it, Checkpoint
should just FIX the problem) of waiting till the timeout error message
appears, waiting till the transfer finishes in the background, only then
OKing the error to allow the rest of the transfer to succeed.

Hope this helps,

Scott.

P.S - hope you don't mind me copying the list on this - just in case anyone
else thought my last email wasn't clear enough as well.

-============================-
 Scott McMeekin (x25086)
   Senior Technical Analyst
         IT Telecoms
  The Royal Bank of Scotland
  Phone: +44(0)Email: [email protected]
-============================-

> -----Original Message-----
> From:	Jesus Calvo Hernandez [SMTP:[email protected]]
> Sent:	Tuesday, October 17, 2000 10:43 AM
> To:	McMeekin, Scott
> Subject:	Re: [FW1] incorrect reply from server (seq or subject
> mismatch)
> 
> 
> *** Warning : This message originates from the Internet ***
> 
> Hi Scott
> 
> I do not quite understand what you're telling me about keeping the last
> three policies; in fact I keep many more on the same directory as the
> current one to be pushed, but the problem always appears and I have to
> retry pushing the policy twice or even more times until I get lucky enough
> to install it properly.
> 
> In my case all our firewall modules are either on the same lan or at the
> opposite side of a frame relay link, so no link bandwidth problem is to be
> considered. Even worse, the problem arises mainly in the firewall module on
> the same lan as the management console ????? I must say that my rulebase has
> got 125 rules, which is a lot, I know, but we have got that number of
> connections and any attempt to optimize/reduce it has been in vain so far.
> 
> So I might think that the problem arises and increases with the number of
> rules on the rulebase. But can it be solved anyhow?
> 
> Thanks for your help in advance and best regards
> 
> Jesus Calvo
> 
> 
> ----- Original Message -----
> From: "McMeekin, Scott" <[email protected]>
> To: "'Jesus Calvo Hernandez'" <[email protected]>;
> <[email protected]>
> Sent: Tuesday, October 17, 2000 12:57 PM
> Subject: RE: [FW1] incorrect reply from server (seq or subject mismatch)
> 
> 
> This is an interesting one I've been wrestling with for some time. The
> management server doesn't store the rulebases separately (well it does
> actually, as .W files, but the firewall software processes these into a
> combined .fws file). When the .fws file becomes too large, some kind of
> hard coded limit within the GUI software appears to kick in and you get
> timeouts and the error you mentioned. Sometimes policy pushes from the GUI
> will fail as a result.
> 
> What I've worked out (and to be fair, phoneboy's had a resolution for this
> for ages) is that if I keep about the last three policy saves for each
> firewall, I have enough copies to be able to back out the last few
> changes, and the problem appears to go away. Having said that, these days
> I have a lot more firewalls, and the problem came back (especially when
> doing policy pushes remotely over a modem link). The workaround I use is
> this: when pushing a policy and you get a timeout, watch the modem lights -
> don't OK the message till the activity has stopped. I believe this gives
> the GUI enough time to finish saving the rules/objects etc. When you're
> happy the activity has stopped, OK the error dialog and it'll work fine.
> 
> Until Checkpoint get their finger out and fix this it'll continue to
> blight an otherwise superb product. What I can't understand is the fact
> that this problem has been in the GUI software for over a year now.
> *grumble*
> 
> Scott.
> 
> > -----Original Message-----
> > From: Jesus Calvo Hernandez [SMTP:[email protected]]
> > Sent: Monday, October 16, 2000 7:00 PM
> > To: [email protected]
> > Subject: [FW1] incorrect reply from server (seq or subject mismatch)
> >
> >
> > Hi all
> >
> > From some time ago I've been seeing this message at compiling/installing
> > a policy on my firewall module. It happened when I had only one machine
> > for management and firewall, so I thought it was a load problem. Some time
> > after I upgraded my firewall system (now I've got two machines: one
> > manager and one firewall module) and then it began working fine again for
> > some time.
> >
> > Now that the number of rules has grown I'm watching this blooded message
> > again. I think that it can be a problem of load in the firewall module,
> > which is very busy when I try to push the policy from the management
> > console and it does not accept more load.
> >
> > Has anyone ever encountered this problem?
> >
> > If so, has anyone ever resolved it? How can the machine be hardened if it
> > is a load problem?
> >
> > Regards and thanks in advance
> 

