Re: [FW1] Create master rulebase from local
Christine,

My apologies. I misunderstood what you meant by local.

To attempt a reversal would be painful. If you have many firewalls, and they each protected different networks, then the rules.C files would be different. You probably could bring your world back together, but it would take some work.

The differences between the object files are slight. On mine, I found that a section was included on the management station, but was empty on the firewall. It took me a moment, but the reason this section:

:resourcesobj (resourcesobj)

was on the fw station object.C, was because at one point I was experimenting with SMTP MIME stripping, but never created a rule for it. So the mgt station has the definition and the fw doesn't need it. Maybe for efficiency??

The rules.C are the actual rules on the fw. If you have a rulebase and some rules have an "Install On" target that is different, then the fw will only receive the rules applicable to it.

Your best bet is to get a regular backup of the firewall rulebase et al. To protect yourself see:
http://www.phoneboy.com/fw1/faq/0196.html

You can use the following to move a mgt console to another system. See:
http://www.phoneboy.com/fw1/faq/0397.html

Robert

>>> Christine Tran <[email protected]> 11/16/00 7:39:27 PM >>>
"Robert MacDonald" <[email protected]> wrote:

>Date: Thu, 16 Nov 2000 12:45:04 -0500
>Do this.
>
>Start the GUI on your system. In the management server
>field type *local and give any old username and password
>you would like. Press enter.
>
>Voila (extent of my French) you're in a local copy of a firewall
>policy. This allows you to play, play, play...err test, test, test.
>
>You can copy your real policy and objects to your local
>system and play with them. I don't have those off hand, see
>phoneboy. Make a copy of the local just in case.
>
>Is this what you wanted to know?

Uhh... what's that saying, knowledge is the slow realization of the magnitude of one's ignorance? I've never played with *local. What's *local?
I just loaded a fresh version of 4.1, nothing's on there yet. Fire up the GUI, connect to localhost and I get a clean slate, nothing written yet. Connect to *local and I get some funky demo-like rulebase; next to the tabs for Security & NAT policy I also get tabs for Bandwidth & Compression Policy, none of which I installed. Where did the GUI get this? The state directory where all the local.* are kept is empty.

Anyway, you've diverted me from the original question. Which was, if one day we reap the IT equivalent of karmic retribution & the management server falls over for good, can I recreate its objects.C and all the rulebase from what's on the firewalls? (They are different boxes.) As far as I know, the firewall keeps a copy of the last good policy installed, in state/local.fc, state/local.objects, etc. There is also a rules.C and objects.C in the firewall's $FWDIR/database directory. Do I have enough?

Usual way: master objects.C + rules.W => rules.pf => rules.fc

Can I go backward? local.fc + local.rules.C + local.objects.C => rules.W

What's the difference between the firewall copy of objects.C & the master copy of objects.C? What's rules.C for?? This question is killing me!!

CT

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
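Robert compared his management-station objects.C against the copy on the firewall by eye and found an extra :resourcesobj entry. The following is an added example, not code from the thread or from Check Point: a small Python parser for the FW-1 ".C" text format that reports, section by section, where two such files differ. It assumes the FW-1 4.x layout of one outer parenthesised list of `:name (value)` pairs, where a value is an atom, a "quoted string", or a nested list of pairs optionally led by a table label (as in `:netobj (netobj ...)`); unnamed `: (...)` entries such as rules.C uses are kept under the key `_`. The two sample objects.C texts, the object names and the addresses in them are constructed for illustration.

```python
"""Section-by-section diff of two Check Point FW-1 '.C' files.

Added example; not code from the mailing-list thread or from Check Point.
It assumes the classic FW-1 4.x text layout: one outer parenthesised list
of ':name (value)' pairs, where a value is an atom, a "quoted string", or a
nested list of pairs optionally led by a table label, e.g.
':netobj (netobj :fw (...) )'. Unnamed entries (': (...)', as in rules.C)
are kept under the key '_'. The two sample files below are constructed.
"""
import re

# A token is a quoted string, a paren, a ':key' (possibly a bare ':'), or an atom.
TOKEN = re.compile(r'"[^"]*"|[()]|:[A-Za-z0-9_.-]*|[^\s()]+')


def parse_c(text):
    """Parse a .C document into nested dicts; scalars become str, sequences list."""
    tokens = TOKEN.findall(text)
    pos = 0

    def parse_value():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok != '(':
            return tok.strip('"')
        node, atoms = {}, []
        while pos < len(tokens) and tokens[pos] != ')':
            tok = tokens[pos]
            if tok.startswith(':'):
                pos += 1
                key = tok[1:] or '_'          # ': (' unnamed entry
                node.setdefault(key, []).append(parse_value())
            else:
                pos += 1
                atoms.append(tok.strip('"'))   # table label or list element
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        pos += 1                               # consume ')'
        if node:                               # a table: drop its label atom
            return {k: v[0] if len(v) == 1 else v for k, v in node.items()}
        if len(atoms) == 1:                    # '(value)' scalar, or an empty table
            return atoms[0]
        return atoms

    if not tokens:
        return {}
    return parse_value()


def diff_c(a, b, path=''):
    """Return [(path, description)] for every point where two parsed trees differ."""
    out = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            sub = f'{path}:{key}'
            if key not in a:
                out.append((sub, 'only in second'))
            elif key not in b:
                out.append((sub, 'only in first'))
            else:
                out.extend(diff_c(a[key], b[key], sub))
    elif a != b:
        out.append((path, f'changed: {a!r} -> {b!r}'))
    return out


def compare_files(text_a, text_b):
    """Parse both .C texts and report their differences (first vs second)."""
    return diff_c(parse_c(text_a), parse_c(text_b))


# Constructed sample: the management station's objects.C ...
MGMT_OBJECTS = """
(
\t:anyobj (anyobj
\t\t:AnyObj (
\t\t\t:type (any)
\t\t)
\t)
\t:netobj (netobj
\t\t:fw-gw (
\t\t\t:type (gateway)
\t\t\t:ipaddr (192.0.2.1)
\t\t\t:color (blue)
\t\t)
\t\t:lan (
\t\t\t:type (network)
\t\t\t:ipaddr (10.1.0.0)
\t\t\t:netmask (255.255.0.0)
\t\t)
\t)
\t:resourcesobj (resourcesobj
\t\t:smtp_strip (
\t\t\t:type (smtp)
\t\t\t:strip_mime ("application/x-msdownload")
\t\t)
\t)
)
"""

# ... and the copy pushed to the firewall, which carries an empty
# resourcesobj table (no rule used the SMTP resource) and no colour attribute.
FW_OBJECTS = MGMT_OBJECTS.replace(
    '\t:resourcesobj (resourcesobj\n\t\t:smtp_strip (\n\t\t\t:type (smtp)\n'
    '\t\t\t:strip_mime ("application/x-msdownload")\n\t\t)\n\t)\n',
    '\t:resourcesobj (resourcesobj)\n').replace('\t\t\t:color (blue)\n', '')

if __name__ == '__main__':
    for path, what in compare_files(MGMT_OBJECTS, FW_OBJECTS):
        print(f'{path}: {what}')
```

Run against the two constructed files it reports `:netobj:fw-gw:color` as present only in the management copy and `:resourcesobj` as changed from a populated table to the bare label. Pointing `compare_files` at a real management objects.C and the firewall's $FWDIR/database/objects.C gives the same kind of listing, which is the quickest way to see what would be lost if the firewall copies were all that survived.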