Re: [FW1] RE: Problem Fetching Security Policy
Good Lord, Chris, BE CAREFUL!!!! - Ha ha, got your attention, didn't I?

Please be very careful when making those changes to the control.map. The Black Hat Briefings used just such a misconfigured control.map to install policy from an alternate management station using simple address spoofing.

The issue is not encryption or not, because from 4.0 SP5 and 4.1 SP0, fwa and fwa1 will work with or without an encryption license. The source of the problem is more likely the hostname/IP address combination on the Nokia box. In previous versions of code (haven't done this for about 10 months) the Nokia would use the source IP address that correlates to its own hostname, so in an example

    10.1.1.5(FWMGT)----------10.1.1.5(FWMODULE)38.100.240.5

the firewall will talk on the interface closest to the module (all platforms), but if the hosts file on the appliance says "38.100.240.5 FWMODULE" the authentication process can fail.

First validate the proper relative addresses in clients and masters, and in the worst case, set console scrolling on and issue

    fw load -d policyname.W FWMODULEip

Look for the line that says "Actual authentication I would perform is" and look just above this. Your error message and solution will be right there.

Paranoidly yours,
CryptoTech

Chris Arnold wrote:
> Never mind. I figured it out. I added the IP addresses with no putkey
> authentication to $FWDIR/lib/control.map and all seems well.
>
> Chris
>
> -----Original Message-----
> From: Chris Arnold
> Sent: Tuesday, December 05, 2000 12:09 AM
> To: Firewall_Mailing_List (E-mail)
> Subject: Problem Fetching Security Policy
>
> Hello, all. I'm setting up a couple of Nokias (IPSO 3.2.1) with FW-1 (v4.1
> SP2) and have run into a snag. I have an existing FW and enterprise
> management console running on Solaris (10.1.1.1). I want to manage the
> Nokias from this console.
>
> When I start the FW on the Nokia the messages are:
>
> fw1[admin]# fwstart
> FireWall-1: Loading kernel module...
> FW-1: Driver installed
> Module loaded as ID 0
> FireWall-1: Starting fwd
> FireWall-1: Starting snmpd
> snmpd: Opening port(s):
> Port 260 binded successfully
> SNMPD: server running
>
> FireWall-1: Fetching Security Policy from 10.1.1.1
> Trying to fetch Security Policy from 10.1.1.1:
> Authentication for command fetch failed
> Fetching Security Policy from 10.1.1.1 failed
>
> FW-1: fetch failed status 1
> IP forwarding has been disabled.
> Use ipsofwd to enable forwarding.
> FireWall-1 started
> fw1[admin]#
>
> I did a "putkey -p my-password 10.1.1.1" on the Nokia (the EMC is reachable)
> and restarted the FW.
> I did a "putkey -p my-password 10.1.2.1" on the EMC (the Nokia is reachable)
> and restarted the FW.
> I added */none to both the CLIENT and SERVER defs of $FWDIR/lib/control.map
> on both machines for testing purposes.
>
> The only thing I can think of is the fact that there is no encryption module
> license on the EMC yet. I also noticed that I can't get any of the
> interfaces listed on the Nokia within the Windows policy editor like I can
> under Solaris. Any thoughts?
>
> Thanks,
>
> Chris
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
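An added example, not part of the original thread and not Check Point's code, that turns the two points in the reply into a check you can run offline against copies of a module's control.map and hosts file: it flags every entry that admits a peer with method "none" (the `*/none` lines Chris added), and it compares the address the module's own hostname resolves to with the interface that actually faces the management station, which is the mismatch the reply describes. The control.map layout it parses (`ROLE: host/method ...`), the comment handling, the sample files, the addresses, the interface list and the hostname FWMODULE are all constructed for the example; real files may contain keywords this simplified parser does not know.

```python
"""Audit a FireWall-1 4.x module for the two failure modes in the thread:
a control.map that accepts unauthenticated peers, and a hostname that
resolves to the wrong interface address in /etc/hosts.

Added example, not Check Point code.  Assumed (simplified) formats:
  control.map:  ROLE: host/method host/method ...   (ROLE in MASTERS,
                CLIENT, SERVER; host is an IP or '*'; method such as
                none, fwn1, fwa1).  Real files may carry other keywords.
  /etc/hosts:   ip name [alias ...]
The module is assumed to source control connections from the address its
own hostname resolves to (the behaviour the reply describes).
"""
import ipaddress

UNAUTH_METHODS = {"none"}


def parse_control_map(text):
    """Return {ROLE: [(host, method), ...]} from control.map text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line or ":" not in line:
            continue
        role, rest = line.split(":", 1)
        pairs = []
        for tok in rest.split():
            host, _, method = tok.partition("/")
            # a token with no method is treated as 'none' so it gets flagged
            pairs.append((host, method.lower() or "none"))
        entries.setdefault(role.strip().upper(), []).extend(pairs)
    return entries


def audit_control_map(entries):
    """Findings for every entry that lets a peer in with no authentication."""
    findings = []
    for role, pairs in entries.items():
        for host, method in pairs:
            if method in UNAUTH_METHODS:
                scope = "any host (*)" if host == "*" else host
                findings.append(f"{role}: {scope} allowed with method '{method}'; "
                                "a spoofed peer could push or fetch policy")
    return findings


def parse_hosts(text):
    """Return {name_lower: ip} from /etc/hosts text (first mapping wins)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def check_hostname_binding(hostname, hosts_text, local_ifaces, mgmt_ip):
    """Compare the address the hostname resolves to with the interface that
    faces the management station.  local_ifaces are 'ip/prefix' strings."""
    bound = parse_hosts(hosts_text).get(hostname.lower())
    mgmt = ipaddress.ip_address(mgmt_ip)
    facing = next((str(i.ip) for i in map(ipaddress.ip_interface, local_ifaces)
                   if mgmt in i.network), None)
    if bound is None:
        reason = f"{hostname} is not in the hosts file"
    elif facing is None:
        reason = f"{mgmt_ip} is not on a directly connected subnet; cannot tell"
    elif bound == facing:
        reason = "hostname resolves to the interface facing the management station"
    else:
        reason = (f"hostname resolves to {bound}, but {mgmt_ip} is reached via "
                  f"{facing}; the management station will see the wrong source address")
    return {"bound": bound, "facing": facing,
            "ok": bound is not None and bound == facing, "reason": reason}


# Constructed samples modelled on the thread's topology (not real configs).
CONTROL_MAP_WEAK = """\
MASTERS: */fwa1
CLIENT:  10.1.1.1/fwa1 */none
SERVER:  */none
"""
CONTROL_MAP_FIXED = """\
MASTERS: 10.1.1.1/fwa1
CLIENT:  10.1.1.1/fwa1
SERVER:  10.1.1.1/fwa1
"""
HOSTS_BAD = """\
127.0.0.1     localhost
38.100.240.5  FWMODULE      # external address listed for the module's own name
10.1.1.5      fwmodule-int
"""
HOSTS_GOOD = """\
127.0.0.1     localhost
10.1.1.5      FWMODULE      # internal address, facing the management station
38.100.240.5  fwmodule-ext
"""
MODULE_IFACES = ["10.1.1.5/24", "38.100.240.5/24"]   # assumed module interfaces
MGMT_IP = "10.1.1.1"                                 # management station

if __name__ == "__main__":
    for label, cm in (("weak", CONTROL_MAP_WEAK), ("fixed", CONTROL_MAP_FIXED)):
        print(f"control.map ({label}):",
              audit_control_map(parse_control_map(cm)) or "clean")
    for label, h in (("bad", HOSTS_BAD), ("good", HOSTS_GOOD)):
        r = check_hostname_binding("FWMODULE", h, MODULE_IFACES, MGMT_IP)
        print(f"hosts ({label}):", r["reason"])
```

The hostname check deliberately reports "cannot tell" when the management station is not on a directly connected subnet, because then the source address depends on the routing table rather than on the interface list; in that case the `fw load -d` trace the reply recommends is still the authoritative answer.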