Re: [FW1] RE: Problem Fetching Security Policy



Good Lord, Chris,
BE CAREFUL!!!!  -  Ha ha, got your attention, didn't I.  Please be very careful when
making those changes to the control.map.
The black hat briefings used just such a misconfigured control.map to install policy
from an alternate management station using simple address spoofing.

The issue is not encryption or no, because from 4.0 sp5 and 4.1 sp0, fwa and fwa1
will work with or without an encryption license.  The source of the problem is more
likely the hostname/ip address combination on the nokia box.  In previous versions
of code (haven't done this for about 10 months), the nokia would use the source ip
address that correlates to its own hostname, so in an example

10.1.1.5(FWMGT)----------10.1.1.5(FWMODULE)38.100.240.5

Firewall will talk on the interface closest to the module(all platforms), but if the
hosts file on the appliance says
38.100.240.5    FWMODULE
the authentication process can fail.  First validate the proper relative addresses
in clients and masters, and in worst case, set the console scrolling on and issue an
fw load -d policyname.W FWMODULEip
Look for the line that says "Actual authentication I would perform is" and look just
above this.  Your error message and solution will be right there.

Paranoidly yours,
CryptoTech

Chris Arnold wrote:

> Never mind.  I figured it out.  I added the IP addresses with no putkey
> authentication to $FWDIR/lib/control.map and all seems well.
>
> Chris
>
> -----Original Message-----
> From: Chris Arnold
> Sent: Tuesday, December 05, 2000 12:09 AM
> To: Firewall_Mailing_List (E-mail)
> Subject: Problem Fetching Security Policy
>
> Hello, all.  I'm setting up a couple of Nokias (IPSO 3.2.1) with FW-1 (v4.1
> SP2) and have run into a snag.  I have an existing FW and enterprise
> management console running on Solaris (10.1.1.1).  I want to manage the
> Nokias from this console.
>
> When I start the FW on the Nokia the messages are:
>
> fw1[admin]# fwstart
> FireWall-1: Loading kernel module...
> FW-1: Driver installed
> Module loaded as ID 0
> FireWall-1: Starting fwd
> FireWall-1: Starting snmpd
> snmpd: Opening port(s):
>         Port 260 binded successfully
> SNMPD: server running
>
> FireWall-1: Fetching Security Policy from 10.1.1.1
> Trying to fetch Security Policy from 10.1.1.1:
> Authentication for command fetch failed
> Fetching Security Policy from 10.1.1.1 failed
>
> FW-1: fetch failed status 1
> IP forwarding has been disabled.
> Use ipsofwd to enable forwarding.
> FireWall-1 started
> fw1[admin]#
>
> I did a "putkey -p my-password 10.1.1.1" on the Nokia (the EMC is reachable)
> and restarted the FW.
> I did a "putkey -p my-password 10.1.2.1" on the EMC (the Nokia is reachable)
> and restarted the FW.
> I added */none to both the CLIENT and SERVER defs of $FWDIR/lib/control.map
> on both machines for testing purposes.
>
> The only thing I can think of is the fact that there is no encryption module
> license on the EMC yet.  I also noticed that I can't get any of the
> interfaces listed on the Nokia within the Windows policy editor like I can
> under Solaris.  Any thoughts?
>
> Thanks,
>
> Chris
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
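
As an added illustration of the two checks in the reply above (not code from either poster), a Python sketch that flags a hosts-file entry whose address is not the interface facing the management station, and lists control.map entries that accept peers with no putkey authentication; the hosts and interface values are constructed, and the "/none" matching assumes the entry format quoted in Chris's message.

```python
import ipaddress

def parse_hosts(hosts_text):
    """Map each hostname in hosts(5)-style text to the first address listed for it."""
    names = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *aliases = line.split()
        for name in aliases:
            names.setdefault(name.lower(), ipaddress.ip_address(addr))
    return names

def facing_interface(interfaces, peer):
    """Return the local interface address on the same subnet as peer, or None."""
    peer = ipaddress.ip_address(peer)
    for iface in interfaces:
        net = ipaddress.ip_interface(iface)
        if peer in net.network:
            return net.ip
    return None

def check_module_identity(hosts_text, hostname, interfaces, mgmt_ip):
    """Compare the address the module's own hostname resolves to (hosts file)
    with the interface that faces the management station; a mismatch is the
    failure mode described in the reply. Returns (ok, hosts_ip, expected_ip)."""
    hosts_ip = parse_hosts(hosts_text).get(hostname.lower())
    expected = facing_interface(interfaces, mgmt_ip)
    ok = hosts_ip is not None and expected is not None and hosts_ip == expected
    return ok, hosts_ip, expected

def unauthenticated_entries(control_map_text):
    """control.map lines that admit a peer with no putkey authentication.
    Assumes '<host>/none' style entries as in the quoted message."""
    return [ln.strip() for ln in control_map_text.splitlines()
            if "/none" in ln and not ln.strip().startswith("#")]

# Constructed sample mirroring the reply: hostname points at the far-side address.
HOSTS = "127.0.0.1 localhost\n38.100.240.5 FWMODULE\n"
INTERFACES = ["10.1.1.5/24", "38.100.240.5/24"]
MGMT = "10.1.1.1"
CONTROL_MAP = "# constructed sample\nCLIENT: */none\nSERVER: */fwa\n"

if __name__ == "__main__":
    ok, got, want = check_module_identity(HOSTS, "FWMODULE", INTERFACES, MGMT)
    print("hosts ok" if ok else f"hosts mismatch: {got}, expected {want}")
    print("unauthenticated control.map entries:", unauthenticated_entries(CONTROL_MAP))
```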
