Re: [FW1] Rule Installation Problem
Jeff: I had this problem once and to fix it, I had to clear out the "state" directory and push out the rulebase again. I'll try to provide more details.

In my environment, the routing is extremely complex. We have what is known as a Multiple Entry Point network - there are numerous Internet connections and we always have issues with asymmetric routing - a packet comes in one firewall, and tries to go out another one (so it gets dropped because it's not in the state table). Now our firewall management server sits on a management network, along with DNS servers, HP OpenView servers, etc. Each firewall gateway has numerous interfaces. The external interface has an IP address that is routable - 205..xx.xx. The internal interface is something like 10.1.1.1.

When we were setting up this network, sometimes we would push the policy out (from the UNIX command line) to the 10.1.1.1 address, and other times we would use the GUI to push it out to the 205..xx.xx address, which is the IP address used in the General Tab of the network object definition for the remote gateway. What we found was that the firewall would get confused about which policy to grab when it was stopped and restarted. If you look in the /etc/fw/state directory, you'll see a bunch of files created when you push out a policy. Because we sometimes used the 206 address, and other times used the 10.1.1.1 address, the state directory on the management server had a set of files associated with both IP addresses and the remote firewall got confused about which policy to load from the management station.

What we did to fix this was to go into /etc/fw/state and delete everything (well, we were more conservative and we just moved everything into a temporary directory for later deletion). We had to do this both on the management server and the remote firewalled gateway. After the /etc/fw/state directory was empty on both management server and remote gateway, we pushed a policy out and the problem went away.
I had contacted Checkpoint Tech Support, but they were clueless. The engineer assured me that this scenario was absolutely impossible and that we had nothing to worry about (thank goodness we sprung for that Gold Support). He did not understand the fundamentals of how files are created in the state directory and how gateways determine what ruleset to load when they fetch it from the management station. So I figured it out myself, and now pass this on to you in hopes that it will help you out of your situation.

Hope this helps.

Joel

At 11:34 AM 2/9/01 -0800, Jeffrey Zabel wrote:

> I'm having a problem modifying rules then reinstalling them. What happens
> is I modify the rule set and reinstall it; visually I see the new rules,
> BUT in actuality the old rules are still applying. My question is how do I
> force the newly created rule set in over the old? It has worked properly
> for a long time. This issue just arrived this morning. PLEASE HELP.
>
> THX,
> Jeff

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
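The conservative variant of the fix described in Joel's message (move the contents of the state directory aside instead of deleting them, on both the management server and the gateway, then push the policy again), written up as an added shell example that is not part of the original thread. It assumes the state directory path is passed in (defaulting to /etc/fw/state, the path named in the post), treats the file names inside it as opaque, and uses a hypothetical holding location under /var/tmp for the moved files so they can be restored if the re-push does not go as planned.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: quarantine the contents of
# a FireWall-1 state directory into a timestamped holding directory rather
# than deleting them, so the policy push can be retried and the old files
# can still be put back. Run on the management server and on each gateway.
#
# Assumptions (not stated in the original): $1 is the state directory
# (default /etc/fw/state), $2 is the parent of the holding directory
# (default /var/tmp, a hypothetical choice); file names are not interpreted.

# Move every entry in the state directory into <hold_root>/fw-state-<stamp>
# and print the holding directory path. Returns 1 on any failure.
quarantine_state() {
    state_dir=${1:-/etc/fw/state}
    hold_root=${2:-/var/tmp}
    stamp=$(date +%Y%m%d%H%M%S)
    hold_dir="$hold_root/fw-state-$stamp"

    if [ ! -d "$state_dir" ]; then
        echo "no such directory: $state_dir" >&2
        return 1
    fi
    mkdir -p "$hold_dir" || return 1

    # Move the entries, not the directory itself, so the (now empty)
    # state directory remains in place for the next policy push.
    for f in "$state_dir"/* "$state_dir"/.[!.]*; do
        [ -e "$f" ] || continue
        mv "$f" "$hold_dir"/ || return 1
    done
    echo "$hold_dir"
}

# Count the entries (including dotfiles) in a directory; 0 means the
# state directory is clean and a fresh policy can be pushed.
count_entries() {
    n=0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Typical use on each host (commented out so the script is safe to source):
# hold=$(quarantine_state /etc/fw/state /var/tmp) && \
#     echo "moved $(count_entries "$hold") entries to $hold; now re-push policy"
```

Check that `count_entries` reports 0 for the state directory on both hosts before pushing the policy; once the new policy is loaded and verified, the holding directory can be removed.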