
Re: [FW1] Error message when compiling a policy - S/Key and FWA1



Sure Jonathan,
In early releases of Firewall-1 (fw 4.0 sp4 and back) you could not use fwa1 session
encryption if your enforcement point did not have a vpn(something) string.  This was
changed in 4.0 sp5 and anything later.  If the other box does not give the error,
then chances are someone has hacked at the control.map file (a common nokia
recommendation, but serious mistake.)  Your skey failure may be related to how the
box sees itself.

On the nokia platform when doing skey authentication, the nokia box will force its
communications with management to have keys with the ip address referenced by the
local hostname.  So if you had a box with 200.1.1.1 outside, 10.1.1.1 inside, and
management 10.1.1.2 -- and the hostname on the nokia box reflected the external ip
address, then skey transfers would fail because the nokia would insist that it was
NOT 10.1.1.1, but only 10.1.1.2

Solutions:
- Get a vpn license
- Upgrade to 4.0 sp5 or higher
- Change the hostname through the voyager interface to reflect the ip address of the
  nic closest to the management station.  Do not change any firewall objects within
  the gui as this could cause some serious problems.

CryptoTech

[email protected] wrote:

> Hi Everyone,
>
> I have recently taken over a few Firewalls and was met with a (ghastly!) error
> message when I tried to install a policy for the first time. I hope someone can
> point me in the right direction......
>
> The error message is.....
>
> Installing Security policy C:winnt/blah on NokData1
> succeeded - (phew!)
>
> Installing Security policy C:winnt/blah on NokData2
> Warning: Using S/Key Authentication instead of FWA1: No encryption license
> Authentication for command load failed
> Failed to install security policy :Unauthorised action
>
> I've checked the license and it looks fine.
> I have found reference to this message on Phoneboy at:
> http://www.phoneboy.com/fw1/faq/0036.html but this refers to the warning message
> on startup instead of when pushing the policy.
>
> My setup is 2 Nokia440's on FW1 4.0 SP3 with VRRP and NT4 SP5 Management Module.
>
> Hope someone has an idea,
>
> Regards,
>
> Jonathan
>
> Jonathan Jackson
> Network Security Analyst
> AMP Group
> London
> Tel +44> email: [email protected]
>
>   ___________________________________________________________________________
> The information contained in this e-mail is confidential and may be legally
> privileged.  It is intended solely for the use of the individual or entity to
> whom it is addressed and others explicitly authorised to receive it.  If you
> have received this e-mail in error, please destroy it and delete it from your
> computer.  Any disclosure, copying or distribution of the information is
> strictly prohibited and may be unlawful.  No responsibility can be accepted to
> any end users for any action taken on the basis of the information.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
> ================================================================================
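
A check for the hostname condition described in the reply above, added here as an example and not part of the original thread or of any Check Point or Nokia tooling. It assumes /24 masks, treats "closest to the management station" as "on the same subnet as it", and uses hosts-format text as a stand-in for however the box maps its hostname to an address; the sample mappings are constructed from the addresses in the reply.

```python
import ipaddress

def resolve_from_hosts(hostname, hosts_text):
    """Return the first address a hosts-format text maps to hostname, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and hostname.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None

def management_facing_ip(interfaces, mgmt_ip):
    """Return the local address whose subnet contains the management station, or None."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if mgmt in iface.network:
            return str(iface.ip)
    return None

def check_hostname_binding(hostname, hosts_text, interfaces, mgmt_ip):
    """Compare the address the hostname maps to with the management-facing interface."""
    resolved = resolve_from_hosts(hostname, hosts_text)
    expected = management_facing_ip(interfaces, mgmt_ip)
    if resolved is None:
        status = "unresolved"
    elif expected is None:
        # Management is behind a router; the subnet test cannot pick an interface.
        status = "management-not-directly-connected"
    elif ipaddress.ip_address(resolved) == ipaddress.ip_address(expected):
        status = "ok"
    else:
        status = "mismatch"
    return status, resolved, expected

# Constructed sample data: addresses from the reply, masks assumed to be /24.
INTERFACES = ["200.1.1.1/24", "10.1.1.1/24"]
MGMT = "10.1.1.2"
HOSTS_EXTERNAL = "127.0.0.1 localhost\n200.1.1.1 NokData2  # hostname on outside address\n"
HOSTS_INTERNAL = "127.0.0.1 localhost\n10.1.1.1 NokData2\n"

if __name__ == "__main__":
    for label, hosts in (("external", HOSTS_EXTERNAL), ("internal", HOSTS_INTERNAL)):
        print(label, check_hostname_binding("NokData2", hosts, INTERFACES, MGMT))
```

A "mismatch" result corresponds to the case the reply says makes S/Key transfers fail, and "ok" to the state after the hostname is changed through Voyager.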


