
Re: [FW1] Error message when compiling a policy - S/Key and FWA1



First, the firewall's hostname should always reflect the IP address that it is
licensed for.  While this may not cause any immediate dysfunction, it will
in the future when you at any point try to establish VPNs or do SecuRemote.
The error that you are seeing is reflective of a firewall that you are trying
to push a policy to that includes encryption rules when the firewall itself is
not licensed for encryption.  I do agree that your options would be to
acquire a license that will allow you to do encryption; however, upgrading
without the encryption license will leave you right where you started.  One
other point is that the first and most important step to successfully setting
up your firewall as an enforcement point is that the following should always be followed:

1. When you create the object you should have the ability to click on Get and
   have the firewall resolve its own IP address.  Its inability to do this will
   cause you inconceivable headaches in the future.
2. Three things should always be in sync: your firewall's hostname, the hostname
   tied to the external IP through Voyager, and the hostname/IP address of the
   object within the GUI.

If you don't have this synchronization from inception, you're surely headed for
trouble down the road.

Just .02 cents and my experience as a Security Engineer.

Juan Concepcion
CCSA/CCSE
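A consistency check in the spirit of the advice above, added here as an example and not code from anyone in this thread. It verifies that the box's hostname resolves, that the resolved address sits on a local interface, and that it matches whatever address the administrator has decided the hostname must reflect (the licensed IP per Juan, or the NIC facing the management station per CryptoTech below). The live mode assumes Linux-style `hostname`, `getent` and `ip` tools.

```shell
#!/bin/sh
# Added example (not from the original posters): hostname / interface / expected-address
# sync check for a firewall enforcement point.

# check_sync NAME RESOLVED_IP "LOCAL_ADDRS" EXPECTED_IP
#   LOCAL_ADDRS is a space-separated list of addresses configured on the box.
#   EXPECTED_IP may be empty to skip that comparison.
#   Prints one line per finding; returns 0 only when everything agrees.
check_sync() {
    name="$1"; resolved="$2"; local_addrs="$3"; expected="$4"
    status=0
    if [ -z "$resolved" ]; then
        echo "FAIL: hostname '$name' does not resolve; Get on the firewall object will fail too"
        return 1
    fi
    found=0
    for a in $local_addrs; do
        [ "$a" = "$resolved" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: $name resolves to $resolved, which is not on any local interface"
        status=1
    fi
    if [ -n "$expected" ] && [ "$expected" != "$resolved" ]; then
        echo "FAIL: $name resolves to $resolved but $expected was expected"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $name, interface address and expected address agree on $resolved"
    return "$status"
}

# Live helpers (assumed Linux tooling; only used with --live).
resolve_name() { getent hosts "$1" 2>/dev/null | awk '{print $1; exit}'; }
local_addrs()  { ip -4 -o addr show 2>/dev/null | awk '{print $4}' | sed 's#/.*##' | tr '\n' ' '; }

# Usage on the firewall itself: sh check_sync.sh --live [EXPECTED_IP]
if [ "${1:-}" = "--live" ]; then
    h=$(hostname)
    check_sync "$h" "$(resolve_name "$h")" "$(local_addrs)" "${2:-}"
fi
```

The constructed addresses in the checks below mirror CryptoTech's example of a box with 200.1.1.1 outside and 10.1.1.1 inside.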

On Wed, 21 Feb 2001, CryptoTech wrote:
> Sure, Jonathan.
> In early releases of Firewall-1 (fw 4.0 sp4 and back) you could not use fwa1 session
> encryption if your enforcement point did not have a vpn(something) string.  This was
> changed in 4.0 sp5 and anything later.  If the other box does not give the error,
> then chances are someone has hacked at the control.map file (a common Nokia
> recommendation, but a serious mistake).  Your skey failure may be related to how the
> box sees itself.
> 
> On the Nokia platform, when doing skey authentication, the Nokia box will force its
> communications with management to have keys with the IP address referenced by the
> local hostname.  So if you had a box with 200.1.1.1 outside, 10.1.1.1 inside, and
> management 10.1.1.2 -- and the hostname on the Nokia box reflected the external IP
> address, then skey transfers would fail because the Nokia would insist that it was
> NOT 10.1.1.1, but only 10.1.1.2
> 
> Solutions:
> Get a VPN license
> Upgrade to 4.0 sp5 or higher
> Change the hostname through the Voyager interface to reflect the IP address of the
> NIC closest to the management station.  Do not change any firewall objects within
> the GUI as this could cause some serious problems.
> 
> CryptoTech
> 
> [email protected] wrote:
> 
> > Hi Everyone,
> >
> > I have recently taken over a few Firewalls and was met with a (ghastly!) error
> > message when I tried to install a policy for the first time. I hope someone can
> > point me in the right direction......
> >
> > The error message is.....
> >
> > Installing Security policy C:winnt/blah on NokData1
> > succeeded - (phew!)
> >
> > Installing Security policy C:winnt/blah on NokData2
> > Warning: Using S/Key Authentication instead of FWA1: No encryption license
> > Authentication for command load failed
> > Failed to install security policy :Unauthorised action
> >
> > I've checked the license and it looks fine.
> > I have found reference to this message on Phoneboy at:
> > http://www.phoneboy.com/fw1/faq/0036.html but this refers to the warning message
> > on startup instead of when pushing the policy.
> >
> > My setup is 2 Nokia 440s on FW1 4.0 SP3 with VRRP and an NT4 SP5 Management Module.
> >
> > Hope someone has an idea,
> >
> > Regards,
> >
> > Jonathan
> >
> > Jonathan Jackson
> > Network Security Analyst
> > AMP Group
> > London
> > Tel +44
> > email: [email protected]
> >
> 
> 
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.