RE: [FW1] FW state synchronization
I have done it at least a dozen times already.

1. Allow the FW service between the two modules in your policy. I'd say, allow everything between the two modules for the testing environment.
2. Stop the firewall.
3. Make sure that the IP addresses in the sync.conf files are on the same subnet and are directly reachable by each other.
4. Make sure you run the putkey command for the same addresses that appear in the sync.conf files.
5. No need to "./fw putkey -n myserver IP address destination server IP address". Just fw putkey <the other module's IP>.... please enter password... repeat password..... ....fwstart
6. Do the same on the other module; make sure you are very accurate when giving the other module's IP, make sure it's the same IP that appears in the sync.conf file.
7. Consult $FWDIR/log/fwd.elg to see if the synchronization is taking place; fw ctl pstat doesn't give you much information.

Good luck.
HTH
Michael.

BTW... RainWall 1.5 needs a certain patch level to run well on SunOS 2.6... Read the pdf, system requirements....
Besides, make sure you are not using the "new" UDP sync feature, which was introduced in SP2; either downgrade to SP1 (for the test environment), or disable the advanced UDP sync feature and use the old-fashioned TCP sync.....
...snip....
New FW-1 state synchronization
In SP2, Check Point added a new way to do state synchronization, which is described on page 5 of the SP2 release notes. This state synchronization mechanism is in Beta, and is NOT the default. As the new sync appears to have some interoperability issues with RainWall, we strongly recommend that you continue to use the old way of doing firewall state synchronization when running with RainWall, as described on page 564 of the Check Point VPN-1/Firewall-1 Administration Guide. We are working with Check Point to address any interoperability issues between the new state synchronization method and RainWall.
snip......
Hi everyone, I'm running CP 4.1 SP2 on 2x Solaris 2.6 servers. I tried to implement the Rainwall standby solution. As a part of the procedure I needed to state synchronize both firewalls. I have the right IP address in the $FWDIR/conf/sync.conf file on both firewalls. I stopped the fw process and tried a dozen times to install a key between both nodes (./fw putkey -n myserver IP address destination server IP address as well as ./fw putkey destination IP address) as well as trace a couple of files in the conf and database directories, as this is described in phoneboy. Unfortunately, when I started the fw process back up I still have sync in:off sync out:off when I issue ./fw ctl pstat. I'll appreciate any suggestions on how I can get around this problem.. thank you
Kiril
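As an added example (not from this thread, not Check Point or RainWall code), a small POSIX shell check for step 3 of Michael's list: it reads the peer addresses from a sync.conf-style file (assumed here to hold one peer IP per line, with '#' comment lines) and reports whether each one falls in the same subnet as the local sync interface.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that every peer in a
# sync.conf-style file shares a subnet with the local sync interface.
# Assumption: the file lists one peer IP per line; lines starting with '#' are comments.

# ip_to_int DOTTED_QUAD -> decimal value of the address (10.1.2.3 -> 167838211)
ip_to_int() {
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet LOCAL_IP NETMASK PEER_IP -> exit 0 if both addresses are in
# the same network under NETMASK, 1 otherwise
same_subnet() {
    local_n=$(ip_to_int "$1"); mask_n=$(ip_to_int "$2"); peer_n=$(ip_to_int "$3")
    [ $(( local_n & mask_n )) -eq $(( peer_n & mask_n )) ]
}

# check_sync_conf FILE LOCAL_IP NETMASK
# Prints "<peer> OK" or "<peer> NOT-ON-SUBNET" per entry; exit status is 1
# if any peer is off-subnet, so the result can gate a putkey/fwstart script.
check_sync_conf() {
    rc=0
    while read -r peer rest; do
        case "$peer" in ''|'#'*) continue ;; esac
        if same_subnet "$2" "$3" "$peer"; then
            echo "$peer OK"
        else
            echo "$peer NOT-ON-SUBNET"; rc=1
        fi
    done < "$1"
    return $rc
}
```

Run it as `check_sync_conf $FWDIR/conf/sync.conf <local sync IP> <netmask>` on each module before issuing fw putkey; a NOT-ON-SUBNET line means the address in sync.conf and the one you will give putkey cannot reach each other directly.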