[FW1] Who in the @#$&^! wrote SP4?
Okay...so I'm installing SP4 to allow us to do IKE over TCP for SecuRemote (about time!) and I start by putting it on my management server and one of my perimeter firewalls. Big mistake! Load on my firewall shoots up to 3 - 4 (about 75-95% utilization on my dual CPU Sun box) and starts dropping packets. After a day of troubleshooting and testing, not to mention wasted time with Checkpoint's "support" team, we regress both machines to SP3 by *REINSTALLING* and restoring our config files. Note I say reinstalling, since the backout script fails horribly, except to remove the indicator that SP4 is loading and therefore preventing any further attempts to do a 'patchrm'.

So a few weeks go by, and things are back to normal. We try installing SP4 along with the RDP and format string hotfixes to our management station only, trying to troubleshoot a SR problem. Looks great - we now see IKE_tcp drops where before nothing appeared in the log viewer (did I mention I haven't installed policy yet?).

So the next time my script runs that loads policy on all the firewalls, about half fail with either a "<firewall> is not defined as firewalled" error, or a "Failed to open file '/opt/CPfw1-41/tmp/<firewall_name>.fwrl.conf': No such file or directory" error. Of course, the firewalls listed as "not defined as firewalled" ARE defined as firewalls. When I try to load policy using the GUI to any of these, the error changes to the one about the missing file firewall.domain.com.fwrl.conf.

So I spend a day troubleshooting this and find out the following "change" to SP4: The management server, when creating a policy file to push to a firewall module, creates the file from the <policy_name>.pf and names it by doing an 'nslookup <firewall_ip_addr>' and using this for the filename (plus the .fwrl.conf addition). However, when fw_readfiles tries to find the file, it uses the name of the firewalled object (from objects.C) plus the .fwrl.conf addition. If the two don't match, it can't find the file.
In our case, our /etc/hosts file had both <firewall> and <firewall>.domain listed for the IP address and our /etc/nsswitch.conf file defines host lookups as files first, then DNS. For example...

    #/etc/hosts
    1.2.3.4 firewall firewall.domain.com

    #/etc/nsswitch.conf
    hosts files dns

So, here is what happens if you try to install policy (my comments are in parentheses)...

    Downloading Security Policy /opt/CPfw1-41/conf/Policy_1.pf to firewall.domain.com
    Failed to open file '/opt/CPfw1-41/tmp/firewall.fwrl.conf': No such file or directory
      (nslookup resolves 1.2.3.4 to 'firewall', not 'firewall.domain.com')
    fw_readfiles:cannot open firewall.domain.com.fwrl.conf: No such file or directory
      (the GUI object is called 'firewall.domain.com')
    Failed to Download Security Policy on firewall.domain.com: No such file or directory
    Installing Security Policy on firewall.domain.com failed

As you can see, the program creates the file using one method, and then looks for it using another. By the way, don't bother looking in your /<firewall_dir>/tmp directory - these .fwrl.conf files are created and then deleted. Interesting that the program can find them to delete them, but not find them to load them. If you want to see what the file is that is being created, you have to start a policy load and then sit in that tmp directory doing "ls -al *.conf" over and over again - it will appear for about 2-3 seconds.

Of course this was all academic - as soon as I fixed this problem (making sure the /etc/hosts file *only* had reverse lookup entries that matched the GUI firewall object names) and we loaded policy, load shot up on my firewall again. I had to rebuild the management server AGAIN (the patch backout failed AGAIN) and reinstall policy - load drops to normal in less than 5 minutes.

We're currently talking to Checkpoint about this (yeah, right), but they won't even admit there is a problem with the service pack yet. They want us to reinstall SP4 to firewall and mgmt. server, get an fwinfo, regress both back to SP3, get an fwinfo, and send them to them. Too bad we actually WORK FOR A LIVING and need our firewalls (and consequently our office) up and running.

Oh...just for the record, these are Enterprise level Sun boxes with lots of RAM and dual CPUs. My first firewall was 3.0 (before 3.0b) back in 1998, so I have a small clue about what I'm doing. :-)

Doug Johnson
Sr. Network Engineer
<mailto:[email protected]>
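The naming mismatch described in the post above, as an added example that is not part of the original message or of Check Point's code: a small Python check that runs each firewall object's IP through a simulated 'files' reverse lookup (assumed to return the first name on the matching /etc/hosts line) and reports every object whose lookup result differs from the objects.C name, which is exactly the case where the .fwrl.conf file would be created under one name and opened under another. The hosts file and object list are constructed sample data.

```python
# Added example: compare the name that a reverse lookup of each module's IP
# yields (the name SP4 uses to create <name>.fwrl.conf) with the object name
# that fw_readfiles uses to open it. Assumes a 'files' lookup returns the
# first name on the matching /etc/hosts line. All data below is constructed.

HOSTS = """\
# constructed /etc/hosts
1.2.3.4   firewall firewall.domain.com
1.2.3.5   fw2.domain.com fw2
"""

# Constructed (object_name, ip) pairs standing in for objects.C entries
OBJECTS = [("firewall.domain.com", "1.2.3.4"), ("fw2.domain.com", "1.2.3.5")]


def parse_hosts(text):
    """Return {ip: [names...]} from /etc/hosts content, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        table.setdefault(ip, []).extend(names)
    return table


def reverse_lookup(table, ip):
    """Mimic a 'files' reverse lookup: the first (canonical) name wins."""
    names = table.get(ip)
    return names[0] if names else None


def check_objects(objects, hosts_text):
    """List (object_name, ip, resolved_name, file_wanted, file_created) for
    every object whose reverse lookup does not equal its object name."""
    table = parse_hosts(hosts_text)
    problems = []
    for name, ip in objects:
        resolved = reverse_lookup(table, ip)
        if resolved != name:
            created = f"{resolved}.fwrl.conf" if resolved else None
            problems.append((name, ip, resolved, f"{name}.fwrl.conf", created))
    return problems


if __name__ == "__main__":
    for name, ip, resolved, wanted, created in check_objects(OBJECTS, HOSTS):
        print(f"{name} ({ip}): reverse lookup gives {resolved!r}; "
              f"policy load creates {created} but fw_readfiles wants {wanted}")
```

An empty result means every object's reverse lookup already matches its GUI name, which is the state the post says fixed the policy-load error.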