[FW1] Who in the @#$&^! wrote SP4?



Okay...so I'm installing SP4 to allow us to do IKE over TCP for SecuRemote
(about time!) and I start by putting it on my management server and one of
my perimeter firewalls.  Big mistake!

Load on my firewall shoots up to 3 - 4 (about 75-95% utilization on my dual
CPU Sun box) and starts dropping packets.  After a day of troubleshooting
and testing, not to mention wasted time with Checkpoint's "support" team, we
regress both machines to SP3 by *REINSTALLING* and restoring our config
files.  Note I say reinstalling, since the backout script fails horribly,
except to remove the indicator that SP4 is loading and therefore preventing
any further attempts to do a 'patchrm'.

So a few weeks go by, and things are back to normal.  We try installing SP4
along with the RDP and format string hotfixes to our management station
only, trying to troubleshoot a SR problem.  Looks great - we now see IKE_tcp
drops where before nothing appeared in the log viewer (did I mention I
haven't installed policy yet?).  So the next time my script runs that loads
policy on all the firewalls, about half fail with either a

"<firewall> is not defined as firewalled" error, or a
"Failed to open file '/opt/CPfw1-41/tmp/<firewall_name>.fwrl.conf': No such
file or directory" error.

Of course, the firewalls listed as "not defined as firewalled" ARE defined
as firewalls.  When I try to load policy using the GUI to any of these, the
error changes to the one about the missing file
firewall.domain.com.fwrl.conf.  So I spend a day troubleshooting this and
find out the following "change" to SP4:

The management server, when creating a policy file to push to a firewall
module, creates the file from the <policy_name>.pf and names it by doing an
'nslookup <firewall_ip_addr>' and using this for the filename (plus the
.fwrl.conf addition).  However, when fw_readfiles tries to find the file, it
uses the name of the firewalled object (from objects.C) plus the .fwrl.conf
addition.  If the two don't match, it can't find the file.  In our case, our
/etc/hosts file had both <firewall> and <firewall>.domain listed for the IP
address and our /etc/nsswitch.conf file defines host lookups as files first,
then DNS.  For example...

#/etc/hosts
1.2.3.4	firewall	firewall.domain.com

#/etc/nsswitch.conf
hosts		files dns

So, here is what happens if you try to install policy (my comments are in
parentheses)...

Downloading Security Policy /opt/CPfw1-41/conf/Policy_1.pf to
firewall.domain.com
Failed to open file '/opt/CPfw1-41/tmp/firewall.fwrl.conf': No such file or
directory
	(nslookup resolves 1.2.3.4 to 'firewall', not 'firewall.domain.com')
fw_readfiles:cannot open firewall.domain.com.fwrl.conf: No such file or
directory
	(the GUI object is called 'firewall.domain.com')
Failed to Download Security Policy on firewall.domain.com: No such file or
directory
Installing Security Policy on firewall.domain.com failed

As you can see, the program creates the file using one method, and then
looks for it using another.  By the way, don't bother looking in your
/<firewall_dir>/tmp directory - these .fwrl.conf files are created and then
deleted.  Interesting that the program can find them to delete them, but not
find them to load them.  If you want to see what the file is that is being
created, you have to start a policy load and then sit in that tmp directory
doing "ls -al *.conf" over and over again - it will appear for about 2-3
seconds.

Of course this was all academic - as soon as I fixed this problem (making
sure the /etc/hosts file *only* had reverse lookup entries that matched the
GUI firewall object names) and we loaded policy, load shot up on my firewall
again.  I had to rebuild the management server AGAIN (the patch backout
failed AGAIN) and reinstall policy - load drops to normal in less than 5
minutes.

We're currently talking to Checkpoint about this (yeah, right), but they
won't even admit there is a problem with the service pack yet.  They want us
to reinstall SP4 to firewall and mgmt. server, get an fwinfo, regress both
back to SP3, get an fwinfo, and send them to them.  Too bad we actually
WORK FOR A LIVING and need our firewalls (and consequently our office) up
and running.

Oh...just for the record, these are Enterprise level Sun boxes with lots of
RAM and dual CPUs.  My first firewall was 3.0 (before 3.0b) back in 1998, so
I have a small clue about what I'm doing.  :-)

Doug Johnson
Sr. Network Engineer
<mailto:[email protected]>
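An added pre-push check for the naming mismatch described above (my example, not code from the post or from Check Point): it replays the two lookups the post describes, the reverse lookup of the module's IP that names the temporary policy file and the object-name lookup that fw_readfiles uses, against an /etc/hosts body and flags every firewall object whose name will not match. Object names and IPs are passed in as a plain dict (assumption: you take them from your own inventory; objects.C parsing is not attempted), and the sample hosts data is constructed.

```python
"""Pre-push check for the FW-1 SP4 .fwrl.conf naming mismatch.

With 'hosts: files dns', a reverse lookup answered from /etc/hosts returns the
first (canonical) name on the matching line; later names are only aliases.
The management server names the temp policy file after that result, while
fw_readfiles opens <object name>.fwrl.conf, so the two must be identical.
"""
import ipaddress


def canonical_name_from_hosts(hosts_text, ip):
    """Return the first hostname listed for `ip` in an /etc/hosts body, or None."""
    target = ipaddress.ip_address(ip)
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            if ipaddress.ip_address(fields[0]) == target and len(fields) > 1:
                return fields[1]                   # canonical name, not the aliases
        except ValueError:
            continue                               # malformed address field; skip
    return None


def find_policy_filename_mismatches(hosts_text, objects):
    """objects: {firewall_object_name: ip}.

    Returns (object_name, file_created, file_looked_for) for every object that
    would fail. file_created is None when the IP is not in the hosts file at all:
    resolution would then fall through to DNS, which this offline check cannot see.
    """
    problems = []
    for obj_name, ip in objects.items():
        looked_for = obj_name + ".fwrl.conf"
        resolved = canonical_name_from_hosts(hosts_text, ip)
        if resolved is None:
            problems.append((obj_name, None, looked_for))
        elif resolved != obj_name:
            problems.append((obj_name, resolved + ".fwrl.conf", looked_for))
    return problems


# Constructed sample data mirroring the post: the alias order is the whole problem.
SAMPLE_HOSTS = "# constructed /etc/hosts\n1.2.3.4\tfirewall\tfirewall.domain.com\n1.2.3.5 fw2.domain.com fw2\n"
SAMPLE_OBJECTS = {"firewall.domain.com": "1.2.3.4", "fw2.domain.com": "1.2.3.5"}

if __name__ == "__main__":
    for obj, created, wanted in find_policy_filename_mismatches(SAMPLE_HOSTS, SAMPLE_OBJECTS):
        print(f"{obj}: management creates {created}, fw_readfiles wants {wanted}")
        print(f"  fix: put '{obj}' first on the {SAMPLE_OBJECTS[obj]} line in /etc/hosts")
```

Run it before a scripted policy push; an empty result means every module's canonical hosts name already matches its GUI object name.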
