RE: [FW1] Who in the @#$&^! wrote SP4?
Doug,

I run a similar configuration to you: 2 firewalls (CP2000) on Sun E250s with dual CPUs and 512MB RAM each, with management on an Ultra 10 w/ 512MB RAM (I also run this same configuration on another network, so it's really 4 firewall modules and 2 management servers). I installed SP4 and both hotfixes this week and have had absolutely no change to CPU load, nor any problem pushing policies.

What version of Solaris are you running? SP4 is *supposed* to support Solaris 8, but I haven't seen anyone openly admit to success yet (which is why I'm holding off upgrading to Solaris 8). I would recommend making sure you have Solaris 7 with the latest patches, and if you have a spare box (big IF), try rebuilding your firewall from scratch, install all the Service Packs in order, and see if you still have the problems.

I've worked with FW-1 for over three years (since 3.0b), and have seen cases where installing the builds/service packs on production machines leads to problems. You occasionally have to just rebuild a box from scratch and then put it up on the network. Not an optimal solution, but it gets the job done.

Good Luck!

Dan
-----------------------------------------------------------------------------
Daniel R. (Dan) Dunn, EE, CCSA/CCSE
Principal INFOSEC Engineer, GRC Int'l (an AT&T company)
OSD-ITD Firewall Administrator
p:, ext 500

The opinions expressed by the author are entirely his own, and do not reflect those of AT&T, GRCI, Inc., or their subsidiaries, nor do they reflect policy, opinion, or endorsement by the US Department of Defense or any of its agencies.

>-----Original Message-----
>From: Johnson, Doug (ISS Atlanta) [mailto:[email protected]]
>Sent: Thursday, July 19, 2001 2:10 AM
>To: '[email protected]'; [email protected]; '[email protected]'; [email protected]
>Subject: [FW1] Who in the @#$&^! wrote SP4?
>
>Okay...so I'm installing SP4 to allow us to do IKE over TCP for SecuRemote (about time!) and I start by putting it on my management server and one of my perimeter firewalls. Big mistake!
>
>Load on my firewall shoots up to 3 - 4 (about 75-95% utilization on my dual CPU Sun box) and starts dropping packets. After a day of troubleshooting and testing, not to mention wasted time with Checkpoint's "support" team, we regress both machines to SP3 by *REINSTALLING* and restoring our config files. Note I say reinstalling, since the backout script fails horribly, except to remove the indicator that SP4 is loading and therefore preventing any further attempts to do a 'patchrm'.
>
>So a few weeks go by, and things are back to normal. We try installing SP4 along with the RDP and format string hotfixes to our management station only, trying to troubleshoot an SR problem. Looks great - we now see IKE_tcp drops where before nothing appeared in the log viewer (did I mention I haven't installed policy yet?). So the next time my script runs that loads policy on all the firewalls, about half fail with either a
>
>"<firewall> is not defined as firewalled" error, or a "Failed to open file '/opt/CPfw1-41/tmp/<firewall_name>.fwrl.conf': No such file or directory" error.
>
>Of course, the firewalls listed as "not defined as firewalled" ARE defined as firewalls. When I try to load policy using the GUI to any of these, the error changes to the one about the missing file firewall.domain.com.fwrl.conf. So I spend a day troubleshooting this and find out the following "change" to SP4:
>
>The management server, when creating a policy file to push to a firewall module, creates the file from the <policy_name>.pf and names it by doing an 'nslookup <firewall_ip_addr>' and using this for the filename (plus the .fwrl.conf addition). However, when fw_readfiles tries to find the file, it uses the name of the firewalled object (from objects.C) plus the .fwrl.conf addition. If the two don't match, it can't find the file. In our case, our /etc/hosts file had both <firewall> and <firewall>.domain listed for the IP address and our /etc/nsswitch.conf file defines host lookups as files first, then DNS. For example...
>
>#/etc/hosts
>1.2.3.4 firewall firewall.domain.com
>
>#/etc/nsswitch.conf
>hosts: files dns
>
>So, here is what happens if you try to install policy (my comments are in parentheses)...
>
>Downloading Security Policy /opt/CPfw1-41/conf/Policy_1.pf to firewall.domain.com
>Failed to open file '/opt/CPfw1-41/tmp/firewall.fwrl.conf': No such file or directory
> (nslookup resolves 1.2.3.4 to 'firewall', not 'firewall.domain.com')
>fw_readfiles:cannot open firewall.domain.com.fwrl.conf: No such file or directory
> (the GUI object is called 'firewall.domain.com')
>Failed to Download Security Policy on firewall.domain.com: No such file or directory
>Installing Security Policy on firewall.domain.com failed
>
>As you can see, the program creates the file using one method, and then looks for it using another. By the way, don't bother looking in your /<firewall_dir>/tmp directory - these .fwrl.conf files are created and then deleted. Interesting that the program can find them to delete them, but not find them to load them. If you want to see what the file is that is being created, you have to start a policy load and then sit in that tmp directory doing "ls -al *.conf" over and over again - it will appear for about 2-3 seconds.
>
>Of course this was all academic - as soon as I fixed this problem (making sure the /etc/hosts file *only* had reverse lookup entries that matched the GUI firewall object names) and we loaded policy, load shot up on my firewall again. I had to rebuild the management server AGAIN (the patch backout failed AGAIN) and reinstall policy - load drops to normal in less than 5 minutes.
>
>We're currently talking to Checkpoint about this (yeah, right), but they won't even admit there is a problem with the service pack yet. They want us to reinstall SP4 to firewall and mgmt. server, get an fwinfo, regress both back to SP3, get an fwinfo, and send them to them. Too bad we actually WORK FOR A LIVING and need our firewalls (and consequently our office) up and running.
>
>Oh...just for the record, these are Enterprise level Sun boxes with lots of RAM and dual CPUs. My first firewall was 3.0 (before 3.0b) back in 1998, so I have a small clue about what I'm doing. :-)
>
>Doug Johnson
>Sr. Network Engineer
><mailto:[email protected]>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
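The name clash Doug describes (policy file named from a lookup of the firewall's IP, but read back under the objects.C object name) can be checked before a policy push. The script below is an added example, not code from the thread or from Check Point; it assumes that a files-first lookup returns the first name on the matching /etc/hosts line, and uses constructed hosts files built from the thread's sample entry.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates the mismatch Doug
# describes: the management server derives a file name for <fw_ip>
# via a lookup that, with "files" first in nsswitch.conf, returns the
# first name on the matching /etc/hosts line (assumption), while
# fw_readfiles looks for <object_name>.fwrl.conf. A mismatch means the
# policy install fails, so check every firewall object before pushing.

# Print the canonical (first) hostname for an IP from a hosts file.
hosts_canonical_name() {
    awk -v ip="$1" '
        /^[ \t]*#/ { next }            # skip comment lines
        { sub(/#.*/, "") }             # drop trailing comments
        $1 == ip { print $2; exit }    # first name after the IP
    ' "$2"
}

# Return 0 when the derived file name matches the object name, else 1.
check_fwrl_name() {
    object=$1; ip=$2; hostsfile=$3
    resolved=$(hosts_canonical_name "$ip" "$hostsfile")
    if [ "$resolved" = "$object" ]; then
        echo "OK       $object -> $object.fwrl.conf"
        return 0
    fi
    echo "MISMATCH object '$object' but $ip resolves to '${resolved:-<none>}'" >&2
    return 1
}

# Constructed hosts files: the ordering from the thread, and the fixed one.
HOSTS_BAD=$(mktemp); HOSTS_GOOD=$(mktemp)
trap 'rm -f "$HOSTS_BAD" "$HOSTS_GOOD"' EXIT
cat > "$HOSTS_BAD" <<'EOF'
# constructed /etc/hosts: short name first, as in Doug's setup
1.2.3.4 firewall firewall.domain.com
EOF
cat > "$HOSTS_GOOD" <<'EOF'
# constructed /etc/hosts: name matching the GUI object first
1.2.3.4 firewall.domain.com firewall
EOF

# Demonstration with the object name from the thread.
check_fwrl_name firewall.domain.com 1.2.3.4 "$HOSTS_BAD" || true
check_fwrl_name firewall.domain.com 1.2.3.4 "$HOSTS_GOOD"
```

To use it on a real management server, point `check_fwrl_name` at /etc/hosts and loop over each firewall object name and IP taken from objects.C.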