
RE: [FW1] Creating offline backup with FW4.1

When you switched over to the backup firewall, did you account for the fact that your routers or switches might have cached your fw's MAC addresses? Depending on your ARP cache timeout settings and how long you left the new fw in for, everything might have worked if you had just re-published the ARPs or flushed the caches.
However, if you didn't copy over the correct files, that is a moot point. Copying over files will work; you just need to get the right ones. I would guess that your initial copying over of all 3 directories was the correct thing to do, and that the reason the failover didn't work was ARP caching. If you plan on copying over only individual files, the important rulebase files are the .W files and the rulebases.fws file. Or you can go the route of just copying over the .W files and running fw m -g *.W to recreate the rulebases.fws file. Also, verify with a 'fw stat' that all NICs have a policy applied to them.
Double-check all your routes, and remember that if you have static NAT rules, the MAC address you are ARPing with is probably changing, so your ARP statements will differ.
If you are able to push policy and view it in the log, the rest is layer 2 and 3. Since you said this is a standalone fw+mgmt station, you should be able to configure everything off the network, view the policy, and push the policy, all while disconnected from the network. Once that is working, swap out fw's and start testing.
 
Good Luck
Jason
-----Original Message-----
From: Erickson, Karen [mailto:[email protected]]
Sent: Thursday, August 23, 2001 1:27 PM
To: '[email protected]'
Subject: [FW1] Creating offline backup with FW4.1

    We have a production firewall and are trying to create a backup firewall that is not connected to the network but could be put into production if the other one goes down. I have not been able to make this work. Has anyone done this successfully, and is there any reason why this would not work?

    This is what I have tried so far (sorry for the length; I just thought I'd provide what I have):
    We are using FW-1 SP3 on both machines with NT 4.0 SP 6a. The management console and firewall module are on the one machine, and each has 3 NICs: one to the DMZ, one external and one internal. NT sets the numeric order of the NICs; I don't know if this is important.

    The production firewall was an upgrade to FW4.1, whereas the backup was a straight install of FW4.1.  The backup firewall also has 3 NICs that have the same IPs and will be connected to the network the same way.  I have tested the NICs on the backup to make sure they can route correctly and are assigned to the appropriate segment of the network.

    After installing the firewall software on the backup, I copied over the conf, state and database files from the production firewall. The same files were backed up every week from the production to the backup firewall. Initially I was able to install the policy. I then tried to test the backup by taking the production firewall off the network and connecting the backup. Did not work. I could not get to the DMZ, the external or the internal network.

    I contacted our reseller for a solution, and they initially recommended I copy the entire FW4.1 directory to an ftp server and then copy it over to the backup. This did not work because the firewall was using certain files, so they could not be copied to the ftp server. The next suggestion was a backup of only specific files in the conf directory. I tried this and now am no longer able to install the policy. I copy over the Standard.W and Standard.pf files to the backup, and as soon as I try to install the policy the contents of both files appear to be deleted (Standard.W is at 23KB and immediately goes to 1KB, and Standard.pf is 39KB and goes to 0). I get the error message "Failed to generate Security Policy Script for rulebase C:\winnt\FW4.1\conf\Standard.W".

    Any idea why the Standard.W and Standard.pf files are deleted as soon as I install the policy?

    Has anyone successfully created a backup firewall that is offline and brought it up when the production firewall went down? If so, how?

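The layer-2 point Jason raises in his reply (a cold-standby firewall inherits the production box's IP addresses but not its NIC MAC addresses, so upstream routers and switches keep sending to the old MAC until their ARP cache entries expire or are refreshed) is easy to misjudge without a concrete model. The following is an added illustration, not code from the thread, from Check Point or from FireWall-1: it builds a gratuitous ARP frame in the RFC 826 wire format, parses it back, and runs it against a toy router ARP cache with a timeout, so you can see traffic black-holed before the announcement and corrected immediately after. All MAC and IP addresses are constructed, the 4-hour timeout is an assumed router default, and the cache class is a simplified model, not any vendor's implementation.

```python
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(sender_mac: str, sender_ip: str, reply: bool = True) -> bytes:
    """Ethernet II frame carrying a gratuitous ARP (sender IP == target IP).
    Every host that already holds an entry for sender_ip refreshes its MAC."""
    opcode = 2 if reply else 1                      # 1 = request, 2 = reply
    target_mac = BROADCAST if reply else ZERO_MAC
    eth_hdr = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    body = (mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
            + mac_bytes(target_mac) + socket.inet_aton(sender_ip))
    return eth_hdr + arp_hdr + body


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP header")
    p = frame[22:42]
    return {
        "op": opcode,
        "sha": mac_str(p[0:6]),
        "spa": socket.inet_ntoa(p[6:10]),
        "tha": mac_str(p[10:16]),
        "tpa": socket.inet_ntoa(p[16:20]),
    }


class ArpCache:
    """Toy neighbour table of an upstream router: ip -> (mac, expiry time)."""

    def __init__(self, timeout: int):
        self.timeout = timeout
        self.entries = {}

    def learn(self, ip: str, mac: str, now: int) -> None:
        self.entries[ip] = (mac, now + self.timeout)

    def lookup(self, ip: str, now: int):
        entry = self.entries.get(ip)
        if entry is None or now >= entry[1]:
            return None                             # expired: router must re-ARP
        return entry[0]

    def receive(self, frame: bytes, now: int) -> dict:
        """RFC 826 merge rule: an existing entry for the sender is refreshed by
        any ARP packet from it, gratuitous ones included."""
        arp = parse_arp(frame)
        if arp["spa"] in self.entries:
            self.learn(arp["spa"], arp["sha"], now)
        return arp


def failover_demo(timeout: int = 14400) -> dict:
    """Swap to a backup firewall with the same IP but a different NIC MAC.
    Addresses are constructed; 14400 s mimics a 4-hour router ARP timeout."""
    fw_ip = "192.0.2.1"
    prod_mac = "00:50:56:aa:aa:01"
    backup_mac = "00:50:56:bb:bb:01"

    router = ArpCache(timeout)
    router.learn(fw_ip, prod_mac, now=0)            # learned while production fw was up

    # t=60: production fw unplugged, backup on the wire, nothing announced yet.
    stale = router.lookup(fw_ip, now=60)            # old MAC: frames go nowhere

    # t=120: backup fw sends a gratuitous ARP; the router refreshes its entry.
    router.receive(build_gratuitous_arp(backup_mac, fw_ip), now=120)
    fixed = router.lookup(fw_ip, now=121)

    # Same scenario without the announcement: wrong until the entry times out.
    untouched = ArpCache(timeout)
    untouched.learn(fw_ip, prod_mac, now=0)
    still_stale = untouched.lookup(fw_ip, now=timeout - 1)
    expired = untouched.lookup(fw_ip, now=timeout)

    return {"stale_mac": stale, "after_garp": fixed,
            "still_stale": still_stale, "expired": expired}
```

The same frame builder applies to any address the firewall answers ARP for on behalf of static NAT hosts: those entries are published with the firewall's own NIC MAC, which is why Jason notes the ARP statements on the backup will differ from the production box's. A `receive()` that also inserted unknown senders would model a more permissive cache, but the RFC 826 merge rule shown here is the conservative case, and it still fixes the stale entry.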
   All contents © 2004 Network Presence, LLC. All rights reserved.