
[FW1] Summary: Problems with ACE 5.0 after upgrade from 3.3.1



PROBLEM SUMMARY  With an ACE 5.0 Master and a Checkpoint FW1
(or ACE 3.3.1 or 4.0) client, an "Acting Server" must be defined 
in the 5.0 sdconf.rec and put on the ACE agent/client.


PROBLEM SUMMARY  In ACE 5.0 and multi-NIC agent/client,
the hostname, which is the primary address, MUST be the 
NIC that is used to communicate with the ACE master
when using ACE 5.0 agent/client software.


FIX-WORKAROUND  --  Assign Acting Servers  (preferred)
	Assign Acting Servers for the FW agent/client on ACE 5.0 master
	Generate Config File (sdconf.rec) 
	Copy sdconf.rec to FW agent/client
	rm /var/ace/securid or /opt/ace/data/securid
	generate node secret via authentication

Tested FW1 SP4, ACE 5.0 Server,  I was able to demonstrate that
SecuRemote works when "Assign Acting Server".  
This is the preferred fix since Checkpoint is probably not 
using the ACE 5.0 libraries. 

I demonstrated that the ACE 3.3.1 sdshell
and the ACE 4.0 sdshell work when the Acting Server is defined.
It also works whether the hostname is the external or the
internal interface of the firewall.

In my 3.3.1 environment, the hostname is the external interface
and the interface used communicating with the ACE master is
the internal interface/secondary address.

This does NOT work for ACE 5.0 agent/client software.



FIX-WORKAROUND -- Move hostname to internal interface.
	Associate the hostname with the interface that
	is used to communicate with the ACE master.

I demonstrated that ACE authentication works with 5.0 sdshell
when the hostname is on the internal interface.
This is the only workaround that works for ACE 5.0 agent/client software.

BUT, the firewall uses older libraries, so the firewall will
authenticate, repeatedly, if Acting Server is defined.





After upgrading my ACE master (Securid)  from v 3.3.1 to 5.0
SecuRemote authentication at the firewalls failed. 
I also used /opt/ace/prog/sdshell on the firewall to 
test the authentication in a simpler (non-firewall) environment
and to generate the node secret.  

The problem is that ACE 5.0 sdshell works ONCE to generate
the node secret, but fails on the second or later use,
because the node secret is not correct.

08/29/2001 22:58:38U --------/diamond2                 ---->/
08/29/2001 17:58:38L Node verification failed          t-hedron.adc.com



greg



_______________________________________________________________
Greg Polanski                    mailto:[email protected]
ADC Telecommunications, Inc      MS / FAX
PO Box 1                         cell/pager
Minneapolis, MN                  [email protected]
_______________________________________________________________
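The second problem summary above comes down to a single condition on the agent host: the address the hostname resolves to must be the address of the interface that reaches the ACE master, and a stale node secret must be removed before the next authentication regenerates it. The script below is an added example, not code from the original post or from ADC, Checkpoint or RSA; it checks that condition and clears the node secret. The master address (192.0.2.10), the use of getent and iproute2 (a Linux box, not the original firewall platform), the NODE_SECRET_PATHS override and the sample addresses are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check whether this host meets the
# ACE 5.0 agent requirement that the hostname's address is the interface used
# to reach the ACE master, and clear the stale node secret so the next
# successful authentication regenerates it. The master address, the reliance on
# getent/ip (Linux), and the addresses in the comments are assumptions.

ACE_MASTER="${ACE_MASTER:-192.0.2.10}"          # hypothetical master address
NODE_SECRET_PATHS="${NODE_SECRET_PATHS:-/var/ace/securid /opt/ace/data/securid}"

# Pure comparison: returns 0 when the hostname address equals the source
# address the kernel would use towards the master, 1 otherwise (including
# when either value is empty because a lookup failed).
primary_matches_route() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# First IPv4 address the local hostname resolves to (glibc getent).
hostname_ipv4() {
    getent ahostsv4 "$(hostname)" | awk '{ print $1; exit }'
}

# Source address the kernel selects for the master (iproute2 "src" field).
source_ipv4_for() {
    ip -4 route get "$1" 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}

# Remove the node secret files named in NODE_SECRET_PATHS; the next successful
# authentication against the master writes a fresh one.
clear_node_secret() {
    for p in $NODE_SECRET_PATHS; do
        if [ -f "$p" ]; then
            rm -f "$p" && echo "removed $p"
        fi
    done
    return 0
}

# Verdict for a (hostname address, route source address) pair.
# Prints OK or MISMATCH and returns 0 or 1 accordingly.
verdict() {
    if primary_matches_route "$1" "$2"; then
        echo "OK: hostname address $1 is the interface that reaches the ACE master"
        return 0
    fi
    echo "MISMATCH: hostname resolves to ${1:-?} but the master is reached from ${2:-?}"
    echo "  a 5.0 agent authenticates once and then fails node verification;"
    echo "  move the hostname to that interface, then clear the node secret"
    return 1
}

# Live check when invoked as: sh ace-check.sh --check   (needs getent and ip)
if [ "${1:-}" = "--check" ]; then
    verdict "$(hostname_ipv4)" "$(source_ipv4_for "$ACE_MASTER")"
fi
```

Run it with --check on the agent host before and after moving the hostname; on a MISMATCH, fix the hostname first and only then call clear_node_secret, since the secret generated on the first authentication is the one that will be valid afterwards.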

