[FW1] no SIC when computer hw clocks are not in sync
Will,

Thanks for your solution, I installed the NTP protocol to sync the time of the gateway that runs the enforcement module with the server that runs the checkpoint mgmt module, and I can confirm that SIC does communicate now.

Probably NTP can be handy anyway for analysis of logfiles that are time sync'd. Anyone who sees NTP as a potential security risk? ;)

I used some old Asus mobo with an expired CMOS power lithium cell. NTP will now set the hwclock at boot time.

I'll cc this email to some people involved with FW-1 as well as support at checkpoint ;)

Grtz -- hansb

+-----------------------------------------------------+
| Hans Bayle <[email protected]>                      |
| Technical Consultant                                |
|                                                     |
| Zinopsys BV                                         |
| phone +31 20 6123614                                |
| mobile +31 6 53948140                               |
| fax +31 20 6123849                                  |
| [email protected]                                   |
+-----------------------------------------------------+

-----Original Message-----
From: Will Zegeer [mailto:[email protected]]
Sent: Wednesday, September 26, 2001 11:52 PM
To: '[email protected]'; [email protected]
Cc: Erik Esmeijer
Subject: RE: [FW1] (2) Bad SIC status between NT4.0 and Linux RH6.2

Hans,

Check your time and date on both management and module - they should match. I had the same error and this was the cause.

Hope this helps-

Will

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, September 26, 2001 5:25 AM
To: [email protected]
Cc: Erik Esmeijer
Subject: [FW1] (2) Bad SIC status between NT4.0 and Linux RH6.2

Hi,

(1) I'm evaluating Checkpoint NG with a distributed setup:

- management server and management clients on Windows NT Workstation SP6a
- enforcement module on Linux Redhat 6.2, kernel 2.2.19

Normal communication between the two machines is ok, but when I use the Policy editor on the management host, and enter the Linux box as a gateway, it is possible to establish a trust under the Communication button, but testing the SIC status is not possible:

    Sic status from <host>: Not Communicating
    Internal SSL authentication error [ alert from peer bad certificate ]
    *** Contact Check Point Support ***

(2) Also, when using secure update, it is not possible to attach a central license for the enforcement module. I right-click the Linux gateway that has the enforcement module installed and that I had to enter in the policy editor first, then I choose Attach Licenses... A dialog box will pop up, and I select one of my licenses, and click on the Attach button. NOTHING HAPPENS. No error, nothing.

(3) In both cases (1) and (2), when I run tcpdump at the Linux gateway on the interface that is connected to the management host, I will see some traffic between:

    linuxgw.zinopsys.nl.18191 > mgmthst.zinopsys.nl.1144
    mgmthst.zinopsys.nl.1144 > linuxgw.zinopsys.nl.18191
    etc..

At the same time, on the console will be logged:

    FW-1: cannot write to host_table

My wild guess is that checkpoint modules have an internal host_table which is needed for both SIC communication and plugging in the licenses. If, for some reason ???? the module can't write to the host_table, it also won't communicate with remote modules.

Anyone who can tell me what a host_table is, where I can find it, and help it to behave in a better way?
(BTW, latest hotfixes are installed on both machines)

Grtz -- hansb

+-----------------------------------------------------+
| Hans Bayle <[email protected]>                      |
| Technical Consultant                                |
|                                                     |
| Zinopsys BV                                         |
| phone +31 20 6123614                                |
| mobile +31 6 53948140                               |
| fax +31 20 6123849                                  |
| [email protected]                                   |
+-----------------------------------------------------+
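
Added example, not part of the original thread and not Check Point code: it derives the clock offset between two hosts from a single NTP server reply and shows how a certificate issued by the correctly-timed host looks "not yet valid" to the host whose clock is behind. It assumes the "bad certificate" alert comes from an X.509 validity-window check, which the thread does not confirm; all timestamps and certificate dates are constructed.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def to_ntp(unix_ts):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp to Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32

def clock_offset(reply, t4):
    """Seconds to add to the local clock to match the server.

    reply: 48-byte NTP server packet; t4: local clock reading when it arrived.
    """
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # mode 4 = server; stratum 0 is unusable
        raise ValueError("not a usable server reply")
    t1 = from_ntp(reply[24:32])  # originate: local clock when the request left
    t2 = from_ntp(reply[32:40])  # receive: server clock when the request arrived
    t3 = from_ntp(reply[40:48])  # transmit: server clock when the reply left
    return ((t2 - t1) + (t3 - t4)) / 2

def cert_state(now, not_before, not_after):
    """Validity-window check as a TLS peer applies it against its own clock."""
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "valid"

# Constructed sample: the gateway's clock is one day behind the management host.
T1 = 1000000000              # gateway clock when it sent the request
T4 = T1 + 2                  # gateway clock when the reply arrived
SERVER_TS = T1 + 86400 + 1   # management-side clock, one second of transit later
SAMPLE_REPLY = (struct.pack("!BBbb", 0x1C, 2, 6, -20) + bytes(12)  # LI=0 VN=3 mode=4
                + to_ntp(SERVER_TS) + to_ntp(T1) + to_ntp(SERVER_TS) + to_ntp(SERVER_TS))
NOT_BEFORE = SERVER_TS - 600             # certificate issued ten minutes earlier
NOT_AFTER = NOT_BEFORE + 5 * 365 * 86400

if __name__ == "__main__":
    off = clock_offset(SAMPLE_REPLY, T4)
    print("offset (s):", off)
    print("before sync:", cert_state(T4, NOT_BEFORE, NOT_AFTER))
    print("after sync: ", cert_state(T4 + off, NOT_BEFORE, NOT_AFTER))
```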