Re: [FW-1] Difference between fetch and push




The specific answer:

In a fetch, your module requests the latest installed (or attempted install) from the management server, which provides the last compiled policy from the $FWDIR/state directory on the management server.  No compilation is performed in a fetch - the management server simply gives it the last compiled policy for that module.

In a "push," the policy is compiled and pushed to the module.  This policy is also moved to the state directory, such that it will be the policy provided to the module at the next "pull" (fetch).

If you save a policy but do not push it, the compiled policy in the state directory is unchanged, such that you will still "pull" (fetch) the older policy from the management server.

HTH - please post again if this isn't clear!

Dan Hitchcock
CCNP, CCSE, MCSE
Security Analyst
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

The information contained in this email message may be privileged, confidential and protected from disclosure.  If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.  If you think you have received this email message in error, please email the sender at [email protected]


-----Original Message-----
From: Juan Concepcion [mailto:[email protected]]
Sent: Saturday, October 13, 2001 6:54 PM
To: [email protected]
Subject: Re: [FW-1] Difference between fetch and push


All depends. In a fetch, if you haven't saved your changes, the firewall will
not pick up the changes you've made to the policy and will only enforce what
was there before.  In a push the rules and changes are automatically saved
before any attempt is made to push out to the firewalls.  I find it strange
that one firewall picked up your change and the other didn't but that's
basically the difference between a push/fetch.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of mikecc
Sent: Friday, October 12, 2001 4:48 PM
To: [email protected]
Subject: [FW-1] Difference between fetch and push

Hello,

I noticed something today that I never noticed before.  I had to
reboot a firewall and when the firewall came back up I was on the
console and did a "fw fetch" to get the latest policy from the Management
server, which happens to be a Provider-1 CMA.

All appeared ok, I even did a fw stat after the fact to see that
it got the proper policy.

However, one of the rules was not working the way we expected.  I
had made a change maybe an hour before to this particular rule, I
included the VRRP pair (of which the firewall I rebooted was a member
of) in the Install On column.  Prior to this change the rule did
not do what we wanted, it was just something I had to tweak.

So while running on the secondary after I fixed the rule, everything
worked fine.  But it appeared that when I did a fetch from the newly
restored master firewall it did not get that Install On change.

When I returned to my desk and pushed the policy out to the newly
restored Firewall the rule worked perfectly.

Is there a difference between what happens in a fetch and what happens
when a policy is pushed?

Mike

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================




 