Re: [FW-1] How to convert Single Gateway to Distributed config?
Hi,

I used to have a similar problem (though not caused by splitting the management off). Even though the control.maps looked the same, it turned out that the formatting of the files was affecting them. I seem to remember that I tried to use a control.map created on IPSO on an NT machine and it completely threw it, but on the IPSO it was fine.

Hope this is of some help.

rich

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Nico De Ranter
Sent: 22 October 2001 12:29
To: [email protected]
Subject: [FW-1] How to convert Single Gateway to Distributed config?

Hi,

I have a firewall running as "single gateway" on Solaris (sparc). I will need to manage a second firewall, so I prefer to split the management module to a separate machine. According to the VPN-1/FW-1 administration Guide (p.71) this should be possible by either reinstalling the firewall as "distributed setup" or "alternatively, you can reconfigure by manually modifying $FWDIR/conf/master...".

Since reinstalling the firewall will mean too much downtime, I tried the second solution. After doing an "fw putkey" on both machines and restarting the management module, I get the following output when trying to restart the firewall:

------------------
FireWall-1: Starting fwd
FireWall-1: Starting fwm (Remote Management Server)
FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
Trying to fetch Security Policy from 192.168.1.1:
FW: Received new control security key from 192.168.1.1
Authentication for command fetch failed
Fetching Security Policy from 192.168.1.1 failed
Trying to fetch Security Policy from 10.1.1.1:
Installing Security Policy policy on all.all@charon
Fetching Security Policy from 10.1.1.1 succeeded
FireWall-1: Starting cpmad (Malicious Activity Detection)
FireWall-1 started
-----------------

Apparently the firewall can reach the management server but I always get "Authentication for command fetch failed".
(Note: I checked lib/control.map on both machines, both contain the same encryption schemes, both servers run the same version of the firewall with the same encryption options)

Any suggestions? Anybody done this before?

Thanks in advance,

Nico

---------------------------------------------------------
"It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [email protected]

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================