Re: [FW-1] How to convert Single Gateway to Distributed config?
On Mon, Oct 22, 2001 at 09:33:18AM -0400, David A. Gianna wrote:
> You can't split the management off of a Single Gateway firewall -- the license
> is for "management of a single enforcement point."
> An upgrade is needed if you have a single gateway for 25- to 250-users.

I have a license for an Enterprise Center with unlimited users. However, the
machine was set up as "everything-on-one-box". Migrating the license for the
separate management station was no problem. However, the communication between
the two is a problem. The firewall-module fails to get its config from the
management box. Don't know why yet :-(

Nico

>
> If, however, you have an Enterprise Center (unlimited-users, mgmt, with or
> without encryption license), you may do this.
> But you have to visit the CheckPoint Licensing Center to migrate the license.
> You need the original Cert Key, the IP address of the firewall,
> and the IP address of the MANAGEMENT CONSOLE. So, you must split the license
> before you can split the installation.
>
> If there is any doubt, do an FW PRINTLIC to verify the features. If you have
> v4.1 (2000), then you will find your Cert Key in the output "CK-x yyyy zzzz"
>
>
> Dave Gianna, MS, CCSE, CCSI, NSA, ACE/ADM
> Technical Sales Engineer
> Security Technologies Group
> Westcon, Inc. <http://www.westcon.com/online/>
> 520 White Plains Road
> Tarrytown, NY 10591
>
> ====================================================
> "Sing bird of prey, Beauty begins at the foot of you
> Do you believe the manner?
> Cold stainless nail, Torn through the distance of man
> As they regard the summit ..."
> -- Jon Anderson/Yes
> ====================================================
>
> Richard Marshall <richard.marshall@NETDOCTOR.CO.UK>
> 10/22/01 08:59 AM
> Please respond to Mailing list for discussion of Firewall-1
>
> To: [email protected]
> cc: (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
> Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
>
> Hi,
>
> I used to have a similar problem (though not caused by splitting the
> management off). Even though the control.maps looked the same it turned out
> that the formatting of the files was affecting them. I seem to remember that
> I tried to use a control.map created on IPSO on an NT machine and it
> completely threw it, but on the IPSO it was fine.
>
> Hope this is of some help.
>
> rich
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Nico
> De Ranter
> Sent: 22 October 2001 12:29
> To: [email protected]
> Subject: [FW-1] How to convert Single Gateway to Distributed config?
>
>
> Hi,
>
> I have a firewall running as "single gateway" on Solaris (sparc).
> I will need to manage a second firewall so I prefer to split the
> management module to a separate machine. According to the VPN-1/FW-1
> administration Guide (p.71) this should be possible by either
> reinstalling the firewall as "distributed setup" or "alternatively, you
> can reconfigure by manually modifying $FWDIR/conf/master...".
> Since reinstalling the firewall will mean too much downtime, I tried
> the second solution.
> After doing an "fw putkey" on both machines
> and restarting the management module I get the following output when
> trying to restart the firewall:
>
> ------------------
> FireWall-1: Starting fwd
> FireWall-1: Starting fwm (Remote Management Server)
>
> FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
> Trying to fetch Security Policy from 192.168.1.1:
> FW: Received new control security key from 192.168.1.1
> Authentication for command fetch failed
> Fetching Security Policy from 192.168.1.1 failed
> Trying to fetch Security Policy from 10.1.1.1:
>
> Installing Security Policy policy on all.all@charon
> Fetching Security Policy from 10.1.1.1 succeeded
>
> FireWall-1: Starting cpmad (Malicious Activity Detection)
> FireWall-1 started
> -----------------
>
> Apparently the firewall can reach the management server but I
> always get "Authentication for command fetch failed". (Note: I checked
> lib/control.map on both machines, both contain the same encryption schemes,
> both servers run the same version of the firewall with the same encryption
> options)
>
> Any suggestions? Anybody done this before?
>
> Thanks in advance,
>
> Nico
>
> ---------------------------------------------------------
> "It has been said that there are only two businesses that
> refer to customers as users: illegal drug trade and
> the computer industry."
> ---------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/VPE-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: [email protected]
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

---------------------------------------------------------
"It has been said that there are only two businesses that
refer to customers as users: illegal drug trade and
the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]