
Re: [FW-1] How to convert Single Gateway to Distributed config?



On Mon, Oct 22, 2001 at 09:33:18AM -0400, David A. Gianna wrote:
> You can't split the management off of a Single Gateway firewall -- the license
> is for "management of a single enforcement point."
> An upgrade is needed if you have a single gateway for 25- to 250-users.

I have a license for an Enterprise Center with unlimited users. However, the machine
was set up as "everything-on-one-box". Migrating the license for the separate management
station was no problem.  However, the communication between the two is a problem.
The firewall-module fails to get its config from the management box. Don't know why yet :-(

Nico

>
> If, however, you have an Enterprise Center (unlimited-users, mgmt, with or
> without encryption license), you may do this.
> But you have to visit the CheckPoint Licensing Center to migrate the license.
> You need the original Cert Key, the IP address of the firewall,
> and the IP address of the MANAGEMENT CONSOLE. So, you must split the license
> before you can split the installation.
>
> If there is any doubt, do an FW PRINTLIC to verify the features. If you have
> v4.1 (2000), then you will find your Cert Key in the output "CK-x yyyy zzzz"
>
>
> Dave Gianna, MS, CCSE, CCSI, NSA, ACE/ADM
> Technical Sales Engineer
> Security Technologies Group
>> Westcon, Inc. <http://www.westcon.com/online/>
> 520 White Plains Road
> Tarrytown, NY 10591
>
> ====================================================
> "Sing bird of prey, Beauty begins at the foot of you
> Do you believe the manner?
> Cold stainless nail, Torn through the distance of man
> As they regard the summit ..."
>                        -- Jon Anderson/Yes
> ====================================================
>
>
>
>
> Richard Marshall <richard.marshall@NETDOCTOR.CO.UK>
> 10/22/01 08:59 AM
> Please respond to Mailing list for discussion of Firewall-1
>
> To:      [email protected]
> cc:      (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
> Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
>
> Hi,
>
> I used to have a similar problem (though not caused by splitting the
> management off). Even though the control.maps looked the same it turned out
> that the formatting of the files was affecting them. I seem to remember that
> I tried to use a control.map created on IPSO on an NT machine and it
> completely threw it, but on the IPSO it was fine.
>
> hope this is of some help.
>
> rich
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Nico
> De Ranter
> Sent: 22 October 2001 12:29
> To: [email protected]
> Subject: [FW-1] How to convert Single Gateway to Distributed config?
>
>
> Hi,
>
> I have a firewall running as "single gateway" on Solaris (sparc).
> I will need to manage a second firewall so I prefer to split the
> management module to a separate machine. According to the VPN-1/FW-1
> administration Guide (p.71) this should be possible by either
> reinstalling the firewall as "distributed setup" or "alternatively, you
> can reconfigure by manually modifying $FWDIR/conf/master...".
> Since reinstalling the firewall will mean too much downtime, I tried
> the second solution. After doing an "fw putkey" on both machines
> and restarting the management module I get the following output when
> trying to restart the firewall:
>
> ------------------
> FireWall-1: Starting fwd
> FireWall-1:  Starting fwm (Remote Management Server)
>
> FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
> Trying to fetch Security Policy from 192.168.1.1:
> FW: Received new control security key from 192.168.1.1
> Authentication for command fetch failed
> Fetching Security Policy from 192.168.1.1 failed
> Trying to fetch Security Policy from 10.1.1.1:
>
> Installing Security Policy policy on all.all@charon
> Fetching Security Policy from 10.1.1.1 succeeded
>
> FireWall-1: Starting cpmad (Malicious Activity Detection)
> FireWall-1 started
> -----------------
>
> Apparently the firewall can reach the management server but I
> always get "Authentication for command fetch failed". (Note: I checked
> lib/control.map on both machines, both contain the same encryption schemes,
> both servers run the same version of the firewall with the same encryption
> options)
>
> Any suggestions? Anybody done this before?
>
> Thanks in advance,
>
> Nico
>
> ---------------------------------------------------------
>  "It has been said that there are only two businesses that
>   refer to customers as users: illegal drug trade and
>                the computer industry."
> ---------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/VPE-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: [email protected]
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]
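
Added example, not part of the original thread: Rich's quoted reply describes two control.map files that looked the same but whose formatting differed between IPSO and NT. Assuming "formatting" means line endings or whitespace (the thread does not say which), this Python script classifies how two copies differ at the byte level; the sample lines are constructed placeholders, not real control.map syntax.

```python
import re
import sys

def describe_format(data: bytes) -> dict:
    """Report byte-level formatting traits that a visual comparison hides."""
    crlf = data.count(b"\r\n")
    return {
        "crlf": crlf,
        "lf": data.count(b"\n") - crlf,
        "bare_cr": data.count(b"\r") - crlf,
        "trailing_ws_lines": sum(
            1 for ln in data.splitlines() if ln != ln.rstrip(b" \t")),
        "final_newline": data.endswith((b"\n", b"\r")),
    }

def _unify_newlines(data: bytes) -> bytes:
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def _unify_whitespace(data: bytes) -> bytes:
    lines = [re.sub(rb"[ \t]+", b" ", ln).strip()
             for ln in _unify_newlines(data).split(b"\n")]
    return b"\n".join(lines).strip(b"\n")

def classify(a: bytes, b: bytes) -> str:
    """Name the weakest normalisation under which the two copies match."""
    if a == b:
        return "identical"
    if _unify_newlines(a) == _unify_newlines(b):
        return "line-endings-only"
    if _unify_whitespace(a) == _unify_whitespace(b):
        return "whitespace-only"
    return "content-differs"

# Constructed placeholder content (NOT real control.map syntax).
UNIX_COPY = b"entry-a : scheme-x\nentry-b : scheme-y\n"
NT_COPY = UNIX_COPY.replace(b"\n", b"\r\n")          # same text, CRLF endings
TABBED = b"entry-a :\tscheme-x  \nentry-b : scheme-y"  # tabs, trailing blanks
CHANGED = b"entry-a : scheme-x\nentry-b : scheme-z\n"  # a real content change

if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two files fetched from the two hosts
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:                   # no arguments: run on the constructed samples
        a, b = UNIX_COPY, NT_COPY
    print(classify(a, b))
    print(describe_format(a))
    print(describe_format(b))
```

Copy the files between hosts in binary mode before comparing, since an ASCII-mode transfer rewrites line endings and hides the difference being looked for.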
