Re: [FW-1] How to convert Single Gateway to Distributed config?



Can you push policy to the enforcement point from the management console (as
opposed to the fetch which is failing for you)?

Chris

-----Original Message-----
From: Nico De Ranter [mailto:[email protected]]
Sent: Monday, October 22, 2001 10:33 AM
To: [email protected]
Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?


On Mon, Oct 22, 2001 at 09:33:18AM -0400, David A. Gianna wrote:
> You can't split the management off of a Single Gateway firewall -- the license
> is for "management of a single enforcement point."
> An upgrade is needed if you have a single gateway for 25- to 250-users.

I have a license for an Enterprise Center with unlimited users. However, the machine
was set up as "everything-on-one-box". Migrating the license for the separate management
station was no problem. However, the communication between the two is a problem.
The firewall-module fails to get its config from the management box. Don't know why yet :-(

Nico

>
> If, however, you have an Enterprise Center (unlimited-users, mgmt, with or
> without encryption license), you may do this.
> But you have to visit the CheckPoint Licensing Center to migrate the license.
> You need the original Cert Key, the IP address of the firewall,
> and the IP address of the MANAGEMENT CONSOLE. So, you must split the license
> before you can split the installation.
>
> If there is any doubt, do an FW PRINTLIC to verify the features. If you have
> v4.1 (2000), then you will find your Cert Key in the output "CK-x yyyy zzzz"
>
>
> Dave Gianna, MS, CCSE, CCSI, NSA, ACE/ADM
> Technical Sales Engineer
> Security Technologies Group
> Westcon, Inc. <http://www.westcon.com/online/>
> 520 White Plains Road
> Tarrytown, NY 10591
>
> ====================================================
> "Sing bird of prey, Beauty begins at the foot of you
> Do you believe the manner?
> Cold stainless nail, Torn through the distance of man
> As they regard the summit ..."
>                        -- Jon Anderson/Yes
> ====================================================
>
> Richard Marshall <richard.marshall@NETDOCTOR.CO.UK>
> 10/22/01 08:59 AM
> Please respond to Mailing list for discussion of Firewall-1
>
> To: [email protected]
> cc: (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
> Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
>
> Hi,
>
> I used to have a similar problem (though not caused by splitting the
> management off). Even though the control.maps looked the same it turned out
> that the formatting of the files was affecting them. I seem to remember that
> I tried to use a control.map created on IPSO on an NT machine and it
> completely threw it, but on the IPSO it was fine.
>
> hope this is of some help.
>
> rich
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Nico De Ranter
> Sent: 22 October 2001 12:29
> To: [email protected]
> Subject: [FW-1] How to convert Single Gateway to Distributed config?
>
>
> Hi,
>
> I have a firewall running as "single gateway" on Solaris (sparc).
> I will need to manage a second firewall so I prefer to split the
> management module to a separate machine. According to the VPN-1/FW-1
> administration Guide (p.71) this should be possible by either
> reinstalling the firewall as "distributed setup" or "alternatively, you
> can reconfigure by manually modifying $FWDIR/conf/master...".
> Since reinstalling the firewall will mean too much downtime, I tried
> the second solution. After doing an "fw putkey" on both machines
> and restarting the management module I get the following output when
> trying to restart the firewall:
>
> ------------------
> FireWall-1: Starting fwd
> FireWall-1:  Starting fwm (Remote Management Server)
>
> FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
> Trying to fetch Security Policy from 192.168.1.1:
> FW: Received new control security key from 192.168.1.1
> Authentication for command fetch failed
> Fetching Security Policy from 192.168.1.1 failed
> Trying to fetch Security Policy from 10.1.1.1:
>
> Installing Security Policy policy on all.all@charon
> Fetching Security Policy from 10.1.1.1 succeeded
>
> FireWall-1: Starting cpmad (Malicious Activity Detection)
> FireWall-1 started
> -----------------
>
> Apparently the firewall can reach the management server but I
> always get "Authentication for command fetch failed". (Note: I checked
> lib/control.map on both machines, both contain the same encryption schemes,
> both servers run the same version of the firewall with the same encryption
> options)
>
> Any suggestions? Anybody done this before?
>
> Thanks in advance,
>
> Nico
>
> ---------------------------------------------------------
>  "It has been said that there are only two businesses that
>   refer to customers as users: illegal drug trade and
>                the computer industry."
> ---------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/VPE-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: [email protected]
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================