Re: [FW-1] How to convert Single Gateway to Distributed config?
OK, your putkeys are messed-up. www.phoneboy.com will solve your problem if
you search for "putkey."

Chris

-----Original Message-----
From: Nico De Ranter [mailto:[email protected]]
Sent: Monday, October 22, 2001 11:08 AM
To: Chris Arnold
Cc: 'Mailing list for discussion of Firewall-1'
Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?

How do I do that? If I use the GUI to connect to the management console and
do an install on the firewall I get:

Downloading security policy ... to charon
Authentication for command load failed
Failed to Download Security Policy on charon: Unauthorized action
Installing Security Policy on charon failed

Nico

On Mon, Oct 22, 2001 at 11:01:01AM -0400, Chris Arnold wrote:
> Can you push policy to the enforcement point from the management console (as
> opposed to the fetch which is failing for you)?
>
> Chris
>
> -----Original Message-----
> From: Nico De Ranter [mailto:[email protected]]
> Sent: Monday, October 22, 2001 10:33 AM
> To: [email protected]
> Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
>
> On Mon, Oct 22, 2001 at 09:33:18AM -0400, David A. Gianna wrote:
> > You can't split the management off of a Single Gateway firewall -- the license
> > is for "management of a single enforcement point."
> > An upgrade is needed if you have a single gateway for 25- to 250-users.
>
> I have a license for an Enterprise Center with unlimited users. However the
> machine was set up as "everything-on-one-box". Migrating the license for the
> separate management station was no problem. However the communication
> between the two is a problem. The firewall-module fails to get its config
> from the management box. Don't know why yet :-(
>
> Nico
>
> > If, however, you have an Enterprise Center (unlimited-users, mgmt, with or
> > without encryption license), you may do this.
> > But you have to visit the CheckPoint Licensing Center to migrate the license.
> > You need the original Cert Key, the IP address of the firewall,
> > and the IP address of the MANAGEMENT CONSOLE. So, you must split the license
> > before you can split the installation.
> >
> > If there is any doubt, do an FW PRINTLIC to verify the features. If you have
> > v4.1 (2000), then you will find your Cert Key in the output "CK-x yyyy zzzz"
> >
> > Dave Gianna, MS, CCSE, CCSI, NSA, ACE/ADM
> > Technical Sales Engineer
> > Security Technologies Group
> > Westcon, Inc. <http://www.westcon.com/online/>
> > 520 White Plains Road
> > Tarrytown, NY 10591
> >
> > ====================================================
> > "Sing bird of prey, Beauty begins at the foot of you
> > Do you believe the manner?
> > Cold stainless nail, Torn through the distance of man
> > As they regard the summit ..."
> > -- Jon Anderson/Yes
> > ====================================================
> >
> > Richard Marshall <richard.marshall@NETDOCTOR.CO.UK>
> > 10/22/01 08:59 AM
> > Please respond to Mailing list for discussion of Firewall-1
> >
> > To: [email protected]
> > cc: (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
> > Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
> >
> > Hi,
> >
> > I used to have a similar problem (though not caused by splitting the
> > management off). Even though the control.maps looked the same it turned out
> > that the formatting of the files was affecting them. I seem to remember that
> > I tried to use a control.map created on IPSO on an NT machine and it
> > completely threw it, but on the IPSO it was fine.
> >
> > hope this is of some help.
> >
> > rich
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[email protected]]On Behalf Of Nico
> > De Ranter
> > Sent: 22 October 2001 12:29
> > To: [email protected]
> > Subject: [FW-1] How to convert Single Gateway to Distributed config?
> >
> > Hi,
> >
> > I have a firewall running as "single gateway" on Solaris (sparc).
> > I will need to manage a second firewall so I prefer to split the
> > management module to a separate machine. According to the VPN-1/FW-1
> > administration Guide (p.71) this should be possible by either
> > reinstalling the firewall as "distributed setup" or "alternatively, you
> > can reconfigure by manually modifying $FWDIR/conf/master...".
> > Since reinstalling the firewall will mean too much downtime, I tried
> > the second solution. After doing an "fw putkey" on both machines
> > and restarting the management module I get the following output when
> > trying to restart the firewall:
> >
> > ------------------
> > FireWall-1: Starting fwd
> > FireWall-1: Starting fwm (Remote Management Server)
> >
> > FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
> > Trying to fetch Security Policy from 192.168.1.1:
> > FW: Received new control security key from 192.168.1.1
> > Authentication for command fetch failed
> > Fetching Security Policy from 192.168.1.1 failed
> > Trying to fetch Security Policy from 10.1.1.1:
> >
> > Installing Security Policy policy on all.all@charon
> > Fetching Security Policy from 10.1.1.1 succeeded
> >
> > FireWall-1: Starting cpmad (Malicious Activity Detection)
> > FireWall-1 started
> > -----------------
> >
> > Apparently the firewall can reach the management server but I
> > always get "Authentication for command fetch failed". (Note: I checked
> > lib/control.map on both machines, both contain the same encryption schemes,
> > both servers run the same version of the firewall with the same encryption
> > options)
> >
> > Any suggestions? Anybody done this before?
> >
> > Thanks in advance,
> >
> > Nico
> >
> > ---------------------------------------------------------
> > "It has been said that there are only two businesses that
> > refer to customers as users: illegal drug trade and
> > the computer industry."
> > ---------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/VPE-B)
> > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: [email protected]
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================
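
The startup output quoted in this thread can be triaged mechanically. The following is an added example, not part of the original messages and not Check Point code: it parses fetch output of the form shown above and reports which master rejected the fetch (the condition Chris attributes to the putkeys) and whether the policy that was finally installed came from a later entry in the masters list. The function names are hypothetical; the sample log is the one Nico posted, with the banner lines trimmed.

```python
import re

# Gateway startup output as quoted in the thread (banner lines trimmed).
SAMPLE_LOG = """\
FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
Trying to fetch Security Policy from 192.168.1.1:
FW: Received new control security key from 192.168.1.1
Authentication for command fetch failed
Fetching Security Policy from 192.168.1.1 failed
Trying to fetch Security Policy from 10.1.1.1:

Installing Security Policy policy on all.all@charon
Fetching Security Policy from 10.1.1.1 succeeded
"""

TRY = re.compile(r"Trying to fetch Security Policy from (\S+):\s*$")
AUTH = re.compile(r"Authentication for command fetch failed")
RESULT = re.compile(r"Fetching Security Policy from (\S+) (failed|succeeded)")


def parse_fetch_attempts(log):
    """Return one dict per master tried: master, auth_failed, result."""
    attempts, current = [], None
    for line in map(str.strip, log.splitlines()):
        m = TRY.search(line)
        if m:
            current = {"master": m.group(1), "auth_failed": False, "result": None}
            attempts.append(current)
        elif current is not None:
            if AUTH.search(line):
                current["auth_failed"] = True
            m = RESULT.search(line)
            if m and m.group(1) == current["master"]:
                current["result"] = m.group(2)
    return attempts


def triage(log):
    """Report masters that rejected the key and where the policy came from."""
    attempts = parse_fetch_attempts(log)
    rejected = [a["master"] for a in attempts if a["auth_failed"]]
    source = next((a["master"] for a in attempts if a["result"] == "succeeded"), None)
    # A policy taken from any master other than the first one tried means the
    # gateway fell through its masters list after a failed attempt.
    fell_through = source is not None and source != attempts[0]["master"]
    return {"rejected": rejected, "policy_source": source, "fell_through": fell_through}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```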