Re: [FW-1] How to convert Single Gateway to Distributed config?



OK, your putkeys are messed-up.

www.phoneboy.com will solve your problem if you search for "putkey."

Chris

-----Original Message-----
From: Nico De Ranter [mailto:[email protected]]
Sent: Monday, October 22, 2001 11:08 AM
To: Chris Arnold
Cc: 'Mailing list for discussion of Firewall-1'
Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?


How do I do that?  If I use the GUI to connect to the management console and
do an install on the firewall I get:

Downloading security policy ... to charon
Authentication for command load failed
Failed to Download Security Policy on charon: Unauthorized action
Installing Security Policy on charon failed


Nico

On Mon, Oct 22, 2001 at 11:01:01AM -0400, Chris Arnold wrote:
> Can you push policy to the enforcement point from the management console
> (as opposed to the fetch which is failing for you)?
>
> Chris
>
> -----Original Message-----
> From: Nico De Ranter [mailto:[email protected]]
> Sent: Monday, October 22, 2001 10:33 AM
> To: [email protected]
> Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
>
>
> On Mon, Oct 22, 2001 at 09:33:18AM -0400, David A. Gianna wrote:
> > You can't split the management off of a Single Gateway firewall -- the
> > license is for "management of a single enforcement point."
> > An upgrade is needed if you have a single gateway for 25- to 250-users.
>
> I have a license for an Enterprise Center with unlimited users. However,
> the machine was set up as "everything-on-one-box". Migrating the license
> for the separate management station was no problem.  However the
> communication between the two is a problem. The firewall-module fails to
> get its config from the management box. Don't know why yet :-(
>
> Nico
>
> >
> > If, however, you have an Enterprise Center (unlimited-users, mgmt, with
> > or without encryption license), you may do this.
> > But you have to visit the CheckPoint Licensing Center to migrate the
> > license.
> > You need the original Cert Key, the IP address of the firewall,
> > and the IP address of the MANAGEMENT CONSOLE. So, you must split the
> > license before you can split the installation.
> >
> > If there is any doubt, do an FW PRINTLIC to verify the features. If you
> > have v4.1 (2000), then you will find your Cert Key in the output
> > "CK-x yyyy zzzz"
> >
> >
> > Dave Gianna, MS, CCSE, CCSI, NSA, ACE/ADM
> > Technical Sales Engineer
> > Security Technologies Group
> > Westcon, Inc. <http://www.westcon.com/online/>
> > 520 White Plains Road
> > Tarrytown, NY 10591
> >
> > ====================================================
> > "Sing bird of prey, Beauty begins at the foot of you
> > Do you believe the manner?
> > Cold stainless nail, Torn through the distance of man
> > As they regard the summit ..."
> >                        -- Jon Anderson/Yes
> > ====================================================
> >
> >
> >
> >
> > From: Richard Marshall <richard.marshall@NETDOCTOR.CO.UK>
> > Date: 10/22/01 08:59 AM
> > Please respond to Mailing list for discussion of Firewall-1
> > To: [email protected]
> > cc: (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
> > Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?
> >
> > Hi,
> >
> > I used to have a similar problem (though not caused by splitting the
> > management off). Even though the control.maps looked the same it turned
> > out that the formatting of the files was affecting them. I seem to
> > remember that I tried to use a control.map created on IPSO on an NT
> > machine and it completely threw it, but on the IPSO it was fine.
> >
> > hope this is of some help.
> >
> > rich
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[email protected]]On Behalf Of Nico
> > De Ranter
> > Sent: 22 October 2001 12:29
> > To: [email protected]
> > Subject: [FW-1] How to convert Single Gateway to Distributed config?
> >
> >
> > Hi,
> >
> > I have a firewall running as "single gateway" on Solaris (sparc).
> > I will need to manage a second firewall so I prefer to split the
> > management module to a separate machine. According to the VPN-1/FW-1
> > administration Guide (p.71) this should be possible by either
> > reinstalling the firewall as "distributed setup" or "alternatively, you
> > can reconfigure by manually modifying $FWDIR/conf/master...".
> > Since reinstalling the firewall will mean too much downtime, I tried
> > the second solution. After doing an "fw putkey" on both machines
> > and restarting the management module I get the following output when
> > trying to restart the firewall:
> >
> > ------------------
> > FireWall-1: Starting fwd
> > FireWall-1:  Starting fwm (Remote Management Server)
> >
> > FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
> > Trying to fetch Security Policy from 192.168.1.1:
> > FW: Received new control security key from 192.168.1.1
> > Authentication for command fetch failed
> > Fetching Security Policy from 192.168.1.1 failed
> > Trying to fetch Security Policy from 10.1.1.1:
> >
> > Installing Security Policy policy on all.all@charon
> > Fetching Security Policy from 10.1.1.1 succeeded
> >
> > FireWall-1: Starting cpmad (Malicious Activity Detection)
> > FireWall-1 started
> > -----------------
> >
> > Apparently the firewall can reach the management server but I
> > always get "Authentication for command fetch failed". (Note: I checked
> > lib/control.map on both machines, both contain the same encryption
> > schemes, both servers run the same version of the firewall with the same
> > encryption options)
> >
> > Any suggestions? Anybody done this before?
> >
> > Thanks in advance,
> >
> > Nico
> >
> > ---------------------------------------------------------
> >  "It has been said that there are only two businesses that
> >   refer to customers as users: illegal drug trade and
> >                the computer industry."
> > ---------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/VPE-B)
> > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: [email protected]
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================
> >
===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
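
Added example, not part of the original thread or of Check Point's tooling: a small parser for the startup output quoted above that reports, for each address the module tried as a master, whether the fetch succeeded and whether authentication was rejected on the way. The patterns are taken only from the lines shown in the thread; the function names `parse_fetch` and `putkey_suspects` are hypothetical.

```python
import re

# Sample input: the startup output quoted in the thread above.
SAMPLE = """\
FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
Trying to fetch Security Policy from 192.168.1.1:
FW: Received new control security key from 192.168.1.1
Authentication for command fetch failed
Fetching Security Policy from 192.168.1.1 failed
Trying to fetch Security Policy from 10.1.1.1:

Installing Security Policy policy on all.all@charon
Fetching Security Policy from 10.1.1.1 succeeded
"""

MASTERS = re.compile(r"FireWall-1: Fetching Security Policy from (.+)$")
TRYING = re.compile(r"Trying to fetch Security Policy from (\S+):$")
AUTH = re.compile(r"Authentication for command (\w+) failed$")
RESULT = re.compile(r"Fetching Security Policy from (\S+) (failed|succeeded)$")


def _blank():
    return {"status": "not tried", "auth_failed": None}


def parse_fetch(log):
    """Map each master address to its fetch status and any rejected command."""
    results, current = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        if m := MASTERS.match(line):        # list of masters to be tried
            for host in m.group(1).split():
                results.setdefault(host, _blank())
        elif m := TRYING.match(line):       # start of one attempt
            current = m.group(1)
            results.setdefault(current, _blank())["status"] = "no result"
        elif m := AUTH.match(line):         # rejection belongs to the attempt in progress
            if current:
                results[current]["auth_failed"] = m.group(1)
        elif m := RESULT.match(line):       # final outcome for one master
            results.setdefault(m.group(1), _blank())["status"] = m.group(2)
    return results


def putkey_suspects(results):
    """Masters that answered but rejected authentication (the putkey diagnosis in the reply)."""
    return [host for host, r in results.items() if r["auth_failed"]]
```

On the quoted output this separates the address that rejected the `fetch` command from the one that served the policy, which is the pair of addresses to compare when re-doing the key exchange.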



 