
Re: [FW-1] Changing firewall object IP address



Hi Lisa, maybe you can help me with a Stonebeat implementation that has all
certificates expired, even the CA certificate. Since all certificates are
expired, I can't monitor the cluster with the GUI, and the command "sbfc
status" returns:

sbfc verify error: Certificate has expired
ssl handshake failed

However, the cluster is working, and I have tried to generate and deploy new
certificates for all modules, clients and the GUI, but I still can't monitor
the cluster. Do you know any procedure to make it work again?

Thanks for your help,

Manuel Cabrera
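
The expired-certificate failure described above, as an added example that is not part of the original thread and not Stonebeat's own tooling: a POSIX shell script (needs the openssl command) that builds a throwaway CA and one node certificate, evaluates the chain at a chosen point in time with `openssl verify -attime`, and lists which certificates in the chain are past their notAfter using `openssl x509 -checkend`, so an expired CA can be told apart from an expired leaf. File names, subject names and the one-day lifetimes are hypothetical and chosen only so the expiry can be reproduced without waiting.

```shell
#!/bin/sh
# Constructed example: a two-level chain (CA + node cert) whose validity is
# checked against an arbitrary clock value, the way an "ssl handshake failed /
# certificate has expired" error would have to be diagnosed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, deliberately issued for only one day (hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Cluster CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Node certificate signed by that CA, also valid for one day (hypothetical name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=fw-node1" \
  -keyout "$WORK/node.key" -out "$WORK/node.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/node.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/node.pem" >/dev/null 2>&1

# Print a certificate's notAfter so the two dates can be compared by eye.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Verify leaf $2 against CA $1 as of Unix time $3.
# Prints "ok", "expired", or "failed: <openssl output>" for any other error.
verify_at() {
  if out=$(openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1); then
    echo ok
  elif echo "$out" | grep -q 'certificate has expired'; then
    echo expired
  else
    echo "failed: $out"
  fi
}

# Given Unix time $1 and a list of PEM files, print (space separated, one line)
# the basenames of the certificates whose notAfter lies before that time.
# -checkend counts seconds from the current clock, so the requested time is
# turned into an offset from now; past times collapse to "now".
expired_at() {
  t=$1; shift
  now=$(date +%s)
  offset=$(( t - now ))
  if [ "$offset" -lt 0 ]; then offset=0; fi
  names=""
  for f in "$@"; do
    if ! openssl x509 -noout -checkend "$offset" -in "$f" >/dev/null 2>&1; then
      names="$names $(basename "$f")"
    fi
  done
  echo "${names# }"
}

# Demonstration: the chain is fine today and fails three days from now.
NOW=$(date +%s)
LATER=$(( NOW + 3 * 86400 ))
echo "CA   notAfter: $(cert_not_after "$WORK/ca.pem")"
echo "node notAfter: $(cert_not_after "$WORK/node.pem")"
echo "verify now:     $(verify_at "$WORK/ca.pem" "$WORK/node.pem" "$NOW")"
echo "verify +3 days: $(verify_at "$WORK/ca.pem" "$WORK/node.pem" "$LATER")"
echo "expired at +3 days: $(expired_at "$LATER" "$WORK/ca.pem" "$WORK/node.pem")"
```

Evaluating the chain three days out reproduces the "certificate has expired" verification error. The point for a case like the one above is that OpenSSL's default chain check fails as long as any certificate in the chain, the CA included, is past its notAfter, so freshly issued module and GUI certificates signed by an expired CA still fail the time check; the CA's notAfter is the first thing to read.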

-----Original Message-----
From: Lisa Lorenzin [mailto:[email protected]]
Sent: Tuesday, November 06, 2001 7:51 AM
To: [email protected]
Subject: Re: [FW-1] Changing firewall object IP address


Mike,

I suggest you get a copy of the Stonebeat manual and read it thoroughly
before you go making any changes to the config on those firewalls.
Currently, they are set up exactly the way Stonebeat recommends; changing
the config in the way you're proposing is unnecessary (there are better
solutions to the problem you're trying to solve), unsupported by Stonebeat
(AFAIK), and likely to cause you other, larger problems.

Stonebeat classifies the external and internal interfaces as ONICs
(Operative interfaces), and the management interface as a CNIC (Control
interface).  The control interface can also be the heartbeat interface, or
you can have two separate interfaces there (one for heartbeat and one for
control).  We usually just used one CNIC for both heartbeat and control.

Unless something has changed in Stonebeat HA since
the last time I set it up, you have to have the CNIC separate from the
ONICs.  The manual clearly states that CNICs are dedicated to communication
between the firewalls and/or the management station, and that the IP address
of the firewall's hostname should be bound to the CNIC.

The people who originally set up the HA weren't crazy - they were following
directions.  I'm not a Stonebeat guru, but I've set it up about a half-dozen
times, and that has always been the recommended config.

If you can't work out the proper rules / routing to access the logs on the
management station from your internal network, one way around that is add a
second interface to the management station and connect that NIC to the
internal network...  (But you'll have to determine whether that poses
security risks in your environment.  Getting Checkpoint training and setting
up the access via the firewall rules is a much better option.)

BTW, the reason that the heartbeat / control net is on registered (by which
I assume you mean "not RFC1918") addresses may be to support your VPN
connectivity - if your VPN connections terminate to the IP address of the
firewall's hostname, the IP addresses used on the CNIC have to be routable
since they're the endpoint for the VPN.  We've had to do that in the past,
too...

It sounds like you have a standard Stonebeat HA with VPN support setup - I
strongly recommend that you either get Stonebeat training or at least read
the manual before you try to administer it, let alone make changes to it.
What you're suggesting, to move the firewall IP off the CNIC, will at the
very least break your VPNs as currently configured, and may well cause
problems with your HA communication (and hence your failover), too.

Hope this helps,

Lisa

Standard disclaimer:  the content of this message represents my personal
views, not those of my employer.

>>> [email protected] 11/05/2001 12:18:49 >>>
Thanks for the reply but I have to change the architecture because I have
done what you said and I cannot use the GUI client to get the logs from a
management server on the heartbeat network either. I've checked the rule
base very, very carefully - it's not the rules stopping it from working.

I hear you on the backup issue. I'm quite good at doing the backups before I
change stuff!

The real problem is that the heartbeat network is a registered address.
Crazy people did the original install. I'm left to pick up the pieces.

Thanks again,

Mike H

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================