
[FW-1] Loss license after adding an IP address to an internal Interface



Hello everyone,

Yesterday afternoon I had the bad idea to add a subnet
to an existing internal interface. (192.168.43.0/24)

I did this (FW-1 Gateway/50 4.1 SP4 on NT server 4.0 SP6A):

Add a new "Interface" to my Firewall object as:
    192.168.43.1 mask 255.255.255.0 and
    redefine the antispoofing rules for all the
    subnets defined as Interface for that particular
    interface. This is on the EMPCI3 physical interface
Add an object in that subnet DMZ-TEST as 192.168.43.2
Add a static NAT public address object for it 205.x.y.2
Add 2 manual entries for NAT between 192.168.43.2 and 205.x.y.2
Save the rule
Compile and install the rule

All was OK up to that point as far as the
FW-1 was up and running applying all my policies...

P.S. I don't need any entry in local.arp as the router
     in front of the FW-1 routes all traffic for 205.x.y.0/24
     to 205.a.b.190, the external address of the FW-1.

Next:

Add the 192.168.43.1 mask 255.255.255.0 to the Interface
via the Windows NT Network Properties

The only thing remaining: To do a route add 205.x.y.2 mask 255.255.255.255 192.168.43.3 -p
                          after the reboot...

When I rebooted the system I got these error messages in
my system event log and the FW-1 did not load the policies:
(I concatenated multi-part messages)

   FW1: FwSetDefaultPolicy: no boot policy specified!
   FW1: Attached to \Device\EMPCI2
   FW1: Attached to \Device\EMPCI3
   FW1: Attached to \Device\EMPCI4
   FW1: Attached to \Device\EMPCI1
   FW1: Informatory: the current VPN-1 & FireWall-1 license allows only 25 internal hosts.
   FW1: If this is different from the license you intended to purchase,
        ensure that you have the correct license
   FW1: See http://license.checkpoint.com/license_center_faq.html for troubleshooting.
   FW1: FW-1: No valid license
   FW1: FW-1: No valid license

I should normally receive these messages when I boot or start FW-1:

   FW1: FwSetDefaultPolicy: no boot policy specified!
   FW1: FwSetDefaultPolicy: no boot policy specified!
   FW1: Attached to \Device\EMPCI2
   FW1: Attached to \Device\EMPCI3
   FW1: Attached to \Device\EMPCI4
   FW1: Attached to \Device\EMPCI1
   FW1: FW-1: only 50 internal hosts allowed
   FW1: FW-1: setting external interface to EMPCI1


P.S. My 50 user license is "bound" to the external
     interface IP address which is 205.a.b.190 (On EMPCI1)
     not to an IP address of one of the three internal interfaces

So I had to finish later, got lots of grief from unhappy users
and had to reload last night's backup of the firewall configuration
to restart it...

So to summarize: the fact that I added in Windows NT an IP address to
an existing internal interface (EMPCI3) made my license,
bound to the EMPCI1 interface, become invalid.

Has anyone already seen that behavior?

Note: Right now I have implemented what I wanted to do using
      another method which did not need a new subnet added to
      an existing interface but which uses an existing subnet
      of that interface, with the same changes needed to the
      FW objects and policies, and it works.

      When I was using an evaluation license I initially
      activated, in the network properties of NT, only
      three interfaces; when I tried to activate the fourth
      one I got the same problem. When I rebuilt the
      firewall and installed my permanent license I took
      care to configure all four interfaces with all
      their subnets before I installed FW-1, so I did not
      have a problem. I was thinking it was an "evaluation
      license" limitation, but right now I know it is not...




------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------
