Re: [FW-1] Copying FW-1 to another machine

There is a set procedure to follow for moving from one dissimilar Firewall server to another if you are experiencing problems with your current Firewall. If you are using the same Version and Build (SP), copying all FW1 directories will work. You will have to modify the local.arp with the correct gateway MAC address. Static routes will have to be manually updated, or the corresponding NT registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes moved from one to the other (not recommended).

Note: If this is an NT domain server you will need to delete the old server name and rejoin the domain on the new server from a workgroup.

Here are some recommended steps if the above method gives you trouble. Back up the following files. (These are small enough for a single floppy. Put the State, Conf, and Database Dirs on separate floppies.) The files in particular are:

    $FWDIR/conf/objects.*
    $FWDIR/conf/*.W
    $FWDIR/conf/*.pf
    $FWDIR/conf/*.fws
    $FWDIR/conf/fwauth.NDB*
    $FWDIR/state/*.*
    $FWDIR/database/*.*

Additionally, "to transfer the User database from the old Firewall-1 to the new Firewall-1, execute:

    $FWDIR/bin/fw dbexport -f outfile.txt

then,

    $FWDIR/bin/fw dbimport -f outfile.txt".

Then do this step by renaming the old and new objects.c to the new firewall as object1.c and object2.c and, at the Command Prompt, running:

    fw confmerge object1.C object2.C > objects.C

Please note that the greater than > is required. This merges the old and the new Firewall objects.c into a single merged file. You will also need to verify static routes in the routing table and update the local.arp file with the correct MAC address of the NIC gateway. Your Authkeys.C and internalCA.DB keys should also be copied from the old to the new server. I will tell you that I have only a few VPN users, and when I do a major upgrade it is not too hard for someone to do a dialup into the local RAS server and then to update and rebind SecuRemote to the adapters.

There are procedures that vary for NT, Unix, and other platforms. Phoneboy and the FW1 archives are an excellent resource to gather information on particular problems. I do not know what platform your Firewall is running on, so I hope this info is of some help. I currently have two identical NT servers, and I Ghost clone one to the other. If one fails, which it has, I simply do some of the required steps above, turn on the spare and do some other required NT domain steps, reboot, and people are back in business. Total down time about 5 minutes "ideally".

-----Original Message-----
From: Matt Lock [mailto:[email protected]]
Sent: Wednesday, March 20, 2002 9:17 AM
To: [email protected]
Subject: [FW-1] Copying FW-1 to another machine

Hi

I need to rebuild my Firewall (Version 4.1 SP3) and I need to put a temporary Firewall in while I do this. I want to move the existing Firewall Config to another box while I re-build the present machine. I don't want to lose all my Certificate Keys, 4 VPNs and all the rulebase/NAT tables.

Can I install the same version of FW-1 and simply copy over the \fw1 directory (with all its sub-directories) to the temporary box?

Here's hoping!

Matt.
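
The backup step from the reply above, as an added example that is not part of the original thread: it archives the listed $FWDIR files with owner-only permissions and records a SHA-256 hash per file, so the copy can be checked in a staging directory on the new machine before anything is merged. It assumes a Unix install with POSIX sh, tar and sha256sum; the function and output file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function and file names are hypothetical.
# Assumes a Unix FireWall-1 install plus POSIX sh, tar and sha256sum.

# Glob patterns from the message, relative to $FWDIR.
FW1_PATTERNS='conf/objects.* conf/*.W conf/*.pf conf/*.fws conf/fwauth.NDB* state/*.* database/*.*'

# fw1_backup FWDIR OUTDIR
# Writes OUTDIR/fw1-backup.tar and OUTDIR/fw1-backup.sha256 (one hash per file).
fw1_backup() {
    [ -d "$1/conf" ] || { echo "no conf directory under $1" >&2; return 1; }
    (
        umask 077                       # rulebase and user database: owner-only
        src=$1
        mkdir -p "$2" && out=$(cd "$2" && pwd) && cd "$src" || exit 1
        set --                          # reuse "$@" as the list of files found
        for f in $FW1_PATTERNS; do      # unquoted on purpose so the globs expand
            if [ -f "$f" ]; then set -- "$@" "$f"; fi
        done
        [ "$#" -gt 0 ] || { echo "no files matched under $src" >&2; exit 1; }
        sha256sum "$@" > "$out/fw1-backup.sha256" &&
            tar -cf "$out/fw1-backup.tar" "$@"
    )
}

# fw1_verify OUTDIR STAGING
# Unpacks into a staging directory on the new machine and checks every hash,
# so nothing is copied into $FWDIR or fed to fw confmerge until it verifies.
fw1_verify() {
    (
        umask 077
        out=$(cd "$1" && pwd) && mkdir -p "$2" && cd "$2" || exit 1
        tar -xf "$out/fw1-backup.tar" &&
            sha256sum -c "$out/fw1-backup.sha256" > /dev/null
    )
}
```

Authkeys.C and internalCA.DB are not in the pattern list because the message does not say where they live; treat any archive that includes them as key material.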