
[FW-1] Re: [FW-1] locked out of gui client



Hello

HYPOTHESIS: your management console and firewall module are on the SAME
machine...

So => no other problems as of now... (e.g. VPN, auth, ...)

1) First on your module: %FW1%/bin/fw unloadlocal => this will re-enable
control communications as a standard but drop all other connections!!!
MAKE SURE YOU WILL NOT DISTURB YOUR PROD BEFORE DOING IT, get someone to
sign it before you act! Your firewall still functions as per the last
security policy loaded.
To get the n-1 version on the module you can do a fw fetch localhost.

2) Then in your management console you have
either to recreate a control rule to re-enable service CPMI running on port
18191
SRC = gui, DST = FW/MNGT, Serv = CPMI, Action = Accept, Log = Track
or re-enable the implicits

3) You have to retest your SIC status in your fw object (just in
case... :-))

4) Reinstall policy, it should be ok.

In the future, I strongly advise you to go methodically through each line
of the implied rules,
understand them,
then explicitly enable those that make sense for you
(that's what we do during our classes)

It will help you suppress both:
- potential security risks created by implied rules (fw1_topo,
cp_exnet_resolve, icmp, ...)
- possible production issues created by suppressing blindly the implied
rules

Comments anyone ?

Ivan


Matt Ryanczak <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
11/11/2002 21:57
Please reply to Mailing list for discussion of Firewall-1


        To:  [email protected]
        cc:
        Subject: [FW-1] locked out of gui client

Greetings FW-1 Gurus. We had a bit of a snafu here at our office and I
was hoping that you might be able to help.

We're running FW-1 NGsp2 on a Sun E220 w/ Solaris 8

We've accidentally disabled our access to the firewall using the Policy
editor. Specifically, we went into the Implied Rules of the Global
Properties and disabled the "Accept VPN-1 & Firewall-1 Control
Connections" check box. Now we cannot get into the firewall. I reckon we
should have made a rule to allow access from our internal network first.

Can anyone tell me how to either roll back the last policy update or
perhaps edit the conf by hand and restart the FW-1 to give us access?

Thanks in advance,
Matt Ryanczak
[email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================