What I meant to say was that we don't have a management station, just the IP440. It would be sweet if we had one, so we could just push the policy.
As Greg recommends, I will load ipso 3.5-FCS10 on the redundant firewall, as well as FW1 4.1 SP6.
Having done that, I guess I will check the conf and lib directories to see which files I should bring over.
I will copy over almost every file from the state and database directories, files I have modded in the lib directory, and as for the conf dir, I will bring over the following files:
The most recent *.W policy file
All *.conf files
auth.C
cp.license
cp.macro
default.W
external.if
fgrulebases.fws
fwauth.NDBBKP
fwmusers
gui-clients
logviewer.C
objects.C
rulebases.fws
Bringing over these files, I may not have to run cpconfig (gui-clients, fwmusers) or install the license strings (cp.license) hopefully.
Have I missed anything? Have I assumed incorrectly?
Thanks,
Alan.
At 06:00 AM 12/16/2003, [EMAIL PROTECTED] wrote:
Agree with Greg's point about the IPSO version.
I wouldn't manually copy any files - when you say "no management console" do you mean the IP440 is just an enforcement module? If that's the case then I would just load IPSO, load CP and run cpconfig on the standby. Then push the policy from the management station to it. Obviously you'll either need to take the first firewall off-line or build a test lab as the two firewalls have the same IP address.
Huiqi
"Pendergrass, Greg" <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
To: [EMAIL PROTECTED]
cc:
Subject: Re: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall
You have to match the version of IPSO with the version of checkpoint you want to run. IPSO 3.7 is for NG-AI only, so run a version compatible with checkpoint 4.1 SP6, which is IPSO 3.5.
Since this unit is going to be a cold-swap you want to match software versions exactly so there will be nothing to chance when it is used.
GP
-----Original Message-----
From: Alan Choyna [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 05:18
To: [EMAIL PROTECTED]
Subject: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall
Hey gurus,
I'm in the process of building a redundant (cold swap) firewall for one of my clients.
Our client just has the one Nokia IP440 firewall with no management console, and since they don't wish to pay for a 2nd license, the redundant firewall will be cold swap.
The original and the new redundant FWs are both Nokia IP440s, the original with ipso 3.5-FCS10; the redundant will come with ipso 3.7. With the exception of the original IP440 having the disk mirroring option, they are both physically configured identically.
What I intend to do is ensure that they both have the same version of FW (4.1 sp6), and then copy across the conf, database and state directory files from the original FW to the new FW's equivalent directories, as well as any files modified in the lib directory. Then I apply the licences to the new Firewall.
Does this sound correct? Have I missed anything? Can anyone foresee any problems I may encounter?
Your advice will be greatly appreciated.
Another way I could do this would be to take one of the mirrored disks from the original IP440 (it came with the mirroring option), and place it in the new firewall. The only thing stopping me from doing this is the doubt regarding how the mirroring is done (software vs hardware). As the redundant firewall does not come with the mirroring option, would this method work? Does anyone know how the mirroring is done?
If I could do that, then I would place the disk from the redundant firewall into the original firewall when it realizes that a disk is missing (emulating a disk failure) and requests a replacement disk.
Thanks in advance.
Alan
