arp -a
which will show you the IP Address to MAC Address mapping. You can then run
arp -d <IP Address>
to delete the entry for the old MAC address. The server should then see the new MAC address associated with that IP address, which you can confirm with arp -a again. The command may vary depending on the operating system. This works for Windows.
Ray Pesek, CISSP
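An added example, not part of Ray's reply or of the thread: a small Python check that parses `arp -a` output in the Windows layout and reports whether a server still caches the old firewall's MAC address for the firewall's IP, which is the condition `arp -d` clears. The sample output, IP addresses, MAC addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_OUTPUT = """
Interface: 10.0.0.25 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              02-00-00-aa-00-01     dynamic
  10.0.0.30             02-00-00-bb-00-30     dynamic
  10.0.0.40             02-00-00-cc-00-40     static
"""

# One table row: IPv4 address, MAC (dash or colon separated), entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)


def normalize_mac(mac):
    """Lower-case and dash-separate a MAC so different notations compare equal."""
    return mac.replace(":", "-").lower()


def parse_arp_table(text):
    """Return {ip: (mac, type)}; with several interfaces the last entry per IP wins."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (normalize_mac(mac), kind.lower())
    return table


def check_firewall_entry(text, firewall_ip, expected_mac):
    """Classify the cached ARP entry for the firewall's IP after a hardware swap."""
    entry = parse_arp_table(text).get(firewall_ip)
    if entry is None:
        return "absent"  # nothing cached; the next packet triggers a fresh ARP request
    mac, kind = entry
    if mac == normalize_mac(expected_mac):
        return "current"
    # A static entry does not age out, so it has to be deleted or replaced by hand.
    return "stale-static" if kind == "static" else "stale-dynamic"
```

Feed it the text of `arp -a` collected from each server after the swap; any result starting with `stale` marks a host where the old entry still needs `arp -d`.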
From: Alan Choyna <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall
Date: Fri, 2 Jan 2004 11:50:18 -0600
Thanks for your assistance gents.
I did a fresh install of IPSO 3.5FCS10 and FW-1 4.1 SP6, and then copied over the backup I made on the production firewall.
After the restore all things seemed fine, except the output of the cpconfig page on Voyager was incorrect, and the modded files in the lib dir had not been taken across (even with the full backup).
After copying over the modded lib files, and then running cpconfig from the command line, all seems to be working fine now.
The only problem now is when I swap over the firewalls. It seems that the servers and switches do not recognize the new firewall as the MAC address has changed.
When I reboot the switches some of the servers seem to work, but some do not seem to connect to the new firewall at all, even after 10 minutes.
Can anyone advise me on what I can do to get the servers to work with the new firewall quickly (this is a large commercial website that cannot afford any downtime)?
Thanks,
Alan.
At 05:24 AM 12/19/2003, [EMAIL PROTECTED] wrote:
Good idea, Joe! Obviously that's the way to do it!
Huiqi
Joe <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
To: [EMAIL PROTECTED]
cc:
Subject: Re: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall
18/12/2003 09:07
Please respond to Mailing list for discussion of Firewall-1
Hi Alan,
I agree that you should install the same versions for IPSO and FW-1.
Then you can perform a backup over the voyager and transfer the backup file to an ftp-server. But be careful that only authorized people have access to it! This should be done periodically.
If a failure occurs you can put the backup-file on the cold stand-by machine and perform a restore from the voyager. Keep in mind that you have to put the license manually on the cold-standby machine.
The transfer of the backup-files could also be done over scp by a cronjob.
HTH.
Joe
Alan Choyna wrote:
> Thanks for the replies Greg and Huiqi,
>
> What I meant to say was that we don't have a management station, just the
> IP440. It would be sweet if we had one, so we could just push the policy.
>
> As Greg recommends, I will load ipso 3.5-FCS10 on the redundant firewall,
> as well as FW1 4.1 SP6.
>
> Having done that, I guess I will check the conf and lib directories to see
> which files I should bring over.
>
> I will copy over almost every file from the state and database directories,
> files I have modded in the lib directory, and as for the conf dir, I will
> bring over the following files:
> The most recent *.W policy file
> All *.conf files
> auth.C
> cp.license
> cp.macro
> default.W
> external.if
> fgrulebases.fws
> fwauth.NDBBKP
> fwmusers
> gui-clients
> logviewer.C
> objects.C
> rulebases.fws
>
> Bringing over these files, I may not have to run cpconfig (gui-clients,
> fwmusers) or install the license strings (cp.license) hopefully.
>
> Have I missed anything? Have I assumed incorrectly?
>
> Thanks,
>
> Alan.
>
>
> At 06:00 AM 12/16/2003, [EMAIL PROTECTED] wrote:
>
>> Agree with Greg's point about the IPSO version.
>>
>> I wouldn't manually copy any files - when you say "no management console"
>> do you mean the IP440 is just an enforcement module? If that's the case
>> then I would just load IPSO, load CP and run cpconfig on the standby. Then
>> push the policy from the management station to it. Obviously you'll either
>> need to take the first firewall off-line or build a test lab as the two
>> firewalls have the same IP address.
>>
>> Huiqi
>>
>>
>> "Pendergrass, Greg" <[EMAIL PROTECTED]>
>> Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
>> To: [EMAIL PROTECTED]
>> cc:
>> Subject: Re: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall
>>
>> You have to match the version of IPSO with the version of checkpoint you
>> want to run. IPSO 3.7 is for NG-AI only, so run a version compatible with
>> checkpoint 4.1 SP6, which is IPSO 3.5.
>>
>> Since this unit is going to be a cold-swap you want to match software
>> versions exactly so there will be nothing to chance when it is used.
>>
>> GP
>>
>> -----Original Message-----
>> From: Alan Choyna [mailto:[EMAIL PROTECTED]
>> Sent: 16 December 2003 05:18
>> To: [EMAIL PROTECTED]
>> Subject: [FW-1] Directories/Files required for configuring redundant
>> Nokia IP440 firewall
>>
>>
>> Hey gurus,
>>
>> I'm in the process of building a redundant (cold swap) firewall for one of
>> my clients.
>>
>> Our client just has the one Nokia IP440 firewall with no management
>> console, and since they don't wish to pay for a 2nd license, the redundant
>> firewall will be cold swap.
>>
>> The original and the new redundant FW's are both Nokia IP440's, the
>> original with ipso 3.5-FCS10 the redundant will come with ipso 3.7. With
>> the exception of the original IP440 having the disk mirroring option, they
>> are both physically configured identically.
>>
>> What I intend to do is ensure that they both have the same version of FW
>> (4.1 sp6), and then copy across the conf, database and state directory
>> files from the original FW to the new FW's equivalent directories, as well
>> as any files modified in the lib directory. Then I apply the licences to
>> the new Firewall.
>>
>> Does this sound correct? Have I missed anything? Can anyone foresee any
>> problems I may encounter?
>>
>> Your advice will be greatly appreciated.
>>
>> Another way I could do this would be to take one of the mirrored disks from
>> the original IP440 (it came with the mirroring option), and place it in the
>> new firewall. The only thing stopping me from doing this is the doubt
>> regarding how the mirroring is done (software vs hardware). As the
>> redundant firewall does not come with the mirroring option, would this
>> method work? Does anyone know how the mirroring is done?
>>
>> If I could do that, then I would place the disk from the redundant firewall
>> into the original firewall when it realizes that a disk is missing
>> (emulating a disk failure) and requests a replacement disk.
>>
>> Thanks in advance.
>>
>> Alan
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
Alan C. Choyna Senior Consultant
Pathfinder Associates, LLC
http://www.pathfinderassoc.com
Internet Strategy Business Consultants
mailto:[EMAIL PROTECTED]
Business telephone (312) 372-1058. Mobile (773) 255-6662
