Are you allowing control connections via implied rules?
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Corrado Motta
Sent: Tuesday, July 27, 2010 9:23 AM
To: [email protected]
Subject: [FW-1] VPN: Remote module central managed
Hi Gurus,
We need your help.
Situation:
A) All the FW are NGXR65_70 on SPLAT
B) Design:
Mngmnt----------FW (cluster HA)----- Internet---- remoteFW (managet from Mngmnt)
C) NAT Rules

   Original Packet                                  Translated Packet                           Install On
   remoteFW --> Mngmnt (ANY)                        =Original --> External IP FW (cluster HA)   remoteFW
   Mngmnt --> remoteFW (ANY)                        External IP FW (cluster HA) --> =Original   FW (cluster HA)
   remoteFW (ANY) --> External IP FW (cluster HA)   =Original --> Mngmnt                        FW (cluster HA)

D) Security Rules

   Source     Destination                   Service   Action   Install On
   remoteFW   External IP FW (cluster HA)   Any       Accept   remoteFW, FW (cluster HA)
   Mngmnt     FW (cluster HA)               Any       Accept   FW (cluster HA)
   Any        remoteFW                      Any       Accept   remoteFW
Symptoms:
With this config I can see the logs, and I'm managing the remoteFW and the
local one without problems.
Now, if I try to configure (initialize) a VPN ("Meshed" or "Star", no difference)
without changing anything else, after the "Install Policy" I lose control of
the remoteFW.
Maybe you know why?
Some logs:
Number: 18930
Date: today
Product: System Monitor
Origin: Managmnt
Type: Alert
Action:
Information: System Alert message: RemoteFW is disconnected
Object: RemoteFW
Event: Exception
Parameter: status_connection
Condition: is 8
Current value: 8
Number: 29600
Date: today
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: remoteFW
Type: Log
Action: Key Install
Encryption Scheme: NA
Information: Validation log: Certificate defaultCert cannot be validated.
Reason: Could not retrieve CRL.
DN: CN=xxxxxxxxxxxxxxxxxxxxxxx3psve6
Instruction: If this log persists, contact the CA administrator.
Subproduct: VPN
And there is no way to end the "Install Policy" process. To regain control of
the remote FW, I have to:
- reset the SIC on the remote module
- delete the VPN config on the Mngmnt
- reset the SIC on the Mngmnt and initialize it again.
Any idea?
Thanks in advance
Corrado
Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
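The two log records Corrado pasted are the whole story in miniature: a System Monitor alert that the gateway is disconnected, and an IKE record from the same gateway saying the ICA certificate could not be validated because the CRL could not be fetched. Below is an added example, not code from the original thread or from Check Point, that parses records in that one-field-per-line format and correlates a "disconnected" alert with CRL-retrieval failures from the same origin. The two sample records are constructed to mirror the ones in the post; the field names are those visible there. The hint text, and the reference to TCP 18264 (FW1_ica_services, the port on which the management server's ICA serves its CRL), are my own wording and not part of the original message.

```python
"""Correlate a Check Point 'gateway disconnected' alert with CRL failures.

Added example for the FW-1 thread above; not the poster's or vendor's code.
Records are 'Key: value' lines; a new record begins at each 'Number:' line.
"""
import re

# Constructed sample, modelled on the two records in the post. Note the
# case difference between 'Object: RemoteFW' and 'Origin: remoteFW'.
SAMPLE_LOG = """\
Number: 18930
Date: today
Product: System Monitor
Origin: Managmnt
Type: Alert
Information: System Alert message: RemoteFW is disconnected
Object: RemoteFW
Event: Exception
Parameter: status_connection
Condition: is 8
Current value: 8
Number: 29600
Date: today
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: remoteFW
Type: Log
Action: Key Install
Encryption Scheme: NA
Information: Validation log: Certificate defaultCert cannot be validated.
Reason: Could not retrieve CRL.
DN: CN=xxxxxxxxxxxxxxxxxxxxxxx3psve6
Instruction: If this log persists, contact the CA administrator.
Subproduct: VPN
"""

DISCONNECT_RE = re.compile(r"System Alert message: (?P<gw>\S+) is disconnected")


def parse_records(text):
    """Split the text into a list of dicts, one per 'Number:' record."""
    records = []
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            # A wrapped continuation line: append it to the previous field.
            if current is not None and last_key is not None:
                current[last_key] = current[last_key] + " " + line.strip()
            continue
        key = key.strip()
        if key == "Number":
            current = {}
            records.append(current)
        if current is None:
            continue
        current[key] = value.strip()
        last_key = key
    return records


def correlate(records):
    """Pair each 'disconnected' alert with CRL failures from the same gateway."""
    crl_failures = {}
    for rec in records:
        if rec.get("Reason", "").startswith("Could not retrieve CRL"):
            origin = rec.get("Origin", "").lower()  # normalise case
            crl_failures.setdefault(origin, []).append(rec)

    findings = []
    for rec in records:
        if rec.get("Product") != "System Monitor":
            continue
        match = DISCONNECT_RE.search(rec.get("Information", ""))
        if not match:
            continue
        gateway = rec.get("Object") or match.group("gw")
        related = crl_failures.get(gateway.lower(), [])
        if related:
            hint = ("gateway lost its management connection and its IKE daemon "
                    "could not fetch the ICA CRL; verify the gateway can reach the "
                    "management's CRL distribution point (HTTP on TCP 18264, "
                    "FW1_ica_services) through the NAT and the rulebase, "
                    "including the implied rules for control connections")
        else:
            hint = "no CRL failure logged by this gateway; look elsewhere"
        findings.append({
            "gateway": gateway,
            "alert": rec.get("Number"),
            "crl_failures": [r.get("Number") for r in related],
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_records(SAMPLE_LOG)):
        print(finding)
```

Run it against a SmartView Tracker export saved in the same text form; the correlation is keyed on the gateway name, so it only flags a disconnect whose own IKE daemon reported the CRL failure, rather than any CRL message anywhere in the log.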