Hi everybody, I work for an Italian national institution and we have recently been experiencing a small log problem. Let me briefly explain our configuration:

3 firewalls: it's a 2-bastion defense system with 2 front-end FWs and 1 back-end. They're based on IBM RISC 6000, 256 MB, OS AIX 4.3.3, FW-1 CP 4.1 SP 3. The back-end FW is an EPC (management + FW with unlimited-hosts license), whereas the front-end FWs are 2 modules (unlimited as well). The reason for the expensive licensing choice is not easily explainable, just do not consider it.

One of the front-end FWs has 7 NICs and one of them (of course) is directly linked to the management. Let's call this interface "en2". This interface has not sent any log messages to the management for a couple of months; we have not yet tried a reboot, because I thought I'd write here first. In particular, this is what I found:

1) If I ping one of the interfaces from the internal network, I just record the echo request and reply passing through the back-end FW (the management); no logs are produced from en2.

2) If I ping an object placed outside the front-end FW (like a router or another system), I see entries in the log file coming from the back-end FW and from the external interface of the front-end FW, but still nothing comes from en2. By the way, the ping succeeds, as expected, but it is not logged by en2, though tracking was enabled on its firewall.

I do not use implied rules; I explicitly permit the echo flow "up and down". I used tcpdump to monitor the en2 activity and no FW1_LOG packets (TCP 257) were produced, whereas similar monitoring on the other front-end FW gives the expected results (echo request and reply + TCP 257 flow directed towards the management). The anti-spoofing rules have been set correctly (since a similar configuration on the other FW works properly).

Do you have any idea? Are there any parameters I should look into, maybe in the conf files in the "conf" or "lib" directory?

Thanks in advance, and sorry for my English and my FW-1 ignorance as well.
Best regards
Alessio Pierotti - Rome
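A diagnostic check along the lines of the tcpdump comparison described in the post, added here as an example that is not part of the original message or of Check Point's tooling: it counts the TCP 257 (FW1_LOG) packets each module sends to the management station in a capture, so a module whose log forwarding has gone silent stands out. The capture lines and the 192.0.2.x addresses are constructed, and the management address is an assumption.

```shell
#!/bin/sh
# Added example: per-module count of FW-1 log-forwarding packets (TCP 257,
# FW1_LOG) in a tcpdump capture. A module that passes traffic but shows
# zero packets here is not shipping its logs to the management station.

MGMT="192.0.2.1"   # management station address (assumed, constructed)

# Constructed tcpdump output in the classic "src.port > dst.port" format:
# module 192.0.2.10 forwards logs, module 192.0.2.20 only passes ICMP.
SAMPLE_CAPTURE='10:01:02.1 192.0.2.10.1025 > 192.0.2.1.257: P 1:101(100) ack 1 win 8760
10:01:02.2 192.0.2.1.257 > 192.0.2.10.1025: . ack 101 win 8760
10:01:03.0 192.0.2.20 > 192.0.2.1: icmp: echo request
10:01:03.1 192.0.2.1 > 192.0.2.20: icmp: echo reply
10:01:04.0 192.0.2.10.1025 > 192.0.2.1.257: P 101:201(100) ack 1 win 8760'

# fw1_log_count <capture-text> <module-ip>
# Prints how many packets the module sent to $MGMT on TCP 257.
fw1_log_count() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$MGMT" '
        {
            s = $2; sub(/\.[0-9]+$/, "", s)          # strip source port
            if (s == src && $4 == dst ".257:") n++  # FW1_LOG to management
        }
        END { print n + 0 }'
}

# check_module <capture-text> <module-ip>
# Prints OK when log-forwarding traffic was seen, MISSING otherwise.
check_module() {
    if [ "$(fw1_log_count "$1" "$2")" -gt 0 ]; then echo OK; else echo MISSING; fi
}

main() {
    for m in 192.0.2.10 192.0.2.20; do
        printf '%s: %s FW1_LOG packets (%s)\n' "$m" \
            "$(fw1_log_count "$SAMPLE_CAPTURE" "$m")" \
            "$(check_module "$SAMPLE_CAPTURE" "$m")"
    done
}
main
```

On a real system, feed the function the output of a tcpdump run on the management-facing interface instead of SAMPLE_CAPTURE; a module reporting MISSING while its rule base has tracking enabled is the one to investigate.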
