Hello everyone,
Yesterday afternoon I had the bad idea to add a subnet
to an existing internal interface (192.168.43.0/24).
I did this (FW-1 Gateway/50 4.1 SP4 on NT server 4.0 SP6A):
Add a new "Interface" to my Firewall object as:
192.168.43.1 mask 255.255.255.0 and
redefine the anti-spoofing rules for all the
subnets defined as Interface for that particular
interface. This is on the EMPCI3 physical interface.
Add an object in that subnet DMZ-TEST as 192.168.43.2
Add a static NAT public address object for it 205.x.y.2
Add 2 manual entries for NAT between 192.168.43.2 and 205.x.y.2
Save the rule
Compile and install the rule
All was OK up to that point, as far as the
FW-1 was up and running, applying all my policies...
P.S. I don't need any entry in local.arp as the router
in front of the FW-1 routes all traffic for 205.x.y.0/24
to 205.a.b.190, the external address of the FW-1.
Next:
Add the 192.168.43.1 mask 255.255.255.0 to the interface
via the Windows NT Network Properties.
The only thing remaining: to do a route add 205.x.y.2 mask 255.255.255.255
192.168.43.3 -p
after the reboot...
When I rebooted the system I got these error messages in
my system event log and the FW-1 did not load the policies:
(I concatenated multi-part messages)
FW1: FwSetDefaultPolicy: no boot policy specified!
FW1: Attached to \Device\EMPCI2
FW1: Attached to \Device\EMPCI3
FW1: Attached to \Device\EMPCI4
FW1: Attached to \Device\EMPCI1
FW1: Informatory: the current VPN-1 & FireWall-1 license allows only 25 internal
hosts.
FW1: If this is different from the license you intended to purchase,
ensure that you have the correct license
FW1: See http://license.checkpoint.com/license_center_faq.html for troubleshooting.
FW1: FW-1: No valid license
FW1: FW-1: No valid license
I should normally receive these messages when I boot or start FW-1:
FW1: FwSetDefaultPolicy: no boot policy specified!
FW1: FwSetDefaultPolicy: no boot policy specified!
FW1: Attached to \Device\EMPCI2
FW1: Attached to \Device\EMPCI3
FW1: Attached to \Device\EMPCI4
FW1: Attached to \Device\EMPCI1
FW1: FW-1: only 50 internal hosts allowed
FW1: FW-1: setting external interface to EMPCI1
P.S. My 50-user license is "bound" to the external
interface IP address, which is 205.a.b.190 (on EMPCI1),
not to an IP address of one of the three internal interfaces.
So I had to finish later, got lots of grief from unhappy users
and had to reload my last night's backup of the firewall configuration
to restart it...
So to summarize: the fact that I added, in Windows NT, an IP address to
an existing internal interface (EMPCI3) made my license,
bound to the EMPCI1 interface, become invalid.
Has anyone already seen that behavior?
Note: Right now I have implemented what I wanted to do using
another method, which did not need to add a new subnet to
an existing interface but which uses an existing subnet
of that interface, with the same changes needed to the
FW objects and policies, and it works.
When I was using an evaluation license I initially
activated, in the network properties of NT, only
three interfaces; when I tried to activate the fourth
one I got the same problem. When I rebuilt the
firewall and installed my permanent license I took
care to configure all four interfaces with all
their subnets before I installed FW-1, so I did not
have the problem. I was thinking it was an "evaluation
license" limitation, but right now I know it is not...
------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17 Email: [EMAIL PROTECTED]
Systems Manager Tel: (819) 379-3446
Sogi Informatique Ltee. Fax: (819) 379-3449
------------------------------------------------------------