Waskley (Dave),

Use the interface closest to the management station.
This is usually the external interface when remotely
managing systems. You should use the same interface
that was used by your predecessor (like all good
sysadmins/security admins, they documented it just
for cases like yours ;).

Make sure that time is synchronized (TZ dependent
of course).

You should redo all the keys on fw modules and the fw
manager at one time. If you don't, any systems that
haven't been done will most likely fail. If I'm not
mistaken, time is used for creating the key.

You should stop the fw services (fwstop) on all
of them. Depending on how they are set up, this
could be a big security concern. You now have
stopped the firewall software and the outside world
could have access to it.

Issue the putkeys and start the fw software
again (fwstart). Watch the messages to verify that
each of the systems could contact the fw mgr and
verify/pull down the security policy. If they
can't, they will load the last one installed. At this
point you'll need to fix the error (redo above correctly)
and try again.

HTH.

Sincerely,
E. Fudd

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> Waskley Wabbit <[EMAIL PROTECTED]> 7/6/00 3:08:29 PM >>>
>
>I have a question about the put key command. We
>recently inherited several firewalls being managed by
>one management server/firewall. Two of the sites are
>having timeout connections. Looking into the phoneboy
>faq: Failed to Install Security Policy, it explains
>that the module doesn't recognize the management server
>and the keys need to be generated. Would I stop the
>services of the management station and the firewall
>module in question, and generate a key on both sides by
>specifying its external interface? Will this in any
>way interfere with the other firewall modules that are
>already working?
>
>Please help! Thanks.
>
>Dave



