RE: [FW1] Fetching the wrong policy
Michael, maybe you can answer this question then. I asked it a few months
ago and didn't get any feedback.
You are aware that using install on with a firewall object causes the rule
to be enforced in the eitherbound direction which causes the packets to be
checked twice. Have you done any testing to see what the difference in
performance is?
Also, Lanse if you are there; has your checking on the state tables shown
one or two entries added when you do address translation and eitherbound?
Michael Martin <mmartin@clarify.com> on 11/04/99 02:55:02 PM
Please respond to Michael Martin <mmartin@clarify.com>
To: fw-1-mailinglist@lists.us.checkpoint.com
cc:
Subject: RE: [FW1] Fetching the wrong policy
The solution to your problem that I use is to simply have a single policy.
I think that this is really what Aylton meant in the first place. Simply
place all the rules in a single rulebase but only select to install FW A
rules on FW A and FW B rules on FW B. Whenever the rulebase is fetched it
will ignore rules for the other firewall. If you have shared rules (like a
stealth rule or a logging "all all all drop" rule) just have it install on
both and you save the extra inspect code for duplicates. I've done this
successfully on a couple of firewalls and never had any trouble. This is
also a good way to build a single policy that will install different NAT
rules for the same internal hosts on different outbound routes.
-----Original Message-----
From: Joseph Favia Jr. [mailto:jfavia@olivettiricerca.it]
Sent: Thursday, November 04, 1999 3:02 AM
To: Aylton Souza; fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] Fetching the wrong policy
Hi Aylton,
1. After performing a fwstop-fwstart on each FW module, the Status Monitor
shows the names of the fetched policies, i.e. Policy A on FWA and Policy A
on FWB. I must then install the policy from the management console to get
Policy B on FWB.
2. I'm not sure your tip will work. What happens if I try to fetch a policy
where there are no rules to be applied to the gateway itself (which is
exactly my situation)? Does the FW use an empty ruleset with the DENY ALL
final rule? I will test this as soon as possible although I think the
right workaround is to put all the rules in the same policy (with the
INSTALL ON field set appropriately) so that there will always be a single
policy that will be fetched.
The other workaround that I'm considering is to get the FETCH command to
fail somehow, so that the module only fetches the local policy, but my
tests to achieve this through modifications to the control.map file have
failed so far.
Thanks for your help
Joseph
At 18.22 02/11/99 -0200, Aylton Souza wrote:
>
>Hello Joseph,
>
>Here we are again into trouble.
>
>I know the tip I'll talk about won't solve your problem, but maybe it's a
>workaround.
>
>What if we set the field 'install on' in each policy so that policy will
>load only in the proper firewall?
>
>Another tip to troubleshoot: What info does Status Monitor present as the
>name of the policy currently loaded? Does it appear to be reasonable?
>
>Best wishes
>
>Aylton
>
>-----Original Message-----
>From: Joseph Favia Jr. <jfavia@olivettiricerca.it>
>To: fw-1-mailinglist@lists.us.checkpoint.com
><fw-1-mailinglist@lists.us.checkpoint.com>
>Date: Tuesday, 2 November 1999 08:58
>Subject: [FW1] Fetching the wrong policy
>
>
>>
>>Hi,
>>
>>I'm running FW1 4.0 SP4 on NT 4.0 SP4 with a management console and 2 FW
>>modules. I've set up two different policies, A & B, one for each Firewall
>>module. I can successfully install policy A on FW A and policy B on FW B.
>>Logging works well too. My problem is that if I stop-start FW B it fetches
>>policy A! I have to go to the console and install policy B. Even running
>>the fw fetch command produces the same incorrect result. I've looked at the
>>contents of the STATE directory on the console and it seems ok. I don't
>>know what else can be done. Can I play with the settings in the control.map
>>file on the FW module to disable fetching from the console (as a temporary
>>workaround)? Would this then affect policy loading from the console?
>>
>>All suggestions are welcome.
>>
>>Thanks
>>
>>Joe
>>
>>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
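The thread's symptom is a module that silently comes back up with the other
gateway's policy after fwstop/fwstart, noticed only by reading Status Monitor.
The script below is an added example, not code from anyone on this list or
from Check Point: it compares the policy name each module reports against the
name the operator expects and flags any mismatch, so the check can be run
unattended after every restart. It assumes that `fw stat` prints one line per
module with the host name in the first column and the policy name in the
second (an assumption about the FW-1 4.0 output layout); the two `fw stat`
samples embedded here are constructed to mirror the case in the thread, not
captured from a real console, and the host and policy names are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that every firewall module
# holds the policy its operator expects, the check Joseph did by eye in
# Status Monitor after each fwstop/fwstart.
#
# Assumption: 'fw stat' output has the host name in column 1 and the policy
# name in column 2, one line per module, preceded by a header line.

# Expected policy per module (constructed names: fwa/fwb, PolicyA/PolicyB).
EXPECTED="fwa PolicyA
fwb PolicyB"

# Constructed 'fw stat' output reproducing the thread's fault: after a
# restart, fwb fetched PolicyA instead of PolicyB.
SAMPLE_STAT="HOST     POLICY   DATE
fwa      PolicyA  4Nov1999 10:02:11 : [>eth0] [<eth0] [>eth1] [<eth1]
fwb      PolicyA  4Nov1999 10:05:43 : [>eth0] [<eth0] [>eth1] [<eth1]"

# Constructed 'fw stat' output for the healthy state.
SAMPLE_OK="HOST     POLICY   DATE
fwa      PolicyA  4Nov1999 10:02:11 : [>eth0] [<eth0] [>eth1] [<eth1]
fwb      PolicyB  4Nov1999 10:07:09 : [>eth0] [<eth0] [>eth1] [<eth1]"

# check_policies STAT_OUTPUT
# Prints one line "host expected actual" per module whose loaded policy
# differs from EXPECTED ("MISSING" when the host is absent from the output).
# Prints nothing when every module holds the expected policy.
check_policies() {
    stat_out="$1"
    printf '%s\n' "$EXPECTED" | while read -r host want; do
        [ -z "$host" ] && continue
        # Pick the policy column for this host; the header line never matches.
        got=$(printf '%s\n' "$stat_out" | awk -v h="$host" '$1 == h { print $2 }')
        if [ -z "$got" ]; then
            echo "$host $want MISSING"
        elif [ "$got" != "$want" ]; then
            echo "$host $want $got"
        fi
    done
}

# Stand-alone run over the constructed samples. On a real console the
# argument would be "$(fw stat)" instead of a sample string.
for sample in "$SAMPLE_STAT" "$SAMPLE_OK"; do
    out=$(check_policies "$sample")
    if [ -n "$out" ]; then
        echo "policy mismatch (host expected actual):"
        echo "$out"
    else
        echo "all modules hold their expected policy"
    fi
done
```

A non-empty result is the cue to reinstall from the management console, as the
thread describes; running the check from whatever restarts the module turns the
surprise Joseph hit into a logged event.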