Hi!
-Reset SIC at the FW-Modules.
-Build FW-Object at the new Mgmt-Server
-Initialize SIC
-Configure FW-Object at Mgmt-Server
-Install Policy
:-)
The FW-Object at the old Mgmt-Server should be deleted afterwards.
Regards
Thomas Kunz
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray Pesek
Sent: Tuesday, 27 January 2004 01:23
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Managing two firewalls from one station - any gotchas?
Thanks, Derek. The major issue I have right now is how to tell the IP120
that it is going to be managed from a different server. I cannot figure out
what I need to do with SmartUpdate to change the IP120 from its current
management server to the new one. I found all sorts of articles but none
address moving an enforcement module from one management server to another.
Any ideas would be greatly appreciated!
Ray Pesek, CISSP
>From: "O'Flynn, Derek" <DOFlyn AT LSUHSC DOT EDU>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Managing two firewalls from one station - any gotchas?
>Date: Mon, 26 Jan 2004 12:37:19 -0600
>
>I have a very similar situation. I have my main firewalls (crossbeam x40)
>and a departmental firewall (IP120).
>
>I manage them from the same SmartCenter. In SmartCenter you can specify the
>install targets of the policy.
>
>I have two policies. One for the mains, and one for the IP120. Only thing
>that aggravates me is that you have to define the objects all in Smartcenter
>regardless of the policy loaded, so these are going to get replicated to
>both firewalls. The policy install time on the IP120 takes a bit.
>
>It works well enough. We did run into one problem, where the IP 120 is
>inside the encryption domain of the mains. And VPN was configured on the
>IP120 it messed up SecuRemote (overlapping encryption domain). Two
>solutions to this (that I know about). Remove the subnet for the IP120 from
>the mains encryption domain, or remove VPN on the Smartcenter IP120 object.
>We chose the latter.
>
>I'm running FP3 HFA317, Floodgate FP3 on the mains, and FP3 on IP120.
>
>Hope this helps,
>Derek
>
>
>-----Original Message-----
>From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
>Sent: Saturday, January 24, 2004 6:54 AM
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] Managing two firewalls from one station - any gotchas?
>
>Hi,
>
>We currently have our main firewall and a little IP120, both being managed
>by separate management servers. We want to free up the server that's
>controlling the IP120 and manage it as well from the one used by the main
>firewall. I was hoping anyone who experienced a problem with this
>arrangement could chime in so we can be aware of any issues before we make
>the change (such as installing the wrong policy on the wrong enforcement
>module, unexpected interactions, etc.)
>
>The main management station is already on NG AI R55 so there shouldn't be
>any version issues. The IP120 is on NG FP3 and we'll be upgrading it after
>we make the move.
>
>Thanks,
>
>Ray Pesek, CISSP
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================