Hey people,
Just attempted to go live with a new SPLAT (on HP DL360) server
running NG AI R55 HFA09 which I had upgraded (using export/import)
from our Nokia IP440 running NG FP3. The management station and
gateway are on the same server (both old and new servers).
The pre-upgrade verifier gave the thumbs up, with no issues
highlighted (conflicting services on some minor ports being the exception).
After doing the import, I added the routes, updated the ethernet
adapter names on the FW object, etc., and then manually modified the
$FWDIR/lib/base.def file to correct a high port FTP error one of our
other SPLAT NG AI R55 HFA09 servers had. I then looked over all rules
and objects to ensure all had migrated OK.
The swap over seemed to go very smoothly. VPN tunnels came up fine.
Rules seemed to be fine, remote users could VPN in fine, everything
except for 3 problems:
1) The 2 servers that were NAT'd to the outside world using the
automatic address translation were not able to access the outside
world, nor could the outside world access these 2 servers.
2) One server that had a proxy arp address on the Nokia voyager
interface on the FP3 box, could not be accessed, even after doing the
/etc/ethers & /etc/rc.local mods (very cumbersome) on the R55 server.
3) The tracker interface was very slow updating log records,
sometimes showing up to 10 - 20 seconds after the request.
We even upgraded to HFA16, which resolved none of these issues.
Our checkpoint support worked on these for 2 hours, trying to assist
us in solving them to no avail, so I was hoping one of you gurus may
have experienced at least one of these issues and could hopefully
shed some light.
The support guy said that the issue seemed to be with NAT not working
properly on the 2 servers with the automatic address translation, yet
working fine on other externally facing servers which had manual NAT
rules (with limited IPs at the site, we had to expose multiple
internal servers to 1 external IP using port translation to get
around it). He said that it reminded him of a NAT issue encountered
with FW1 3.0.
Any advice would be greatly appreciated. Thanks in advance.
Alan
Alan C. Choyna
Senior Consultant
Pathfinder Associates, LLC
http://www.pathfinderassoc.com
Internet Strategy Business Consultants
achoyna AT pathfinderassoc DOT com
Business telephone (312) 372-1058. Mobile (773) 255-6662