>>> On 7/24/2006 at 2:12 PM, Gary Scott <gscott AT VIGILAR DOT COM> wrote:
> fw unloadlocal , does SIC check out good? When you try to install a policy
> what error(s) do you see. Are you getting logs from this module?
The SIC is/was fine. As for the errors, I was operating with "remote
hands," i.e. someone at the remote site typing my instructions and
reporting back responses over the phone. My notes and recollections
are fuzzy on the exact errors. The system in question is no longer on
the network (we had to fall back to the old configuration), so I cannot
go reproduce the errors. I also restored the old configuration with a
export_upgrade/import_upgrade on the management server, so my old
borked configuration got wiped out.
But the mention of "unloadlocal" makes me think that is my problem.
I was telling my helper "fw ctl uninstall" when what I _meant_ was
"fw unloadlocal." When you do a "fw ctl uninstall," I don't think
you can do any policy installations, which is why they failed. If I
had been on the console, I probably would have caught it. Damn remote
upgrades.
However, I'm still hoping for a sure-fire procedure to pull a system
with a hosed policy back from its self-imposed isolation. It'll
take me a day or two to get this simulated in a lab setup, and I'd
like to reschedule another attempt to do this ASAP.
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Crist
> Clark
> Sent: Monday, July 24, 2006 3:51 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] Bad Anti-Spoof Recovery
>
> I have an enforcement module that appears to have a "bad"
> policy installed. That is, it feels that traffic coming in
> from the management server is spoofed. So how does one
> install a corrected policy on this system? Obviously, you
> cannot push a policy, but sometimes traffic originating from
> the firewall itself gets through the anti-spoofing, so I
> thought a,
>
> # fw fetch <master>
>
> Might work, but I no. So then I tried,
>
> # fw ctl uninstall
>
> To kill the anti-spoofing, but the fetches would still fail.
>
> What is a procedure to "reacquire" a module that has incorrectly
> decided the management server is spoofing?
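The recovery sequence the thread converges on, written up as an added example (this script is not from the thread or from Check Point): unload the local policy with `fw unloadlocal` rather than `fw ctl uninstall`, which the reply above says blocks any policy installation, then fetch a fresh policy from the management server and confirm the module state. It assumes the `fw unloadlocal`, `fw fetch <master>` and `fw stat` commands named in the thread; `FW_BIN` is a hypothetical override so the script can be exercised against a stub where no firewall is present, and `192.0.2.10` is a constructed management-server address.

```shell
#!/bin/sh
# Added example, not from the thread: bring a module whose installed policy
# drops the management server as spoofed back under management control.
# Run from the module's own console (remote pushes cannot reach it).
# FW_BIN is a hypothetical override so the steps can be tested against a stub.
FW_BIN="${FW_BIN:-fw}"

# Run one step, echoing the command and its exit status; return that status.
run_step() {
    echo "+ $*"
    "$@"
    rc=$?
    echo "  -> exit $rc"
    return $rc
}

# Recovery sequence:
#   1. fw unloadlocal  - drop the local policy so the module accepts traffic
#                        again (not 'fw ctl uninstall', which the thread says
#                        prevents any policy installation afterwards)
#   2. fw fetch MASTER - pull the corrected policy from the management server
#   3. fw stat         - confirm a policy is now loaded
# Returns 0 on success, 1 if a step fails, 2 on bad usage.
recover_module() {
    master="$1"
    if [ -z "$master" ]; then
        echo "usage: recover_module <management-server>" >&2
        return 2
    fi
    run_step "$FW_BIN" unloadlocal || return 1
    run_step "$FW_BIN" fetch "$master" || return 1
    run_step "$FW_BIN" stat || return 1
    return 0
}

# Example invocation with a constructed management-server address:
# recover_module 192.0.2.10
```

Because the module is unprotected between the unload and the fetch, keep the window short and have the corrected policy already verified on the management server before starting; if the fetch fails, the exit status tells the operator (or the "remote hands") exactly which step did not complete instead of guessing from memory later.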