First, an update. NAI has already released a fix regarding my original
e-mail. You can download it from:
http://www.tis.com/support/patch50.html
Thanks to NAI support for getting a fix out so quickly.
Strange wrote:
>
> According to the folks we asked at NAI in June about the Gauntlet install
> procedure (on all supported OSes), the install order to be used is:
>
> Install OS
> Install OS patches
> Install Gauntlet
> Install Gauntlet patches
> never install any OS patches again
True, but many people install the firewall then the OS vendor releases a
patch.
> Because of that last nasty gotcha, we use a firewall builder box when we
> want to "patch" the firewalls. We then pull the newly-built drives, and
> swap them into the extant firewall box. Lather, rinse, repeat.
You are a stronger person than I... I wouldn't want to have to keep
securing the OS on a box and "reinstalling" the firewall every time the
OS/firewall vendor releases an important patch... :-)
> Interestingly, this is what the vendor told us to *always* do, under *all*
> circumstances. I'd say that if you're going to apply vendor patches, you
> should assume you have to do a full Gauntlet reinstall because Gauntlet
> 5.0 replaces some key kernel items.
See above....
> I.e., a vendor patch replaced code that the gauntlet had already replaced.
Exactly.
> I am wondering if this is *really* a Gauntlet bug or a Gauntlet vendor
> documentation bug.
Which is why the word "bug" never appeared in the original alert. Had
the M310-049 patch not been required for the kernel patch install, very
few of us would have run into the problem.
> (they do not, as far as we could tell, make it plain that you
> should not apply vendor patches after installing the firewall)
Not exactly true. Look here:
http://www.tis.com/support/bsd31.html
--Keith