Good idea, Joe!  Obviously that's the way to do it!

Huiqi



Joe <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
18/12/2003 09:07
Please respond to Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: Re: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall


Hi Alan,

I agree that you should install the same versions for IPSO and
FW-1.

Then you can perform a backup over the Voyager and transfer the
backup file to an ftp-server. But be careful that only authorized
people have access to it! This should be done periodically.

If a failure occurs you can put the backup-file on the cold stand-by
machine and perform a restore from the Voyager. Keep in mind that you
have to put the license manually to the cold-standby machine.

The transfer of the backup-files could also be done over scp by a
cronjob.

HTH.

Joe


Alan Choyna wrote:

> Thanks for the replies Greg and Huiqi,
>
> What I meant to say was that we don't have a management station, just the
> IP440. It would be sweet if we had one, so we could just push the policy.
>
> As Greg recommends, I will load ipso 3.5-FCS10 on the redundant firewall,
> as well as FW1 4.1 SP6.
>
> Having done that, I guess I will check the conf and lib directories to see
> which files I should bring over.
>
> I will copy over almost every file from the state and database directories,
> files I have modded in the lib directory, and as for the conf dir, I will
> bring over the following files:
> The most recent *.W policy file
> All *.conf files
> auth.C
> cp.license
> cp.macro
> default.W
> external.if
> fgrulebases.fws
> fwauth.NDBBKP
> fwmusers
> gui-clients
> logviewer.C
> objects.C
> rulebases.fws
>
> Bringing over these files, I may not have to run cpconfig (gui-clients,
> fwmusers) or install the license strings (cp.license) hopefully.
>
> Have I missed anything? Have I assumed incorrectly?
>
> Thanks,
>
> Alan.
>
>
> At 06:00 AM 12/16/2003, [EMAIL PROTECTED] wrote:
>
>> Agree with Greg's point about the IPSO version.
>>
>> I wouldn't manually copy any files - when you say "no management console"
>> do you mean the IP440 is just an enforcement module?  If that's the case
>> then I would just load IPSO, load CP and run cpconfig on the standby. Then
>> push the policy from the management station to it.  Obviously you'll either
>> need to take the first firewall off-line or build a test lab as the two
>> firewalls have the same IP address.
>>
>> Huiqi
>>
>>
>>
>> "Pendergrass, Greg" <[EMAIL PROTECTED]>
>> Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]KPOINT.COM>
>> To: [EMAIL PROTECTED]
>> cc:
>> Subject: Re: [FW-1] Directories/Files required for configuring redundant Nokia IP440 firewall
>>
>> You have to match the version of IPSO with the version of checkpoint you
>> want to run. IPSO 3.7 is for NG-AI only, so run a version compatible with
>> checkpoint 4.1 SP6, which is IPSO 3.5.
>>
>> Since this unit is going to be a cold-swap you want to match software
>> versions exactly so there will be nothing to chance when it is used.
>>
>> GP
>>
>> -----Original Message-----
>> From: Alan Choyna [mailto:[EMAIL PROTECTED]
>> Sent: 16 December 2003 05:18
>> To: [EMAIL PROTECTED]
>> Subject: [FW-1] Directories/Files required for configuring redundant
>> Nokia IP440 firewall
>>
>>
>> Hey gurus,
>>
>> I'm in the process of building a redundant (cold swap) firewall for one of
>> my clients.
>>
>> Our client just has the one Nokia IP440 firewall with no management
>> console, and since they don't wish to pay for a 2nd license, the redundant
>> firewall will be cold swap.
>>
>> The original and the new redundant FWs are both Nokia IP440s, the
>> original with ipso 3.5-FCS10; the redundant will come with ipso 3.7. With
>> the exception of the original IP440 having the disk mirroring option, they
>> are both physically configured identically.
>>
>> What I intend to do is ensure that they both have the same version of FW
>> (4.1 sp6), and then copy across the conf, database and state directory
>> files from the original FW to the new FW's equivalent directories, as well
>> as any files modified in the lib directory. Then I apply the licences to
>> the new Firewall.
>>
>> Does this sound correct? Have I missed anything? Can anyone foresee any
>> problems I may encounter?
>>
>> Your advice will be greatly appreciated.
>>
>> Another way I could do this would be to take one of the mirrored disks from
>> the original IP440 (it came with the mirroring option), and place it in the
>> new firewall. The only thing stopping me from doing this is the doubt
>> regarding how the mirroring is done (software vs hardware). As the
>> redundant firewall does not come with the mirroring option, would this
>> method work? Does anyone know how the mirroring is done?
>>
>> If I could do that, then I would place the disk from the redundant firewall
>> into the original firewall when it realizes that a disk is missing
>> (emulating a disk failure) and requests a replacement disk.
>>
>> Thanks in advance.
>>
>> Alan
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
>
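
The periodic, access-restricted scp-by-cron transfer suggested in the thread, as an added example that is not from any poster on the list. The backup directory, the `*.tgz` naming, the destination host, the key path and the script path are all assumptions to replace with local values.

```shell
#!/bin/sh
# Added example: ship the newest firewall backup off-box from cron over scp.
# Assumptions (not from the thread): directory, *.tgz naming, host, key path.
BACKUP_DIR="${BACKUP_DIR:-/var/backup}"   # assumed location of backup archives
DEST="${DEST:-fwbackup@backuphost.example:/srv/fw-backups/}"   # placeholder
KEY="${KEY:-$HOME/.ssh/fwbackup_key}"     # dedicated key used only by this job

# Print the most recently modified *.tgz in directory $1; fail if there is none.
newest_backup() {
    newest=
    for f in "$1"/*.tgz; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# The archive holds the firewall's configuration, so refuse to ship one that
# is empty (failed backup) or readable by group/other.
check_backup() {
    [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)      # group+other bits of the mode string
    [ "$perms" = "------" ] || { echo "too permissive: $1" >&2; return 2; }
}

# Copy with the key only (BatchMode: never prompt), preserving the timestamp.
ship_backup() {
    scp -p -q -o BatchMode=yes -i "$KEY" "$1" "$DEST"
}

# Hypothetical crontab entry: 15 2 * * * /usr/local/sbin/ship-fw-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    umask 077
    latest=$(newest_backup "$BACKUP_DIR") || { echo "no backup in $BACKUP_DIR" >&2; exit 1; }
    check_backup "$latest" || exit 1
    ship_backup "$latest" || { echo "transfer failed: $latest" >&2; exit 1; }
fi
```

On the receiving host, keep the target directory readable only by the backup account so the access restriction holds at both ends of the transfer.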
