This clears things up nicely, thank you.

At 08:02 AM 10/15/01 -0700, you wrote:
>The specific answer:
>
>In a fetch, your module requests the latest installed (or attempted
>install) from the management server, which provides the last compiled
>policy from the $FWDIR/state directory on the management server. No
>compilation is performed in a fetch - the management server simply gives
>it the last compiled policy for that module.
>
>In a "push," the policy is compiled and pushed to the module. This policy
>is also moved to the state directory, such that it will be the policy
>provided to the module at the next "pull" (fetch).
>
>If you save a policy but do not push it, the compiled policy in the state
>directory is unchanged, such that you will still "pull" (fetch) the older
>policy from the management server.
>
>HTH - please post again if this isn't clear!
>
>Dan Hitchcock
>CCNP, CCSE, MCSE
>Security Analyst
>Breakwater Security Associates, Inc.
>"Safe Harbor for E-Business"
>dhitchcock (at) breakwatersecurity (dot) com
>http://www.breakwatersecurity.com
>206-770-0700 work
>
>The information contained in this email message may be privileged,
>confidential and protected from disclosure. If you are not the intended
>recipient, any dissemination, distribution or copying is strictly
>prohibited. If you think you have received this email message in error,
>please email the sender at [EMAIL PROTECTED]
>
>-----Original Message-----
>From: Juan Concepcion
>[mailto:[EMAIL PROTECTED]]
>Sent: Saturday, October 13, 2001 6:54 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Difference between fetch and push
>
>All depends in a fetch, if you haven't saved your changes, the firewall will
>not pick up the changes you've made to the policy and will only enforce what
>was there before. In a push the rules and changes are automatically saved
>before any attempt is made to push out to the firewalls. I find it strange
>that one firewall picked up your change and the other didn't but that's
>basically the difference between a push/fetch.
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED]] On
>Behalf Of mikecc
>Sent: Friday, October 12, 2001 4:48 PM
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Difference between fetch and push
>
>Hello,
>
>I noticed something today that I never noticed before. I had to
>reboot a firewall and when the firewall came back up I was on the
>console and did a "fw fetch" to get the latest policy from the Management
>server, which happens to be a Provider-1 CMA.
>
>All appeared ok, I even did a fw stat after the fact to see that
>it got the proper policy.
>
>However, one of the rules was not working the way we expected. I
>had made a change maybe an hour before to this particular rule, I
>included the VRRP pair (of which the firewall I rebooted was a member
>of) in the Install On column. Prior to this change the rule did
>not do what we wanted, it was just something I had to tweak.
>
>So while running on the secondary after I fixed the rule, everything
>worked fine. But it appeared that when I did a fetch from the newly
>restored master firewall it did not get that Install On change.
>
>When I returned to my desk and pushed the policy out to the newly
>restored Firewall the rule worked perfectly.
>
>Is there a difference between what happens in a fetch and what happens
>when a policy is pushed?
>
>Mike
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================

MikeCC
http://atrek.org/mikecc
