Doug,
I run a similar configuration to you: 2 firewalls (CP2000) on Sun E250s with
dual CPUs and 512MB RAM each, with management on an Ultra 10 w/ 512MB RAM (I
also run this same configuration on another network, so it's really 4
firewall modules and 2 management servers). I installed SP4 and both
hotfixes this week and have had absolutely no change to CPU load, nor any
problem pushing policies. What version of Solaris are you running? SP4 is
*supposed* to support Solaris 8, but I haven't seen anyone openly admit to
success yet (which is why I'm holding off upgrading to Solaris 8). I would
recommend making sure you have Solaris 7 with the latest patches, and if you
have a spare box (big IF), try rebuilding your firewall from scratch,
install all the Service Packs in order, and see if you still have the
problems. I've worked with FW-1 for over three years (since 3.0b), and have
seen cases where installing the builds/service packs in production machines
leads to problems. You occasionally have to just rebuild a box from scratch
and then put it up on the network. Not an optimal solution, but it gets the
job done.
Good Luck!
Dan
-----------------------------------------------------------------------------
Daniel R. (Dan) Dunn, EE, CCSA/CCSE
Principal INFOSEC Engineer, GRC Int'l (an AT&T company)
OSD-ITD Firewall Administrator
p: 703-614-8086, ext 500
The opinions expressed by the author are entirely his own, and do not
reflect those of AT&T, GRCI, Inc., or their subsidiaries, nor do they
reflect policy, opinion, or endorsement by the US Department of Defense or
any of its agencies.
>-----Original Message-----
>From: Johnson, Doug (ISS Atlanta) [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, July 19, 2001 2:10 AM
>To: '[EMAIL PROTECTED]';
>[EMAIL PROTECTED];
>'[EMAIL PROTECTED]';
>[EMAIL PROTECTED]
>Subject: [FW1] Who in the @#$&^! wrote SP4?
>
>Okay...so I'm installing SP4 to allow us to do IKE over TCP for SecuRemote
>(about time!) and I start by putting it on my management server and one of
>my perimeter firewalls. Big mistake!
>
>Load on my firewall shoots up to 3 - 4 (about 75-95% utilization on my dual
>CPU Sun box) and starts dropping packets. After a day of troubleshooting
>and testing, not to mention wasted time with Checkpoint's "support" team, we
>regress both machines to SP3 by *REINSTALLING* and restoring our config
>files. Note I say reinstalling, since the backout script fails horribly,
>except to remove the indicator that SP4 is loading and therefore preventing
>any further attempts to do a 'patchrm'.
>
>So a few weeks go by, and things are back to normal. We try installing SP4
>along with the RDP and format string hotfixes to our management station
>only, trying to troubleshoot a SR problem. Looks great - we now see IKE_tcp
>drops where before nothing appeared in the log viewer (did I mention I
>haven't installed policy yet?). So the next time my script runs that loads
>policy on all the firewalls, about half fail with either a
>
>"<firewall> is not defined as firewalled" error, or a
>"Failed to open file '/opt/CPfw1-41/tmp/<firewall_name>.fwrl.conf': No such
>file or directory" error.
>
>Of course, the firewalls listed as "not defined as firewalled" ARE defined
>as firewalls. When I try to load policy using the GUI to any of these, the
>error changes to the one about the missing file
>firewall.domain.com.fwrl.conf. So I spend a day troubleshooting this and
>find out the following "change" to SP4:
>
>The management server, when creating a policy file to push to a firewall
>module, creates the file from the <policy_name>.pf and names it by doing an
>'nslookup <firewall_ip_addr>' and using this for the filename (plus the
>.fwrl.conf addition). However, when fw_readfiles tries to find the file, it
>uses the name of the firewalled object (from objects.C) plus the .fwrl.conf
>addition. If the two don't match, it can't find the file. In our case, our
>/etc/hosts file had both <firewall> and <firewall>.domain listed for the IP
>address and our /etc/nsswitch.conf file defines host lookups as files first,
>then DNS. For example...
>
>#/etc/hosts
>1.2.3.4 firewall firewall.domain.com
>
>#/etc/nsswitch.conf
>hosts files dns
>
>So, here is what happens if you try to install policy (my comments are in
>parentheses)...
>
>Downloading Security Policy /opt/CPfw1-41/conf/Policy_1.pf to firewall.domain.com
>Failed to open file '/opt/CPfw1-41/tmp/firewall.fwrl.conf': No such file or directory
> (nslookup resolves 1.2.3.4 to 'firewall', not 'firewall.domain.com')
>fw_readfiles:cannot open firewall.domain.com.fwrl.conf: No such file or directory
> (the GUI object is called 'firewall.domain.com')
>Failed to Download Security Policy on firewall.domain.com: No such file or directory
>Installing Security Policy on firewall.domain.com failed
>
>As you can see, the program creates the file using one method, and then
>looks for it using another. By the way, don't bother looking in your
>/<firewall_dir>/tmp directory - these .fwrl.conf files are created and then
>deleted. Interesting that the program can find them to delete them, but not
>find them to load them. If you want to see what the file is that is being
>created, you have to start a policy load and then sit in that tmp directory
>doing "ls -al *.conf" over and over again - it will appear for about 2-3
>seconds.
>
>Of course this was all academic - as soon as I fixed this problem (making
>sure the /etc/hosts file *only* had reverse lookup entries that matched the
>GUI firewall object names) and we loaded policy, load shot up on my firewall
>again. I had to rebuild the management server AGAIN (the patch backout
>failed AGAIN) and reinstall policy - load drops to normal in less than 5
>minutes.
>
>We're currently talking to Checkpoint about this (yeah, right), but they
>won't even admit there is a problem with the service pack yet. They want us
>to reinstall SP4 to firewall and mgmt. server, get an fwinfo, regress both
>back to SP3, get an fwinfo, and send them to them. Too bad we actually
>WORK FOR A LIVING and need our firewalls (and consequently our office) up
>and running.
>
>Oh...just for the record, these are Enterprise level Sun boxes with lots of
>RAM and dual CPUs. My first firewall was 3.0 (before 3.0b) back in 1998, so
>I have a small clue about what I'm doing. :-)
>
>Doug Johnson
>Sr. Network Engineer
><mailto:[EMAIL PROTECTED]>
>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
>
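The mismatch Doug describes (the management server names the temporary policy file after the reverse lookup of the firewall's IP, while fw_readfiles opens it under the object name from objects.C) can be checked before a policy push instead of being discovered from a failed install. The script below is an added example for this thread, not code from Check Point or from either poster. It emulates the 'files first' reverse lookup on a constructed /etc/hosts sample, assuming that the files backend returns the first name on the first matching line (which is what the quoted output shows: 1.2.3.4 resolves to 'firewall'); the DNS fallback is not modelled. The object names, IP addresses and hosts lines are constructed, and check_policy_filenames and suggest_hosts_fix are hypothetical helper names. It goes slightly beyond the thread by also flagging a firewall IP with no hosts entry at all and by proposing a reordered hosts line rather than only reporting the problem.

```python
"""Pre-check for the SP4 .fwrl.conf filename mismatch described in the thread.

Added example (not Check Point code). It models the two name sources the
message describes: the reverse lookup of the firewall IP (used to *create*
the file) and the object name from objects.C (used to *open* it).
Assumption: with 'hosts: files dns', the files backend returns the first
name on the first matching /etc/hosts line, which is what the quoted output
shows (1.2.3.4 -> 'firewall'). The DNS fallback is not modelled.
"""

# Constructed /etc/hosts sample; the first entry mirrors the one in the thread.
HOSTS_FILE = """\
# constructed sample, not a real hosts file
1.2.3.4   firewall firewall.domain.com
10.0.0.5  fw2.domain.com fw2
10.0.0.6  fw3.domain.com
"""

# Constructed firewall objects: object name (as in objects.C / the GUI) -> IP.
OBJECTS = {
    "firewall.domain.com": "1.2.3.4",   # canonical hosts name differs: will fail
    "fw2.domain.com": "10.0.0.5",       # object name is first on its line: OK
    "fw4.domain.com": "10.0.0.7",       # no hosts entry at all: flagged too
}

SUFFIX = ".fwrl.conf"


def parse_hosts(text):
    """Return {ip: [names in file order]}; the first name is the canonical one."""
    table = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        ip, *names = body.split()
        # A later line for the same IP never displaces the first line's names.
        table.setdefault(ip, []).extend(names)
    return table


def reverse_lookup(hosts, ip):
    """Emulate the 'files' backend of a reverse lookup: canonical name or None."""
    names = hosts.get(ip)
    return names[0] if names else None


def check_policy_filenames(hosts_text, objects):
    """Compare the filename the management server would create with the one
    fw_readfiles would open; return a list of (object, ip, created, expected)."""
    hosts = parse_hosts(hosts_text)
    problems = []
    for obj_name, ip in objects.items():
        resolved = reverse_lookup(hosts, ip)
        created = resolved + SUFFIX if resolved else None
        expected = obj_name + SUFFIX
        if created != expected:
            problems.append((obj_name, ip, created, expected))
    return problems


def suggest_hosts_fix(hosts_text, objects):
    """Return hosts text with the object name moved to the front of its line,
    so the reverse lookup yields the name fw_readfiles expects."""
    wanted = {ip: name for name, ip in objects.items()}
    out = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            ip, *names = body.split()
            if ip in wanted and wanted[ip] in names:
                names = [wanted[ip]] + [n for n in names if n != wanted[ip]]
                line = " ".join([ip] + names)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for obj, ip, created, expected in check_policy_filenames(HOSTS_FILE, OBJECTS):
        print(f"{obj} ({ip}): created {created!r}, but fw_readfiles opens {expected!r}")
    print("--- suggested /etc/hosts ---")
    print(suggest_hosts_fix(HOSTS_FILE, OBJECTS), end="")
```

Running it on the sample reports firewall.domain.com (created as firewall.fwrl.conf, opened as firewall.domain.com.fwrl.conf) and fw4.domain.com (no hosts entry), and prints a hosts file in which firewall.domain.com is the first name on the 1.2.3.4 line. Doug's own fix went further and removed the non-matching names entirely; either way the check is the same comparison of the two names.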