Hello our CP and Nokia IPSO gurus,

We are experiencing a problem with the security server on a Nokia 440 with IPSO 3.4 and FW-1 SP4.

We are in the process of upgrading our current production Nokia boxes to IPSO 3.4 and have run into some problems. The current Nokia boxes (IP400) are running IPSO 3.3 with FW-1 4.1 SP3. The firewalls are configured in HA cluster mode via VRRP. For users' internet access, we are using the FW security server features working with Netscape proxy and LDAP servers.

First, we upgraded one standby Nokia box to SP4 and then to IPSO 3.4 according to the Nokia and Check Point SP4 release notes. We followed the instructions and turned off sync mode between the two firewalls within the cluster. After the upgrade, except for fwauthed.conf needing to be changed back to our previous configuration (adding port 8080 for the in.ahttpd daemon for our local security proxy server feature), other things seemed OK, while it was STILL IN STANDBY MODE. The FW-1 4.1 SP4 with IPSO 3.4 box does seem to work "well" as the standby firewall (we tested by changing our browser proxy server settings to point at this particular upgraded firewall). We can get access to the internet via the new IPSO 3.4 Nokia standby box after being authorized via our LDAP server.

The problem happened when we tried to upgrade the master (active) one. We first changed the currently active firewall to standby mode via VRRP. Instantly, we saw the new IPSO 3.4 box take over the master role and the previously active IPSO 3.3 box change to backup (standby) mode. However, here is the problem: we can't get the LDAP authentication prompt any more via the new IPSO 3.4 and FW-1 SP4 machine, and it seems to us that at this point the firewall security server feature is not working any more. We ran tcpdump on the particular interface and saw the local client HTTP traffic coming in to a web server located in the DMZ zone, but we didn't see any traffic back from our web server acknowledging the client's port 80 HTTP request.

It seems to us something is wrong with the security server feature on this new master firewall; the LDAP prompt never gets displayed!! However, if a person comes from the internet, he can gain access to the public web server without any problem. Please share your thoughts and suggestions with us. Currently, we are considering upgrading to IPSO 3.4.1 instead. Any good experience with IPSO 3.4.1 with FW-1 SP4 so far from anyone?

Thanks,
Steven
Steven Wu
Network Security Analyst, DTE Energy
http://www.dteenergy.com
wus@dteenergy
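The symptom described in the post (client HTTP requests seen arriving at the firewall, no reply ever seen on the same interface) is the kind of one-way flow that is easy to miss by eye in a busy tcpdump. The script below, added here as an illustration and not code from the original message or from Nokia or Check Point, parses classic tcpdump TCP summary lines and reports every client whose SYNs to the service port never got any packet back, together with how many times the client retried. The sample capture lines and the addresses in them are constructed for the example; the only assumption is the classic tcpdump line layout (`src.port > dst.port: flags ...`). Note that "no reply on this interface" can mean the packet was dropped on the box or that the return path now runs through another interface or cluster member after a VRRP role change, so a second capture on the other side of the firewall is the natural follow-up check.

```python
"""Flag TCP flows that never receive a reply, from tcpdump text output.

Added example for the one-way-traffic symptom described in the post; not
code from the original message or from Nokia/Check Point. The sample lines
and addresses below are constructed.
"""
import re
from collections import defaultdict

# Classic tcpdump TCP summary line, e.g.
# "12:00:00.000001 10.1.1.5.1025 > 192.168.10.20.80: S 100:100(0) win 8192"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

# Constructed sample: two clients connecting to a DMZ web server through the
# firewall. The first completes its handshake; the second sends three SYNs
# and never sees anything come back.
SAMPLE_DUMP = """\
12:00:00.000001 10.1.1.5.1025 > 192.168.10.20.80: S 100:100(0) win 8192
12:00:00.000400 192.168.10.20.80 > 10.1.1.5.1025: S 500:500(0) ack 101 win 8760
12:00:00.000800 10.1.1.5.1025 > 192.168.10.20.80: . ack 501 win 8192
12:00:01.000001 10.1.1.6.1026 > 192.168.10.20.80: S 200:200(0) win 8192
12:00:04.000001 10.1.1.6.1026 > 192.168.10.20.80: S 200:200(0) win 8192
12:00:10.000001 10.1.1.6.1026 > 192.168.10.20.80: S 200:200(0) win 8192
"""


def parse_lines(text):
    """Yield (src, sport, dst, dport, flags) for each parseable tcpdump line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def find_unanswered(text, service_port=80):
    """Return {(client_ip, client_port): syn_count} for clients whose SYNs to
    service_port were never answered by any packet from the server port.

    A flow is keyed by the client side; any packet travelling from the
    service port back to that client socket counts as a reply.
    """
    syns = defaultdict(int)   # client socket -> number of SYNs sent
    replied = set()           # client sockets that received any server packet
    for src, sport, dst, dport, flags in parse_lines(text):
        if dport == service_port and flags.startswith("S"):
            syns[(src, sport)] += 1
        elif sport == service_port:
            replied.add((dst, dport))
    return {client: n for client, n in syns.items() if client not in replied}


if __name__ == "__main__":
    for (ip, port), n in sorted(find_unanswered(SAMPLE_DUMP).items()):
        print(f"{ip}:{port} sent {n} SYN(s) to port 80 and got nothing back")
```

To use it on a real capture, pipe `tcpdump -n` output into a file and pass the file's contents to `find_unanswered`; a client that keeps retransmitting its SYN with nothing coming back is exactly the pattern to compare against a capture taken on the far side of the box.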
