TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Filip,

I had similar problems and discovered that it was a problem with the
distribution of the various keys and licenses.

If you are using the Check Point version of RealSecure, you can follow the
following steps to get this whole thing working. I haven't seen a couple of
the steps here documented anywhere but if you complete these, it will work!

In my example below, I have three devices: a RealSecure Engine (on NT - host
name rse1), a Management PC (on NT - host name mgmt1) and a Check Point
FireWall Version 4.1-SP1 (on Nokia IPSO - host name nokfw1).

Installation Methodology
 a) Install Check Point FireWall-1 on rse1 and Check Point management on
mgmt1.
 b) Install Check Point RealSecure Console on mgmt1.
  i) Run RealSecure Console Setup from the CD and install the software
  ii) Run RealSecure Console Setup from the CD a second time and select
"Export Console Public Keys" and export the keys to a floppy disk

 c) Modify the $FWDIR/opsec.conf file on mgmt1.
  i) Put a # in front of the line "ela_proxy   auth_type       ssl_opsec" as SSL
authentication is not supported with RealSecure.
  ii) Change the sam_allow_remote_requests to "yes"

 d) Install Check Point RealSecure Manager on mgmt1.
  i) Run CPRSM Setup from the CD and install the software
  ii) Enter the IP address of mgmt1 as the IP Address on which CPRSM would
listen for incoming console connections (despite the fact that it is on the
same machine as the Check Point Management server and should have been able
to use 127.0.0.1)
  iii) Run CPRSM Setup from the CD a second time and select "Export CPRSM
public Keys" and export the keys to a floppy disk
  iv) Run CPRSM Setup from the CD a third time and select "Import
Console/CRSSI Public Keys" and import the keys from the floppy disk

 e) Install Check Point RealSecure Engine on rse1.
  i) Run Check Point RealSecure Engine Setup from the CD and install the
software
  ii) Run RSE Setup from the CD a second time and select "Import Console
Public Keys" which you retrieve from the floppy disk.

 f) PutKeys!
  i) On mgmt1 issue a putkey to rse1: "fw putkey -opsec -p password x.x.x.x"
  ii) On nokfw1 issue a putkey to rse1: "fw putkey -opsec -p password
x.x.x.x"
  iii) On rse1 issue an opsec_putkey to mgmt1: "opsec_putkey -p password
x.x.x.x"
      Got back "OPSEC: Received new control Security key..... x.x.x.x
initialized"
  iv) On rse1 issue an opsec_putkey to nokfw1: "opsec_putkey -p password
x.x.x.x"
      Got back "OPSEC: Received new control Security key..... x.x.x.x
initialized"

 g) ***** THE STEP THAT ISN'T DOCUMENTED ANYWHERE! *****
    Get the CPRSM to talk to the CPRSC
  i) Start the RealSecure Console.
  ii) You will get back the error "CPRSM connection to x.x.x.x failed
(E_CM_TRANSPORT_ERROR)!!".
  iii) Click OK and close the Console.
  iv) COPY C:\Program Files\CheckPoint\KeyContainer\ to C:\ISSKeyContainer\
including subdirectories. I found this one out by chance!!!!!
***** THIS IS TOTALLY UNDOCUMENTED. *****

I checked all of the PDF files and found NO REFERENCE to this step. My guess
is that if the CPRSM and the CP Management machine were two separate
machines this would need to be done on BOTH machines, although I would need
to verify that.

 h) Restart the console. Under RealSecure Management Configuration, enter the
IP address of the CPRSC/CPRSM machine, check that the ports for FWMS are
correct, and add the IP address of the CPRS Engine machine under the
"Engines" tab.

 i) Add the RealSecure License. When licensing RealSecure, use the
management module IP address and not the engine IP address.

 j) Copy the C:\Program files\CheckPoint\RealSecure 4.1\keys directory from
mgmt1 to the C:\Program Files\Check Point\RealSecure 3.2\keys directory
on the engine machine rse1.

 k) Set your global responses (FWopsec - specify the IP address of the mgmt1
machine and inhibit / inhibit and close etc.)

 l) Add a detector (rse1) and configure the profile and your specific responses
etc.

 m) Add a rule allowing the FW1_SAM service between CP Management/CPRSM and FW
modules. Compile and install the rulebase.

Why run the setups twice? This makes it so that the console can talk to the
CPRSM and RS Engine, and CPRSM can talk to the RS Engine in much the same
way that the opsec putkeys establish trust between the various Check Point
Firewall components.

Yours Kindly
Gregor Munro
SecurIT Limited
New Zealand
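The two opsec.conf changes in step (c) are the kind of edit that is easy to get half right and then hard to diagnose, because the symptom only appears later as an opsec_connect failure. The script below is an added example (not from the original post, and not Check Point or ISS code) that applies both edits idempotently and then verifies that the ssl_opsec line is no longer active and that sam_allow_remote_requests is "yes". The opsec.conf layout it assumes (one whitespace-separated directive per line, "#" starting a comment) and the sample file contents are assumptions; only the two directive names come from the post.

```python
"""Apply and verify the two $FWDIR/opsec.conf edits from step (c).

Added example, not from the original post or from Check Point/ISS. The
opsec.conf layout (one whitespace-separated directive per line, '#' for
comments) is an assumption; only the two directive names come from the post.
"""
import sys

# Constructed sample of an opsec.conf fragment in the assumed layout
# (the port numbers are placeholders, not values from the post).
SAMPLE_OPSEC_CONF = """\
# constructed sample, not a real Check Point file
ela_proxy   auth_type       ssl_opsec
ela_proxy   port            18187
sam_allow_remote_requests   no
sam_server  port            18183
"""

SSL_LINE_TOKENS = ["ela_proxy", "auth_type", "ssl_opsec"]


def apply_opsec_edits(text: str) -> str:
    """Return text with the ssl_opsec line commented out (step c.i) and
    sam_allow_remote_requests forced to yes (step c.ii).

    Idempotent: a second run leaves the result unchanged, and lines that
    are already commented out are not touched."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        # c.i: comment out the ela_proxy SSL authentication directive
        if tokens[:3] == SSL_LINE_TOKENS:
            out.append("#" + line)
            continue
        # c.ii: whatever the current value, set the directive to yes
        if tokens and tokens[0] == "sam_allow_remote_requests":
            out.append("sam_allow_remote_requests   yes")
            continue
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def check_opsec_conf(text: str) -> list:
    """Return a list of problems found; an empty list means both edits
    are in place. Commented lines are ignored, so a '#'-prefixed
    ssl_opsec line does not count as active."""
    problems = []
    ssl_active = False
    sam_value = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[:3] == SSL_LINE_TOKENS:
            ssl_active = True
        if tokens[0] == "sam_allow_remote_requests" and len(tokens) > 1:
            sam_value = tokens[1]
    if ssl_active:
        problems.append("ela_proxy auth_type ssl_opsec is still active")
    if sam_value != "yes":
        problems.append(
            f"sam_allow_remote_requests is {sam_value!r}, expected 'yes'")
    return problems


if __name__ == "__main__":
    # Usage: python opsec_conf_fix.py [path/to/opsec.conf]
    # Without a path the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            original = fh.read()
    else:
        original = SAMPLE_OPSEC_CONF
    print("before:", check_opsec_conf(original) or "OK")
    fixed = apply_opsec_edits(original)
    print("after: ", check_opsec_conf(fixed) or "OK")
```

Running the checker on its own against an existing opsec.conf (before making any changes) is the useful part when following the post: if it reports no problems and opsec_connect still fails, the cause is elsewhere in the key distribution, which is exactly what the later steps address.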

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Filip Sneppe
Sent: Thursday, 20 July 2000 4:17 a.m.
To: [EMAIL PROTECTED]
Subject: RealSecure 3.2 & FW-1 OPSEC problem

Hi,

I am experiencing some problems trying to get RealSecure to talk to a
Checkpoint FW-1 4.1 via OPSEC in a test environment. The Realsecure console
and network engine are on the same (NT) computer. The Firewall-1 GUI,
management station and firewall engine are also on one NT host.

I am basically following the steps described in the "Using RealSecure to
Configure Check Point FireWall-1" tech note.

The FW PUTKEY on the FW-1 appears to be successful, as is the opsec_putkey
on the RealSecure machine:

C:\Program Files\ISS\RealSecure 3.2>opsec_putkey 10.0.0.1
Enter secret key:
Again secret key:
OPSEC: Received new control security key from 10.0.0.1
Authentication with 10.0.0.1 initialized

However, as soon as the Realsecure detects an attack and it is supposed to
undertake an OPSEC action, I get a "SamSendAction Failed to send action for
host ..." high priority message on the console.

I have followed the troubleshooting/debugging steps described in the tech
note (starting the network engine from a command prompt) and there seems to
be an OPSEC related problem. When I start the network engine from the
command prompt and set the debugging level to 3, I get:

C:\Program Files\ISS\RealSecure 3.2>network_engine.exe
Reloaded The General Configurations for the Engine.
RealSecure Starting. Product Version '3.2.1999.350'
error in opsec_connect
Reloading user defined strings into finders.
Opening Adapter "[1] Compaq Netelligent 10/100 TX PCI UTP Network Adapter".
Using driver version "3.1.1999.124".

When the RealSecure is supposed to be contacting the FW-1, I get:

Send Firewall request: 172.20.8.1
SamSendAction Failed to send action for host: 172.20.8.1
Send Firewall request: 172.20.8.1
SamSendAction Failed to send action for host: 172.20.8.1

I didn't capture any network traffic between the RealSecure box and the FW-1.

As described in the tech note, I rebooted the FW-1 to make sure (also
rebooted the RealSecure), but to no avail.

Any help on this would be greatly appreciated.

Also, I am thinking about reinstalling the TCP/IP protocol on the RealSecure
machine and reapplying an NT service pack, but I don't know if the
RealSecure installation has modified anything to the NT TCP/IP stack that
will be broken by a protocol reinstall...

-Regards,
Filip