I saw a post from CheckPoint Mail List that should answer your question. I
cut-and-paste it here.
-----------------------------------
-----Original Message-----
From: Manuel Cabrera Silva [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] fw sam error
Hello Mick,
Finally I made it work today. You need NG FP3 HF-1 (at least for my cluster
configuration). In fact it must work on a default instalation. Try this:
fw sam -v -s <fw object name> -D
If you still have the same answer, try to reset sic communication between
the module and management (caution you may lose conection). Reinitialize SIC
comunication and try again.
If you have a success response, then try fw sam -v -D. I hope you to have a
succefull response so that you can configure Realsecure communication.
In the management: fw putkey -opsec <ip realsecure net sensor> (provide a
shared secret twice as requested)
In the RS Sensor: opsec_putkey <ip management> (provide same secret
requested before, twice again)
Afeter that, from the RS Console stop and restar the sensor and that's all.
(check reponses so they are directed to the management, and a good way to
test it is enabling the "email debug" detection)
Finally, if you are unable to get a successful response at the manual
execution of sam commands from the management, think on sic_reset. This
operation is risky but it can be controled ("backup you configuration
first"). This might let you an unusable management and ready to use you
backup.
I hope this can can help you to configure your RealSecure. By the way, as
you only have one module, you can configure RS to interact directly with it,
replace management ip for module ip in the previous procedure, even in RS
responses and it works.
Manuel Cabrera
CCSA. NSA.
Cosapisoft
-----Original Message-----
From: Mick Toothaker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] fw sam error
I am working with OPSEC suspicious activity messages (SAM), trying to get
our RealSecure IDS to originate SAM and CheckPoint NG to respond to SAM. The
next step I need to take is making sure that "fw sam -v -t 60 -i src <IP
address>" manual methods work. Well, they are not. When I enter the
address>above
command at the management console, I get the following error:
sam: Unexpected end of session. It is possible that the SAM request for
'Inhibit Drop Close src ip <IP addressas> on All' was not enforced.
where <IP address> is a dotted decimal IP address.
I found the article on the SecureKnowledge database "sk8382", but that did
not make any difference, and I am not sure that article applies to my
environment.
VPN-1 NG FP3 (non-HF1), single enforcement point, single management console.
Enforcement point: SecurePlatform, NG FP3, Second Edition (non-HF1)
Management console: Windows 2000 Server, NG FP3 (non-HF1)
Mick Toothaker
Manager of Technology Services
Fidelity Bank, Wichita, KS
-----Original Message-----
From: Marco Tramacere [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 6:52 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [ISSForum] ISS Network sensor and Checkpoint NG fp3
Hi,
sorry to bother you, I saw your post in issforum:
RealSecure Network Sensor don't reconfigure your security polici,
it uses Check Point SAM Module (Suspicious Activity Monitoring), .........
the network sensor signal first it is send to the firewall
management server and then it is send to the Firewall Module.
I'm having trouble exacly with this configuration.
I made it work with direct communication between the Network sensor and the
FW Module but not via NS -> FWManagment -> FWModule.
When I try to set up the communication between NS and the FWManagement
The "putkey" commands succed.
cp mngmt: C:\Servers\FW1\NG\bin>fw putkey -opsec -p mypass
192.168.205.10
rs ns: /opt/ISS/RealSecure6_5/opsec_putkey -p mypass 192.168.205.5
OPSEC: Received new control security key from 192.168.205.5
Authentication with 192.168.205.5 initialized
In The response policy that I applied, I did define:
FW manament station: 192.168.205.5
FW Module: tryed with "all" or specifying the ip of the module:
192.168.205.1
With a network sniffer I see the sam command going from the NS to the FW
Mngmt but it seems that the FW management does not "proxy" the sam request
to the FW module.
do you have any idea ?
best regards
Marco
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
