Diary of a geek

June 2005
Mon Tue Wed Thu Fri Sat Sun
    2
     

Andrew Pollock

Categories

Other people's blogs

Subscribe

RSS feed

Contact me

JavaScript required


Thursday, 02 June 2005

Firewall-1: Great when it works, utter poo when it doesn't

Let me just start off by saying that CheckPoint Firewall-1 is probably my preferred EPLed packet-filtering firewall. The GUI is good, the fact that it is "object-oriented" is also good. What is not good is the complexity of a deployment and the ability to troubleshoot it when things go wrong. When it's broke, you are left with your pants down.

I've just deployed some new (non-production) firewalls. I've got a management station (which is also an enforcement module), which is multi-homed (5 interfaces). There are two enforcement modules managed by this management station, one on each of two of the 5 interfaces.

I'm able to push a policy from the management station to the enforcement modules. That's all good. If I try to make the enforcement module fetch a policy from the management station, it decides it would like to talk to it on one of the unrelated interfaces, rather than on the interface that is directly connected, or to the interface with the IP address of the management station object in the rulebase. Bonkers.

Furthermore, if I do issue a

fw fetch master
this works fine. It's just trying to log to the wrong interface of the management station, and fetch its policy (by default) from the wrong interface. Highly vexing stuff. As it's non-production, I'm getting close to reinstalling Firewall-1, but I wouldn't mind determining the cause for future reference in situations where this might not be an option.

[17:54] [work] [permalink]