All,
***PROLOGUE***
First I want to state that I appreciate anyone who has taken the time to respond to this thread in any way, shape or form. Now I can beg for help!
Our organization has used NG FP3 on Win2k for quite some time now. My duties, since being hired, have been to identify software/hardware that needs replacement/upgrade. Our firewall has been in my crosshairs for some time.
***THE UPGRADE PROCESS--BACKGROUND***
We have two identical servers: (1) the active firewall, running NG FP3 with all applicable hotfixes on Win2k Server, and (2) the "backup firewall." I rebuilt the backup firewall with Win2k, all applicable service packs, updates, etc. I configured the server's networking interfaces & routing tables to match the current active firewall.
I took the NGX R62 CD, put it in the active firewall, and ran the export procedure as documented in the upgrade guide. The Check Point "installation" program generated a tar-gzipped archive of the entire configuration of the active firewall, as it should. That was relatively painless and simple; I was impressed.
I took the tar-gzipped configuration and moved it over to the "backup firewall" that I am using as the upgrade box--which will replace the active firewall. I ran the installation program and selected the option to import an exported configuration. The installation program for R62 ran without error. I rebooted, installed the upgraded UTM/NGX licenses, put hardware loopbacks into the Ethernet interfaces and fired up SmartDashboard. Logged in, the configuration looked exactly the same. I did a few hours of in-depth configuration comparisons between the two servers to make sure that the upgrade export/import didn't miss anything. Everything looked good.
***THE ROADBLOCKS***
When our maintenance window arrived, I rolled into work, cup of coffee in hand, fired up some ping/http/cifs tests to run automatically, and verified the active firewall was responding the way it always has; all good. I then swapped the firewalls' Cat5 cables for the internal/external interfaces over to the "backup firewall" (fresh install of NGX R62 with the exported/imported configuration from NG FP3), dumped the ARP tables on the most applicable switches, looked at my tests, and boom, everything "looked good."
VPN tunnels: up and chirping
SecureRemote Login: active and ready
Internal to Internet traffic: flowing nicely
Aces right?
I then proceeded to test the services that we host: mail, some http, a little sftp, and a pinch of https--nada, zip, zero, nuthin'
Went into SmartDashboard to check the config; the automatic NAT rules existed. I checked the proxy ARP table ("fw ctl arp") -- looked good. Compared the NAT config on the NG FP3 firewall to the NGX one, no difference. I got a little worried.
I logged into a box that has a NAT rule specified for it, couldn't get out to the internet; as a matter of fact, couldn't get past the firewall, no VPN, no nuthin'. Okay, dumped the ARP tables on the box, verified, checked the new MAC address against the actual interface on the firewall, same. Attempted external communication from that box again, nothin'.
Fired up SmartView Tracker; packets didn't even look like they were making it to the firewall. So I said to myself, okay, maybe this is isolated, right? WRONG. I logged into another box that was configured for auto NAT, same deal.
I did some research and here is what I came up with. Maybe something about the automatic proxy ARP was broken and not listening for that traffic and passing it through the engine. I manually created a local.arp file and put it in the appropriate directory. I deleted all the automatic NAT rules just to make sure that the manual proxy ARP file was being used; it was. Re-created the auto NAT rules, based on the other firewall's configuration, tested, same results. I then played around with manual NAT for a while. I already had the proxy ARP entries created manually and figured that this might do the trick. Same result.
I realized what I might be missing at this point is something obvious: routing. I read some posts from northlandboy and robertgraham, whom incidentally I used to work with; small Internet, huh? Anyway, their recommendations have been to abandon automatic NAT wherever possible in favor of manual NAT and routing statements on the CE. Here is the issue with that: our next hop is the PE. Our firewall acts as the router, as our circuit comes in via Ethernet. The routing entries on the CE, which would be the firewall itself, proved to be fruitless. I tried my hand at a few things there, didn't really get anywhere. I then read some more posts.
I found a post, "moving to NGX : two questions", which alluded to an issue using the export/import tool and then upgrading. joris said that he had to add some routes to the firewall to fix the automatic NAT config.
I haven't tried the route entries yet, and really don't want to; there has got to be a better solution. I don't want to pair auto NAT with manual band-aids (proxy ARP, routes, etc.) if auto NAT should take care of all this in the first place.
I know I have probably provided a lot of useless information, so if you have any specific questions, I will be inclined to elaborate. Any help on why the automatic NAT rules are not working the way that they were designed? I'd like to stick to using them as opposed to the manual NAT rules, for simplicity of management for other people who may touch the firewall in the future.
Thanks!
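The symptom described above (NATed addresses that never show up in SmartView Tracker) is what a missing or wrong proxy ARP entry looks like from the inside: the upstream router never learns a MAC for the public address, so the frames are never sent toward the gateway. Below is an added example, not code from this post or from Check Point, that audits a hand-written local.arp file against the list of addresses the automatic NAT rules are supposed to publish and against the external interface's real MAC, automating the "check the MAC against the actual interface" step from the post. It assumes the Windows local.arp layout of one "IP MAC" entry per line with a dash-separated MAC; the addresses, MACs and file contents are constructed for the example.

```python
"""Audit a Check Point-style local.arp file against the addresses that
automatic NAT is expected to publish on the external interface.

Added example, not code from the forum post or from Check Point.  It assumes
the Windows local.arp layout of one "IP MAC" entry per line (MAC written with
dashes).  All addresses and MACs below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample local.arp contents.  The third entry has a typo in the
# MAC, the kind of slip that silently leaves one NAT address unreachable.
SAMPLE_LOCAL_ARP = """\
203.0.113.10 00-11-22-33-44-55
203.0.113.11 00:11:22:33:44:55
203.0.113.12 00-11-22-33-44-5Z
"""

# Constructed: public addresses the policy's automatic NAT rules publish, and
# the external interface's real MAC (what "ipconfig /all" shows on the gateway).
NAT_ADDRESSES = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
EXTERNAL_IF_MAC = "00-11-22-33-44-55"

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonical form for comparison: upper-case, dash-separated."""
    return mac.upper().replace(":", "-")


def parse_local_arp(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Return ({ip: normalized_mac}, [(line_no, problem), ...]).

    Blank lines and lines starting with '#' are skipped by this script; that is
    a convenience of the example, not a documented feature of the file format.
    """
    entries: Dict[str, str] = {}
    problems: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((line_no, f"expected 'IP MAC', got {len(fields)} fields"))
            continue
        ip_text, mac = fields
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ipaddress.AddressValueError:
            problems.append((line_no, f"invalid IPv4 address {ip_text!r}"))
            continue
        if not MAC_RE.match(mac):
            problems.append((line_no, f"malformed MAC {mac!r} for {ip}"))
            continue
        if ip in entries:
            problems.append((line_no, f"duplicate entry for {ip}"))
            continue
        entries[ip] = normalize_mac(mac)
    return entries, problems


def audit_proxy_arp(entries: Dict[str, str], nat_addresses: List[str],
                    interface_mac: str) -> Dict[str, List[str]]:
    """Compare the parsed file with what automatic NAT needs.

    missing:   NAT addresses with no proxy ARP entry at all (the upstream router
               never learns a MAC for them, so traffic never reaches the gateway).
    wrong_mac: entries whose MAC is not the external interface's MAC.
    extra:     entries for addresses the policy does not NAT to (stale leftovers).
    """
    want = set(nat_addresses)
    have = set(entries)
    iface = normalize_mac(interface_mac)
    return {
        "missing": sorted(want - have),
        "wrong_mac": sorted(ip for ip, mac in entries.items() if mac != iface),
        "extra": sorted(have - want),
    }


def run_audit(text: str = SAMPLE_LOCAL_ARP,
              nat_addresses: List[str] = NAT_ADDRESSES,
              interface_mac: str = EXTERNAL_IF_MAC) -> Dict[str, object]:
    """Parse and audit in one step; returns a report dict."""
    entries, problems = parse_local_arp(text)
    report = audit_proxy_arp(entries, nat_addresses, interface_mac)
    return {**report, "parse_problems": problems}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Run against the real file and the NAT address list pulled from the policy, the report tells you in one pass which published addresses have no proxy ARP at all, which ones point at a MAC that is not the external interface, and which entries are leftovers from an old policy; any address in "missing" or "wrong_mac" will behave exactly like the hosts in the post, with nothing ever logged at the gateway.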