Post #10 by dantro, 2008-03-10
Re: How to establish SIC betwn mgmt cntr and enforcement module WITHOUT SMART DASHBOA

From the Secure Knowledgebase:

Performing an 'fw putkey'

Solution
An easy method for performing this is to use the 'fw putkey' command from the OS command prompt. To perform this correctly:

1. Ensure that both machines have a hosts file with name to IP address resolution that directly matches the hostname as they are defined on their respective machines.

2. Stop the FireWall and Management modules.

3. At the command prompt type 'fw putkey <hostname>', with hostname being the hostname of the opposite machine. In other words, from the Management module, issue the command with the hostname of the FireWall module that you have placed in the hosts file. You will then be prompted for a password. Use a password of 8 characters or less. Enter it again.

4. Perform the same action from the other machine.

5. Now start the management module, and once it is fully started, start the FireWall module.

Using fw putkey when Static NAT is used for the Management Station

Solution
Numbered items 1-5 describe the environment:

1. Management Server machine

Private IP address = 172.30.5.11
Statically NAT'd IP address = 212.150.194.191

2. Module A machine directly connected to the Management Server

LAN IP address = 172.30.5.2
External IP address = 212.150.194.213

3. Module B machine NOT directly connected to the Management Server

External IP address = 212.150.194.215

4. The $FWDIR/conf/clients file on the Management Server includes the following IP addresses:

* LAN IP address = 172.30.5.2 (Module A machine directly connected to Management Server).
* External IP address = 212.150.194.215 (Module B machine NOT directly connected to Management Server).

5. The $FWDIR/conf/masters file on the Module machines includes the following IP addresses:

* Module machine directly connected to Management Server = 172.30.5.11
* Module machine NOT directly connected to management = 212.150.194.191 and 172.30.5.11

Proceed as follows:

Stage 1
======
Run 'fw putkey' between the Management Server and the Module A machine directly connected to the Management, as follows:

1. Run 'fwstop' on both machines

2. On Management machine run:
fw putkey -n 172.30.5.11 172.30.5.2

3. Enter the secret key.

4. On Module A machine run:
fw putkey -n 172.30.5.2 172.30.5.11

5. Enter the secret key (same one as entered on Management).

6. On Management machine run 'fwstart'.

7. On Module A machine run 'fwstart'.

8. Define Module object in Policy Editor.

9. Define following rule: Source = management, Destination = Module machine directly connected to Management, Service = FW1, Action = Accept

10. Install Policy

11. Ping the IP address 212.150.194.191 to make sure that Static NAT works.

Stage 2
======
Run 'fw putkey' between the Management Server and Module B machine NOT directly connected to Management, as follows:

1. Run 'fwstop' on both machines

2. On Management machine run:
fw putkey -n 172.30.5.11 212.150.194.215

3. Enter secret key.

4. On Management machine run:
fw putkey -n 212.150.194.191 212.150.194.215

5. Enter secret key.

6. On Module B machine run:
fw putkey -n 212.150.194.215 212.150.194.191

7. Enter secret key (same one as entered on Management).

8. On Module B machine run:
fw putkey -n 212.150.194.215 172.30.5.11

9. Enter secret key (same one as you entered on Management).

10. On Management machine first run: 'fwstart'

11. On Module B machine run: 'fwstart'

12. Define Module object on Management machine (This could be done in an earlier stage)

13. Install Policy


Flushing all putkey-related files and re-establishing putkeys

Solution
If the putkey command is not working, you can flush all putkey related files as follows:

1) Run 'fwstop' on the Management Module and the FireWall Module

2) Backup the following files by copying them to <filename>.old

$FWDIR/database/authkeys.C
$FWDIR/database/opsec_authkeys.C
$FWDIR/conf/fwauth.keys
$FWDIR/conf/serverkeys.*

NOTE: You must delete the original files. If you do not, the new putkeys will not overwrite the old keys and the procedure will not work.

3) Confirm that $FWDIR/lib/control.map is using the same authentication method as the Management Module (either fwa1 or skey).

4) Make sure the modules are able to resolve each other's IP address, and the addresses you receive are the ones you use in steps 5 and 6.

5) On the Management Module, perform the following command:
fw putkey -p <password> -n <Management Module IP> <FireWall Module IP>

6) On the remote FireWall Module perform the following command:
fw putkey -p <password> -n <FireWall Module IP> <Management Module IP>

7) On the Management Module:
fwstart

8) Wait for manager to be up, and then on the FireWall Module(s):
fwstart

The putkey process is very detailed and a single error can make it fail. If the putkey process still does not work, repeat steps 1 to 8.

If the above procedure does not work, you can try using a different encryption scheme, skey for example.

In the $FWDIR/lib/control.map replace fwa1 with skey

SECURITY WARNING: If you absolutely must fetch or push a new policy on the firewall, the following step will DISABLE policy and log authentication on the firewall:
If you use 'none' in the control.map instead of 'fwa1' or 'skey', you will be able to push a new policy to the FireWall Module from ANY Management Module.
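Added example, not from the post or from Check Point: a small POSIX shell helper for the two procedures quoted above (the hosts-file and 8-character secret checks from the first putkey procedure, and the backup-then-delete step of the flush procedure). It assumes the firewall directory is passed in as an argument in place of $FWDIR, and it only prints the 'fw putkey' commands for the operator to type rather than running 'fw' itself.

```shell
#!/bin/sh
# Added helper for the 'fw putkey' procedures above (not Check Point code).
# Assumes the <fwdir> argument is the firewall install directory; nothing
# here runs 'fw' itself, the commands are only printed for the operator.
set -u

# Step 1 of the first procedure: the peer's hostname in the hosts file must
# resolve to exactly the IP address that will be used on the command line.
hosts_resolve_ok() {   # hosts_resolve_ok <hosts_file> <hostname> <ip>
    awk -v h="$2" -v ip="$3" '
        NF >= 2 && $1 !~ /^#/ {
            for (i = 2; i <= NF; i++) if ($i == h && $1 == ip) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Step 3: the shared secret must be 8 characters or less (and not empty).
secret_ok() {          # secret_ok <secret>
    [ -n "$1" ] && [ "${#1}" -le 8 ]
}

# Flush procedure, step 2: copy each key file to <file>.old, then delete the
# original so the new putkey is not blocked by the stale keys.
flush_putkey_files() { # flush_putkey_files <fwdir>
    for f in "$1/database/authkeys.C" "$1/database/opsec_authkeys.C" \
             "$1/conf/fwauth.keys" "$1"/conf/serverkeys.*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.old" && rm -f "$f"
    done
}

# Stage 1, steps 2 and 4: the same pair of addresses, in opposite order on
# each side (own address first, peer second).
putkey_commands() {    # putkey_commands <mgmt_ip> <module_ip>
    printf 'mgmt:   fw putkey -n %s %s\n' "$1" "$2"
    printf 'module: fw putkey -n %s %s\n' "$2" "$1"
}
```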