connecting a fw to a SmartCenter ..

[derspot]

Hi is this statement true:

You can attach any Gateway, no matter its currnet config, to a SmartCenter - provided that:
-you have full connectivity
- you perform a sic reset.

I played around and found that the time must match on the SC and the FW, for the sic to initialize. I think even the time zone must match. After the SIC is initialized, time doesnt really matter anymore.

Question 2.
What is in the so called InitialPolicy - that is , what traffic the FW allows from/to it. I guess it doesn't allow any traffic pass.

Question 3. What happens if the CP services are down. Is any traffic allowed throug the FW ? Can it talk to the SC ?

[chillyjim]

Quote:

Originally Posted by derspot

Hi is this statement true:

You can attach any Gateway, no matter its currnet config, to a SmartCenter - provided that:
-you have full connectivity
- you perform a sic reset.

I played around and found that the time must match on the SC and the FW, for the sic to initialize. I think even the time zone must match. After the SIC is initialized, time doesnt really matter anymore.

Yup a gateway can be switched to a different SMC.

As for time, clocks always need to be close at least for SSL/TLS. Timezones should be set correctly then it will work. eg if the SMC is set to GMT and GW is set to EST, the clocks need to show a 5 hour difference.

Quote:

Question 2.
What is in the so called InitialPolicy - that is , what traffic the FW allows from/to it. I guess it doesn't allow any traffic pass.

See $FWDIR/conf/initial_module.pf for details.

Quote:

Question 3. What happens if the CP services are down. Is any traffic allowed throug the FW ? Can it talk to the SC ?

That's the idea. Routing should be disabled and controlled by FW1

[derspot]

Thanks Thanks

[Reaper]

If you want to, you can change the default policy. Use the following commands:

cp $FWDIR/lib/defaultfilter.ipso $FWDIR/conf/defaultfilter.pf
fw defaultgen
cp $FWDIR/state/default.bin $FWDIR/boot

Now you have SSH and HTTPS access even after running cpconfig and applying Initalpolicy. Much more convinient, in case you screw something up :)

[derspot]

Thanks , geeky stuff.

[NickBrandson]

Just wondering how it would work if the SmartCenter in the HQ and the remote gateways in different timezone. Possible to do so?
Or we have to give up the local time zone and set as the same as HQ.

[chillyjim]

As long as the OS's timezone is set correctly all is good. Time is stored as UTC/GMT and displayed in the local TZ. So its no problem having a SmartCenter in NYC on EST and a gateway in LA on PST. All is happy.