CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Putkeys with two different firewalls with the same IPs

(This is relevant to FireWall-1 4.1 and earlier.)

What is actually happening with a putkey is that you are setting up a "chain" (sort of like S/Key). The "putkey password" is the seed for this chain. Each time an authenticated session between systems is needed, one "key" in the "chain" is used. After a while, it generates a new "chain" based off the "putkey password" and the previous chain.

You can see where this is going: when you fail over to system B, the management console thinks it's still talking to A. A thinks the state of the authentication is one way, B thinks it's another way. They can't talk to one another until you redo the putkeys.

The authentication really uses the nodename IP address of the box, not the IP address specified in masters (or any other place). If the nodename IP of the box is the same (or even if it isn't), you can probably use the -n trick to solve it, i.e.:

On the Management Console:

    fw putkey -n mgmt-ip fwA fwB

On FireWall A:

    fw putkey -n fwA-ip mgmt-ip

On FireWall B:

    fw putkey -n fwB-ip mgmt-ip

The assumption here is that fwA-ip and fwB-ip are unique to each system.

Note that once you've done this, all further '-n' putkeys you do must be to the same IP address (i.e. the argument to -n is the same) or your putkeys will break. I found this one out the hard way.

-- GuyR - 11 Jan 2004

FAQs.Class: RemoteManagementFAQs
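To make the failover problem concrete, here is a small simulation of the chain mechanism as the FAQ describes it. This is an added illustration, not Check Point's actual putkey code: the chain length, the use of SHA-256 and the peer names are assumptions of the model, and `reset()` stands in for re-running `fw putkey` on both sides.

```python
import hashlib

CHAIN_LEN = 4  # keys per chain; an assumed value for this model, not FW-1's


def make_chain(seed: bytes, prev_last: bytes) -> list:
    """Derive a fresh chain from the putkey password (seed) and the previous chain."""
    keys = []
    cur = hashlib.sha256(seed + prev_last).digest()
    for _ in range(CHAIN_LEN):
        cur = hashlib.sha256(cur).digest()
        keys.append(cur)
    return keys


class Peer:
    """One host's view of the authentication chain state."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.seed = password.encode()
        self.last = b""                      # last key of the previous chain
        self.chain = make_chain(self.seed, self.last)
        self.pos = 0                         # next key to consume

    def next_key(self) -> bytes:
        if self.pos == len(self.chain):      # chain exhausted: derive the next one
            self.last = self.chain[-1]
            self.chain = make_chain(self.seed, self.last)
            self.pos = 0
        key = self.chain[self.pos]
        self.pos += 1
        return key

    def reset(self, password: str) -> None:  # models redoing the putkey
        self.__init__(self.name, password)


def session(a: Peer, b: Peer) -> bool:
    """An authenticated session succeeds only if both sides are at the same chain key."""
    return a.next_key() == b.next_key()


def failover_scenario(sessions_before: int = 6) -> tuple:
    mgmt, fw_a, fw_b = Peer("mgmt", "s3cret"), Peer("fwA", "s3cret"), Peer("fwB", "s3cret")
    ok_a = all(session(mgmt, fw_a) for _ in range(sessions_before))  # mgmt talks to A
    ok_b = session(mgmt, fw_b)           # failover: mgmt's state has moved on, B's has not
    mgmt.reset("s3cret")
    fw_b.reset("s3cret")                 # redo putkeys on both sides
    ok_after = session(mgmt, fw_b)
    return ok_a, ok_b, ok_after
```

`failover_scenario()` returns `(True, False, True)`: sessions with A work, the first session after failover to B fails, and redoing the putkeys realigns the state.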