Nokia IP350 & IPSO3.6 + web visualistaion tool

[jemma_noor]

Hi All,

Would appreciate any help you could provide me with the following;

-1- We have a live checkpoint firewall1/vpn1 running on nokia ip330 with ipso 3.6 and checkpoint firewall1/vpn1 NG FP3. We intend on installing a second gateway at a remote site. The second device is a nokia ip350 with ipso 3.9. Checkpoint license for this covers the Firewall/VPN pro express NGX.

According to Nokia Website, the IP350 is not supported with ipso 3.6 and but is with ipso 3.5.1. We would like to retain the existing version of the ipso (3.9) but down grade the checkpoint package to NG FP3. I would like to read from anyone who is running the ip350 with ipso 3.9 and NG FP3 or know’s of any reservations with such a setup. Alternatively, I could downgrade the ipso image to 3.5.1 and install NG FP3?

-2- The cpdd2web.exe (or web visualisation tool) creates a 1.html file with headings but no data and generates the error message – “the procedure entry point_cp_get_cpdir could not be located in the dynamic link library OS.dll”.
I have installed the utility on 2 different windows pc’s (winxp sp2 and win2k sp4), both of which have access to the smartcentre server but the same error is repeated. The full syntax I am using to run the tool is “cpdb2html C:\Progra~1\CheckP~1\SMARTc~1\NGFP3~1\PROGRAM c:\cpinfo 192.168.5.200 adminname adminpassword”.

Where I’m I going wrong?


Thank you for your feedback.

Jemma
XX

[Sergej]

Quote:

Originally Posted by jemma_noor

Hi All,
According to Nokia Website, the IP350 is not supported with ipso 3.6 and but is with ipso 3.5.1. We would like to retain the existing version of the ipso (3.9) but down grade the checkpoint package to NG FP3. I would like to read from anyone who is running the ip350 with ipso 3.9 and NG FP3 or know’s of any reservations with such a setup. Alternatively, I could downgrade the ipso image to 3.5.1 and install NG FP3?

Look inside Nokia documentation (i suppose release notes). There is a table which describes IPSO - CheckPoint - Hardware versions compatibilities. You can not install random version of IPSO and Checkpoint. Some Nokia appliances can not be downgraded to old IPSO versions.

[Lackie]

FP3 is supported on IPSO 3.9 but there are some things that are not supported and some limitations (listed below). I don't think any of this would affect you but make sure before you put it into place. As for 'downgrading' to IPSO 3.5.1, if you do go this way, do a fresh/clean install from the boot manager as there isn't any other supported way and it can cause some problems if you just install 3.5.1 on top of 3.9.

Not supported when using FP3 on IPSO 3.9:
- IP clustering in IPSO. Because of changes in the clustering API, IP clustering in IPSO 3.9 is not backwards compatible with Check Point versions earlier than NGAI (R55) for IPSO 3.8. Use VRRP for high availability instead.

- SecureXL. This feature is not supported by NG FP3. Use Firewall Flows for firewall throughput acceleration.

- Multicast acceleration.This feature is not supported by NG FP3.

- Monitoring of the firewall state by VRRP. Firewall state monitoring was introduced in IPSO 3.8 and is not supported by NG FP3.

Limitations when using FP3 on IPSO 3.9:
- Enabling SecureXL might cause the system to panic and reboot. <PR 50646>

- No error checking prevents you from enabling flowpath while FloodGate-1 is running. <PR 50765>

- Using dynamic routing protocols with VRRP is not supported as of HFA 327.<PR 50922>

- Because VRRP cannot monitor the firewall state, a system on reboot might become master before the firewall is ready to accept connections, causing current connections to be lost. To avoid this problem, use the VRRP Preempt Mode option to specify that if the master fails over to a backup system, it should not re-establish itself as master when it becomes active again. (Note that the Coldstart Delay option is not available in IPSO 3.9, having been
replaced by the Monitor Firewall State option.) For more information on how to configure preempt mode, see the Nokia Network Voyager for IPSO 3.9 Reference Guide.<PR 50110>.

[ligmania]

for the web tool you should also profide the directory, ipaddress of smartCenter server and output filename. I've used this tool on the management server to migrate settings and rules to new management servers. Try running the tool directly from the smartcenter server and make sure you supply the ip address.

Ex.

cpdb2html c:\path2cpdb2html_install c:\outputdir MangServIPAddress admin_name admin_passwd -o output.html