Install Database > FW module doesn't show?

[ajlafontaine]

In the process of rolling out an NGX R60 installation beside an existing NG FP3 setup that is to be retired. When trying to install the user database selectively to update different FW modules, only the primary smart center FW appears in the list. Other FW modules managed from this smartcenter do not show up.

At one point I had a similar problem with NG FP3 but I just can't remember what I did to fix it. All settings between the new NGX and the old NG FP3 are identifical. This is a pain as some "user admins" are not allowed to update the rules, which is the only way to install user database for those FW modules at the moment.

Any ideas?

[humayun]

I have a basic question, how do you install the User Database from the Dashboard to your firewall objects?

Needed urgently as I am assuming a corrupted database.
Thanks.

[kva.kva]

You can "install database" only on SmartCenter, Log modules etc, not on modules. This feature helps to update users and groups without re-installing the Rule Base.

[northlandboy]

humayun, if you think the DB is corrupted, just install policy on the module - that also installs the database.

ajlafontaine, you used to be able to have users who could install the database only, and then it became something you could only do by editing objects_5_0.C - have a look at sk15270. You need to edit allow_install_users_db_on_module

However, you should be warned that this can cause some problems. What ends up happening is that the DB gets out of sync with the policy. What I've seen happen is for SecureClient to start dropping all the authenticated rules on the cleanup rule, until you reinstall policy. I'm not sure exactly what causes it - things will be going fine, install DB a few times, no problems - and then it stops working. I'm not sure if it's caused by certain sorts of changes - perhaps user/object deletes?

I don't know what your setup is, but I understand having something like that, where you have user admins who are separate from the firewall team. What you could do, if the users are being authenticated externally, is to use a generic* user, and let the ACE server (or whatever) handle it.