| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
Hello,

I am trying to install NGX V61 on Solaris 10; the installation works fine. But after installation and boot, no interfaces are plumbed. See also the details. I have installed the latest ALOM, OBP and Solaris recommended patches (July 20, 2006).

```
Sun Fire V210, No Keyboard
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
OpenBoot 4.18.10, 2048 MB memory installed, Serial #57870381.
Ethernet address 0:3:ba:73:8:2d, Host ID: 8373082d.

Rebooting with command: boot
Boot device: /pci@1c,600000/scsi@2/disk@0,0:a File and args:
SunOS Release 5.10 Version Generic_118833-18 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hardware watchdog enabled
FW-1: driver installed
Failed to plumb IPv4 interface(s): bge0
Jul 24 20:47:02 svc.startd[7]: svc:/network/physical:default: Method "/lib/svc/method/net-physical" failed with exit status 96.
[ network/physical:default misconfigured (see 'svcs -x' for details) ]
Hostname: xxxx
Configuring devices.
SVM: driver installed
VPN-1: driver installed
Jul 24 20:47:21 in.mpathd[246]: main: IPv4 socket open: Protocol error
checking ufs filesystems
/dev/dsk/c1t1d0s0: is logging.
/dev/rdsk/c1t0d0s7: is logging.
Jul 24 20:48:23 svc.startd[7]: svc:/network/rpc/bind:default: Method or service exit timed out. Killing contract 38.
Jul 24 20:48:23 svc.startd[7]: svc:/network/rpc/bind:default: Method "/lib/svc/method/rpc-bind start" failed due to signal KILL.
Jul 24 20:49:23 svc.startd[7]: svc:/network/rpc/bind:default: Method or service exit timed out. Killing contract 41.
Jul 24 20:49:23 svc.startd[7]: svc:/network/rpc/bind:default: Method "/lib/svc/method/rpc-bind start" failed due to signal KILL.
Jul 24 20:50:24 svc.startd[7]: svc:/network/rpc/bind:default: Method or service exit timed out. Killing contract 43.
Jul 24 20:50:24 svc.startd[7]: svc:/network/rpc/bind:default: Method "/lib/svc/method/rpc-bind start" failed due to signal KILL.
[ network/rpc/bind:default failed (see 'svcs -x' for details) ]
xxxx console login: Jul 24 21:20:25 svc.startd[7]: svc:/milestone/multi-user:default: Method or service exit timed out. Killing contract 54.
Jul 24 21:20:25 svc.startd[7]: milestone/multi-user:default timed out, fault threshold reached
xxxx console login:
```

Any idea?

Regards
Marcel
| |||
| This is a known issue between Check Point (SK31772) and Sun Microsystems (Bug 6401218). The only workaround at this moment is to remove patches 118833-18, 122856-02, 120661-04, 119981-09 and 118822-30, and install 118822-20. Regards, Marcel |
| |||
I just found a solution to this. Anything else I found did not apply to either Release 1 or Release 2 of Solaris (1/06 or 6/06). My system is a 6/06 core install w/o any patches applied.

- Disable the fwip autopush by commenting the two lines `push_fwip_module udp fwip` and `push_fwip_module udp6 fwip6` in /etc/init.d/fw1boot
- Reboot
- Manually unplumb the interface (bge/e1000g/... whatever)
- Manually plumb and up the interface
- Double check

If it looks like the following, you get it done.

```
#> ifconfig bge0(your system interface) modlist
ip fw bge0
#> strconf </dev/udp
udp ip
```
| |||
| Sun issued patch 118833-23 that addresses bugid 6401218. My system no longer panics. It is running Solaris 10 6/06 with the latest kernel patches. However, I still had to comment out: push_fwip_module udp fwip from /etc/init.d/fw1boot. |
| |||
| We've been running Checkpoint on Solaris since the 3.0b days. Most of our builds are on Solaris 9 using JASS for hardening, running NGX R60 HFA03. I'm pretty happy with my JASS build for 10... Maybe I'll put up a blog page with this. But getting R60 HFA03 (downloaded from Checkpoint - which specifically notes it's for 10) installed brings no joy. Found the reboot/panic issue and was referred to the IDR patch @ Sun, which became a T patch and on 9/15 was released as kernel patch 118833-23. So happily I install it, create a new flar (so we can roll out tons of firewalls easily). Install Checkpoint, goes fine. Reboot and now it's just hanging there. I wish both Checkpoint and Sun would get their act together around this. 10 has been out forever now. It doesn't panic and reboot anymore, but now it just complains about plumbing the interface (bge). R60 does not have that autopush stuff you guys have been commenting out of fw1boot. Will post more as I find out more. - Seann |
| |||
| Hello, I installed a Solaris 10 with Solaris Hardware Core 1/06 with a ClusterPatch downloaded from Sun, released on May 3, 2006. The patch included with this bundle is 118833-03. I have installed the Check Point NGX R61 and everything is working fine. This means that the problem occurs after 118833-03. Regards, tHeInDiAn (Last edited by tHeInDian; 2006-09-26 at 07:43.) |
| |||
| Checkpoint has sk32031 on getting Solaris 10 update 2 to work with NGX R60 or higher. They have issued a new fw1boot file - it works now - no need to comment out "push_fwip_module udp fwip" |
| |||
Hello,

there is a final solution for this problem from Check Point (https://secureknowledge.checkpoint.c....do?id=sk32031):

---

Solaris 10 Release 2 (06/06) supports VPN-1 Pro NGX R60 and higher. To use VPN-1 Pro NGX on a Solaris 10 Release 2 machine, perform the following steps:

1. If a BGE interface is installed on the machine, make sure that patch IDR123068-01 is not installed. To do so, type the `showrev -p | grep IDR123068` command. If the patch is installed, remove it.
2. Install patch 118833-23 or higher (publicly available from Sun).
3. Download the fw1boot.zip file and unzip it.
4. Run the `dos2unix fw1boot.txt fw1boot` command to convert the fw1boot file to UNIX format.
5. Replace the $FWDIR/boot/fw1boot file with the file downloaded in step 3.
6. Issue the `chmod 755 $FWDIR/boot/fw1boot` command.
7. Reboot the machine.

---

Regards
Marcel
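An added example, not part of the thread and not Check Point or Sun code: a Bourne-style shell check for the patch conditions in the steps quoted above, plus a check that the `push_fwip_module udp fwip` call commented out in the earlier workaround posts is active again in the replaced fw1boot. The function names and the sample text are constructed for illustration, and the `Patch: <id>-<rev> ...` line layout of `showrev -p` is an assumption of the parser.

```sh
#!/bin/sh
# Added example; function names are hypothetical.
# Backticks and sed only, to stay within classic Bourne shell syntax.

MIN_KERNEL_REV=23   # "118833-23 or higher" in the quoted steps

# Constructed sample in the assumed `showrev -p` layout (not from a real host).
SAMPLE_SHOWREV='Patch: 118833-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 118833-23 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 118822-30 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# stdin: `showrev -p` output. Prints the highest installed revision of patch $1.
highest_rev() {
    sed -n "s/^Patch: $1-\([0-9][0-9]*\) .*/\1/p" | sort -n | sed -n '$p'
}

# stdin: `showrev -p` output. Returns 0 when the patch state matches the steps,
# 1 otherwise; one finding per line is written to stdout.
check_patches() {
    input=`cat`
    rc=0
    if printf '%s\n' "$input" | grep IDR123068 >/dev/null; then
        echo "FAIL: IDR123068 is installed"
        rc=1
    fi
    rev=`printf '%s\n' "$input" | highest_rev 118833`
    if [ -z "$rev" ]; then
        echo "FAIL: patch 118833 not found"
        rc=1
    elif [ "$rev" -lt "$MIN_KERNEL_REV" ]; then
        echo "FAIL: 118833-$rev is older than 118833-$MIN_KERNEL_REV"
        rc=1
    else
        echo "OK: 118833-$rev"
    fi
    return $rc
}

# stdin: contents of fw1boot. Returns 0 when the UDP autopush call is active,
# 1 when it is missing or still commented out from the earlier workaround.
udp_autopush_active() {
    grep '^[[:space:]]*push_fwip_module udp fwip[[:space:]]*$' >/dev/null
}

# On the firewall itself (path as given in the quoted steps):
#   showrev -p | check_patches
#   udp_autopush_active < "$FWDIR/boot/fw1boot" || echo "fwip autopush disabled"
```

A firewall that boots with the UDP autopush call still commented out comes up without the fwip module pushed under UDP, so the second check is worth running after the new fw1boot is in place.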
| |||
```sh
#!/sbin/sh
# $RCSfile: S25fw1boot.sh,v $ $Revision: 1.14.4.3.8.1 $ $Date: 2003/11/05 12:57:31 $

echo FireWall-1 boot security configuration:

if [ -z "$FW_BOOT_DIR" ]
then
#	echo "FW_BOOT_DIR undefined. Using /etc/fw.boot"
	FW_BOOT_DIR=/etc/fw.boot
fi

if [ -z "$PPK_BOOT_DIR" ]
then
	PPK_BOOT_DIR=/etc/ppk.boot
fi

if [ -c /dev/securexl0 ]
then
	$PPK_BOOT_DIR/bin/sim installin
	sim_ap="securexl"
else
	sim_ap=""
fi

export FW_BOOT_DIR # needed for bootconf
export PPK_BOOT_DIR # needed for bootconf

ifdevlist=$FW_BOOT_DIR/ifdev
dbg_on=0

dbg() {
	if [ $dbg_on -eq 1 ] ; then
		eval $*
	fi
}

true() {
	return 0
}

apverify() {
	if [ $2 -ne -1 ] ; then
		echo "FW-1: WARNNING $1 has autopush configuration which is not ALL:"
		echo $*
		echo "FW-1: Aborting $0 ..."
		exit
	fi
}

ap_cmd="$FW_BOOT_DIR/fwboot ap"
fwipfwdoff="$FW_BOOT_DIR/fwboot ipforwarding_off"
fwbootd="$FW_BOOT_DIR/fwboot bootd"
fwifdev="$FW_BOOT_DIR/fwboot ifdev $ifdevlist"
fwdevname="$FW_BOOT_DIR/fwboot fwdevname"
bootconf="$FW_BOOT_DIR/fwboot bootconf"

os_inet6_installed=1

FW1_BOOTSEC=`$bootconf get_def`
FW1_DOIPFWD=`$bootconf get_ipf`
if [ `$bootconf get_ipv6` -eq 1 -a ${os_inet6_installed} -eq 1 ]; then
	IPV6_INSTALLED=1
else
	IPV6_INSTALLED=0
fi

fwdefault="$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC"

if [ ${FW1_DOIPFWD:-1} -ne 0 ]; then
	echo FW-1: Disabling IP forwarding
	$fwipfwdoff
fi

if [ ${FW1_BOOTSEC:-0} != "0" ]; then
	echo FW-1: Loading default filter
	( unset FWDIR ; $fwdefault )
fi

echo FW-1: Loading I/F device list:" \c"
$fwifdev

echo FW-1: Starting bootd": \c"
$fwbootd

push_fwip_module() {
	ap_udp_save=`$ap_cmd -g $1 0`
	ap_udp_fw=`$ap_cmd -g $1 0 1 $2`
	if [ $? -ne 0 ] ; then
		echo "FW-1: Nothing is pushed on $1"
	else
		apverify $1 $ap_udp_save
		dbg echo $ap_cmd -r $1 0
		$ap_cmd -r $1 0
	fi
	dbg echo $ap_cmd -a $1 $ap_udp_fw
	if $ap_cmd -a $1 $ap_udp_fw ; then
		dbg echo $1 `$ap_cmd -g $1 0`
	else
		echo FW-1: $1 autopush failed: resetting ...
		if $ap_cmd -g $1 0 >/dev/null 2>&1 ; then
			dbg echo $ap_cmd -r $1 0
			$ap_cmd -r $1 0
		fi
		dbg echo $ap_cmd -a $1 $ap_udp_save
		$ap_cmd -a $1 $ap_udp_save
		dbg echo $1 `$ap_cmd -g $1 0`
		exit
	fi
}

push_fw_over_interface() {
	while read ifdev ifoptions ; do
		if [ "$ifdev" = "#" -o "$ifdev" = "" ] ; then
			true
		else
			real_dev=`$fwdevname $ifdev`
			if [ $? -ne 0 ] ; then
				continue
			fi
			$ap_cmd -e $real_dev $1 >/dev/null 2>&1
			if [ $? -eq 17 ] ; then
				continue
			fi
			if $ap_cmd -g $real_dev 0 >/dev/null 2>&1 ; then
				ap_if_save=`$ap_cmd -g $real_dev 0`
				ap_if_fw=`$ap_cmd -g $real_dev 0 0 $2 $1`
				apverify $real_dev $ap_if_save
				dbg echo $ap_cmd -r $real_dev 0
				$ap_cmd -r $real_dev 0
			else
				if [ $? -ne 19 ] ; then
					continue
				fi
				ap_if_save=""
				ap_if_fw="-1 0 $2 $1"
			fi
			echo FW-1: Autopushing over $real_dev
			dbg echo $ap_cmd -a $real_dev $ap_if_fw
			if $ap_cmd -a $real_dev $ap_if_fw ; then
				dbg echo $real_dev `$ap_cmd -g $real_dev 0`
			else
				echo FW-1: $real_dev autopush failed: resetting ...
				if $ap_cmd -g $real_dev 0 >/dev/null 2>&1 ; then
					dbg echo $ap_cmd -r $real_dev 0
					$ap_cmd -r $real_dev 0
				fi
				if [ "X$ap_if_save" != "X" ] ; then
					dbg echo $ap_cmd -a $real_dev $ap_if_save
					$ap_cmd -a $real_dev $ap_if_save
				fi
				dbg echo $real_dev `$ap_cmd -g $real_dev 0`
			fi
		fi
	done < $ifdevlist
}

echo FW-1: Autopushing under UDP
push_fwip_module udp fwip
if [ ${IPV6_INSTALLED:-0} -ne 0 ]; then
	echo FW-1: Autopushing under UDP6
	push_fwip_module udp6 fwip6
fi

echo FW-1: Autopushing over network interface drivers
push_fw_over_interface fw $sim_ap
if [ ${IPV6_INSTALLED:-0} -ne 0 ]; then
	push_fw_over_interface fw6
fi

# Solaris 10 must call other startup scripts that where found
# in /etc/rcS.d
if [ `uname -r` = "5.10" ]; then
	if [ -f /etc/rcS.d/S29cphaboot ]; then
		mv -f /etc/rcS.d/S29cphaboot $FW_BOOT_DIR/cphaboot
	fi
	if [ -f $FW_BOOT_DIR/cphaboot ]; then
		$FW_BOOT_DIR/cphaboot
	fi
fi
```
| |||
| Thanks for this info. These issues have made me keep my firewalls on Solaris 9 for now (I need to upgrade my JASS scripts for Solaris 10 too). This will be a big help. Sean |