CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Posted 2005-08-13 by BarryStiefel (Administrator)

Has only loopback (lo) interface, aborting...



When attempting to install a policy, I get the following error message:

    Installing Security Policy foobar on all.all@firewall
    Has only loopback (lo) interface, aborting...
    Failed to Load Security Policy: No such file or directory
    Fetching Security Policy from firewall failed

Answer

It is possible that FireWall-1 has no clue about any of the interfaces that are loaded. You can force FireWall-1 to refresh its interface list by uninstalling and reinstalling the kernel module as follows:

    fw ctl uninstall
    fw ctl install
    fw fetch localhost

You should also check the Interfaces tab on the workstation object representing your firewall. If the interfaces listed are incorrect or missing, perform an SNMP Get and reset Anti-Spoofing as appropriate. You should then be able to install your policy.



This error may also be caused by backing out a service pack on Solaris (SPARC and i386). If the back-out process fails, /etc/init.d/fw1boot and /etc/init.d/fw1bootd may not be restored correctly. As a result, FireWall-1 may give an error saying it recognizes only the loopback interface. A workaround is to back up the files /etc/init.d/fw1boot and /etc/init.d/fw1bootd before backing out the service pack and restore them after backing out the service pack.

This error may also come up because the FireWall-1-specific startup scripts are either non-existent or are symlinks on a Solaris platform (for some reason, these don't work right). A copy of /etc/init.d/fw1bootd should be in /etc/rc2.d/S00fw1bootd and a copy of /etc/init.d/fw1boot should be named /etc/rcS.d/S25fw1boot.

This error message may also come up as a result of missing a dumb terminal definition in terminfo (happens frequently on Solaris), which can easily be fixed as follows:



# cd /usr/share/lib/terminfo

# cp v/vt100 d/dumb

Another person suggested moving $FWDIR/conf/product.conf to $FWDIR/conf/inst.conf and re-running fwconfig or cpconfig. You should also check to see that /etc/fwboot/if.dev has the correct interface types listed there. This can happen when re-running fwconfig or cpconfig. A person from Check Point explains the "accept" or "deny" in this file:

"The deny/accept sets only the way the FW talks to the driver. If it will use DLPI or not. DLPI is supported on some adapters, and not supported by others. If you would change all the 'deny' to 'accept' you could have extremely odd behaviour with the FW. It is best not to touch the file, and if cpconfig asks you about cards that do not appear in the file, it is recommended that if in doubt about the capabilities of the NIC you should choose to deny DLPI."





-- RobertGraham - 16 Mar 2004
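
The file-level causes listed in this FAQ can be checked in one read-only pass before reinstalling anything. The script below is an added example, not part of the original FAQ and not Check Point code; the function names and the ROOT prefix argument are hypothetical, and the byte-for-byte comparison of each boot script against its init.d source is an assumption about what "a copy" should mean. It only confirms that /etc/fwboot/if.dev exists and is non-empty; whether the interface types in it are correct still has to be checked by hand.

```sh
#!/bin/sh
# Added example, not Check Point code. Read-only: nothing is modified.
# Needs a POSIX shell; older Solaris /bin/sh is a Bourne shell, so run it
# with /usr/xpg4/bin/sh or ksh there.
# ROOT (hypothetical parameter) lets the checks run against a copied tree.

findings=0
report() { echo "$1"; findings=$((findings + 1)); }

# A boot script must exist as a regular-file copy of its init.d source.
check_copy() {
    src="$1"; dst="$2"
    [ -f "$src" ] || report "MISSING $src"
    if [ -h "$dst" ]; then
        report "SYMLINK $dst (the FAQ says this must be a copy)"
    elif [ ! -f "$dst" ]; then
        report "MISSING $dst"
    elif [ -f "$src" ] && ! cmp -s "$src" "$dst"; then
        # Assumption: a valid copy is byte-identical to the init.d script.
        report "DIFFERS $dst is not identical to $src"
    fi
}

# Prints one line per finding; exit status is the number of findings.
check_fw1_boot() {
    root="${1:-}"
    findings=0
    check_copy "$root/etc/init.d/fw1bootd" "$root/etc/rc2.d/S00fw1bootd"
    check_copy "$root/etc/init.d/fw1boot"  "$root/etc/rcS.d/S25fw1boot"
    # Missing dumb terminal definition in terminfo.
    [ -f "$root/usr/share/lib/terminfo/d/dumb" ] ||
        report "MISSING $root/usr/share/lib/terminfo/d/dumb"
    # Interface type list the FAQ says to verify (presence only).
    [ -s "$root/etc/fwboot/if.dev" ] ||
        report "MISSING_OR_EMPTY $root/etc/fwboot/if.dev"
    return "$findings"
}
```

Call check_fw1_boot with no argument to check the live system, or with a directory prefix to check a restored backup before copying files into place.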
