
Barry J. Stiefel
2005-08-13, 13:48
Failed to install security policy: Unauthorized action



(Relevant to FireWall-1 4.1 and earlier only)

I get the following message when I try to install my security policy from my management console to my remote firewall module:

    Installing Security Policy /etc/fw/conf/external0.1.pf on all.all@fw62bs01
    Authentication for command load failed
    Failed to Install Security Policy on fw62bs01: Unauthorized action

I've tried redoing the putkeys with no luck. What's going on?

For some reason, the firewall module is not recognizing the management console as its management console. This is usually because the management console is described in the GUI with a different IP address than the one in the hosts file on the firewall module and the management station. Correcting the network object and/or the hosts file (and possibly re-doing the putkeys) should solve the problem.

If this does not work, look at the $FWDIR/lib/control.map file on the firewall module (this is more or less the "default" control.map file). Note that if you are using a FireWall-1 4.1 management console to manage a 4.0 firewall module, you may also need to edit the control.map file contained within your backward compatibility directory as well.

    MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
    CLIENT  :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
    *       :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1

What does this file mean?

When my master talks to me (as defined in $FWDIR/masters), I will:

Allow stat, getkey, and gettopo functions without authentication
Require fwn1 authentication for opsec-related functions.
Require fwa1 authentication for all other functions.

As a client talking to my master (or as a master talking to one of the managed firewalls), I expect to:

Authenticate with fwa1 for load, db_download, fetch, and log functions.
Authenticate via fwn1 for opsec-related functions.
Not authenticate for other functions.

When talking to all other hosts (or other hosts talking to me), I will:

Give (or require) no authentication for stat, getkey, and gettopo functions.
Deny unload, ioctl, load, and db_download functions outright (no authentication method is acceptable).
Give (or require) fwn1 authentication for opsec-related functions.
Give (or require) fwa1 authentication for all other functions.



To resolve this, you will need to modify the control.map file on the remote firewall. Make a copy of the MASTERS line (the first line of the file), replacing the word "MASTERS" with the IP address of the management console (e.g. a.b.c.d). Place the new line between the existing MASTERS line and the CLIENT line, so the file looks like this:

    MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
    a.b.c.d :stat,getkey,gettopo/none opsec/fwn1 */fwa1
    CLIENT  :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
    *       :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1

This new line means that when communication takes place with a.b.c.d, the module will:

Allow (or request) stat, getkey, and gettopo functions without authentication.
Require (or give) fwn1 authentication for opsec-related functions.
Require (or give) fwa1 authentication for all other functions.

Because this file is processed top to bottom and the first matching line wins, the order of the lines in control.map is important: the a.b.c.d line must come before the "*" line, or the "*" line will still deny the load. Restart FireWall-1 on the remote module (fwstop; fwstart), then attempt to load the security policy again; it should now succeed.
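The following is an added example (not part of the original FAQ or of FireWall-1 itself) that parses a control.map in the format shown above and resolves which authentication method a peer/command pair falls under. The first-match semantics for MASTERS, CLIENT, a literal address and "*" are my reading of the FAQ's description, and the addresses are constructed: the module's $FWDIR/masters names 10.0.0.1, while the console actually connects from 10.0.0.2, reproducing the "Authentication for command load failed" situation and showing why the fix line must sit above the "*" line.

```python
"""Resolve the control.map authentication method for a peer and command."""

# Constructed copy of the default control.map quoted in the FAQ.
DEFAULT_MAP = """\
MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT  :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
*       :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
"""


def parse_control_map(text):
    """Return [(peer_key, [(command_list, auth_method), ...]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rules = line.partition(":")
        parsed = [(cmds.split(","), auth) for cmds, _, auth in
                  (rule.partition("/") for rule in rules.split())]
        entries.append((key.strip(), parsed))
    return entries


def required_auth(entries, peer, command, masters, direction="inbound"):
    """First peer line that matches wins; within it, the first command entry wins.

    masters: set of addresses listed in $FWDIR/masters (assumption: MASTERS matches
    inbound traffic from them, CLIENT matches outbound traffic to them)."""
    for key, rules in entries:
        if key == "MASTERS":
            matched = direction == "inbound" and peer in masters
        elif key == "CLIENT":
            matched = direction == "outbound" and peer in masters
        else:
            matched = key == "*" or key == peer
        if not matched:
            continue
        for cmds, auth in rules:
            if "*" in cmds or command in cmds:
                return auth
    return "deny"  # assumption: no matching entry means the command is refused


def demo():
    masters, console = {"10.0.0.1"}, "10.0.0.2"          # constructed mismatch
    fix_line = f"{console} :stat,getkey,gettopo/none opsec/fwn1 */fwa1\n"
    fixed = DEFAULT_MAP.replace("CLIENT", fix_line + "CLIENT", 1)   # above "*"
    too_late = DEFAULT_MAP + fix_line                                # below "*"
    return {
        "default": required_auth(parse_control_map(DEFAULT_MAP), console, "load", masters),
        "fixed": required_auth(parse_control_map(fixed), console, "load", masters),
        "after_star": required_auth(parse_control_map(too_late), console, "load", masters),
        "real_master": required_auth(parse_control_map(DEFAULT_MAP), "10.0.0.1", "load", masters),
    }
```

demo() returns "deny" for the unrecognised console against the default file, "fwa1" once the console line is inserted above "*", "deny" again if the line is appended after "*", and "fwa1" for a load from the address actually listed in masters.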

If you're still having problems, see CantGetPutkeysToWork (http://www.phoneboy.com/bin/view.pl/FAQs/CantGetPutkeysToWork) .

-- GuyR (http://www.phoneboy.com/bin/view.pl/Main/GuyR) - 08 Jan 2004
