Summary


All FireWall-1 administrators with Nokia firewalls need to know basic tasks such as installing and upgrading the Check Point FireWall-1 software packages. If you never upgrade your firewall, you could be at risk from known vulnerabilities in your release that have been resolved in newer patches. In this chapter we provided the tools necessary to complete these tasks so that you can continue to secure your organization with Check Point FireWall-1 on Nokia.

Preparation is always key to a successful upgrade or install. With FireWall-1, you need to obtain licenses, configure a hosts entry, and possibly upgrade the IPSO image on your Nokia before you can begin with Check Point. It's also very important to read all release notes available before you install new software.

Once you have the software installed on IPSO, you then need to enable it. If you are running Check Point NG, you will first need to enable the SVN Foundation, Apply and Save your configuration, and then enable the VPN-1/FireWall-1 packages. When you enable packages through the Manage Installed Packages configuration screen, the file /var/etc/pm_profile is updated with appropriate environment variables. This means that you will have to log in again to the Nokia after the packages are enabled to receive the correct shell environment. The next step in configuring the firewall is to run cpconfig. The first run of this utility will prompt you for the type of install (stand-alone or distributed), licenses, administrators, management clients, ICA initialization, and SIC password (firewall module only), and then finally to reboot. You can reconfigure your firewall at any time by running cpconfig again, which will provide you with a menu to choose the option you want to edit.

After configuring Check Point, you need to verify that you can log in with the management clients and push a policy. You should also test fetching a policy to ensure that the firewall will operate properly during a reboot. If you have any problem doing these things, work through the following checks: verify that the firewall is running on the module with the command ps -auxw | grep fw; try unloading the policy from the console with the command fw unloadlocal; ensure that there is connectivity between the management server and the module by checking cables and testing with ping; and check that SIC is configured properly.

Once you have a running FireWall-1 installation, you eventually need to upgrade your firewall software to stay up to date. Whenever you are upgrading the firewall in IPSO, you must first upgrade your IPSO image to one compatible with the new software. The next step is to get the new firewall package downloaded to your Nokia, and then run newpkg -i to start the upgrade. Choose the option to upgrade from an old version (as opposed to install, which will not copy over your configuration), and then choose the old FireWall-1 package that you are upgrading from. If you're upgrading from 4.1 to NG, run your configuration through an upgrade verifier utility provided by Check Point to see if there are any configuration issues that you can sort out before you upgrade the management server. The recommended upgrade path is to go from 4.1 SP-6 to NG FP2 via the wrapper package (which installs FP1 first) and then to NG FP3.




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
