[FW1] Log from a FloodGate-1 module
Hi,

I have a problem with a configuration with 2 Nokia IP440. The first one has the management, firewall and FloodGate modules installed and the second only the firewall and FloodGate modules. When I want to log the FloodGate events (with the option 'Turn on Traffic Control Logging' in the VPN tab) of the second one, I get the following message:

    "connection broken while communicating with fw1 for ssl_opsec"

I checked the "control.map" but nothing seems strange, and I saw an interesting white paper from Nokia (see below) explaining that the problem could be in the "fwopsec.conf", but I don't know how to configure each file (the management one and the secondary one). Any help on this problem would be appreciated.

Vincent ROY

------------------------------------------------
Resolution 3723
Error: Authentication with x for command ssl_opsec failed
FloodGate, for version:
last update: 09/21/2000 14:34:28

This error message comes up during 'etmstart' while fetching the bandwidth policy from the Management Module.

SOLUTION

These messages are generated because you have selected "Turn on Traffic Control Logging" under the VPN tab of the Firewall workstation properties, but have not set up the 'fwopsec.conf' files in the proper format for collecting the logs from the FloodGate Module to the FloodGate Management Module.

The FloodGate-1 Management Server can make one of the following types of connections with the FloodGate Module:

1. Clear connection
   The FloodGate-1 Management Server and the FloodGate Module can transfer data without any restrictions.

2. Authenticated connection
   The FloodGate-1 Management Server and the FloodGate Module must verify each other's identities before any data can be transferred. A shared key, exchanged by 'fw putkey', is used to authenticate the FloodGate-1 Management Server with the FloodGate Module.

3. Encrypted connection (using SSL - Secure Socket Layer)
   The data transferred between the FloodGate Module and the FloodGate-1 Management Server is encrypted using a 3DES key. This is done only after the FloodGate Module is authenticated with the FloodGate-1 Management Server.

If the Firewall Module does not have the 3DES feature enabled, the 'ssl_opsec' method cannot be used, hence you have to modify 'opsec.conf' to use either 'Clear connection' or 'auth_opsec'.

Here are examples of the 'opsec.conf' file for all the above 3 types:

1. For an encrypted connection

    ela_proxy auth_port 18187
    ela_proxy auth_type ssl_opsec
    ela_proxy fwd_machine localhost

2. For an authenticated connection

    ela_proxy auth_port 18187
    ela_proxy auth_type auth_opsec
    ela_proxy fwd_machine localhost

3. For a Clear connection

    ela_proxy auth_port 18187
    ela_proxy fwd_machine localhost

NOTE:
1. If either the 'auth_opsec' or 'ssl_opsec' method is used, make sure you have performed a successful 'putkey' operation on the Modules.
2. The ELA Proxy must be restarted on the Management Module after the 'putkey' operation.
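A small checker for the three 'ela_proxy' variants described in the resolution above, added here as an illustration and not part of the original post or of Check Point's or Nokia's tooling. It assumes the three-token 'ela_proxy <key> <value>' line format shown in the examples, treats a missing 'auth_type' as a clear connection, and lists the prerequisites the resolution names for each mode (putkey for auth_opsec/ssl_opsec, 3DES for ssl_opsec); the sample input is constructed.

```python
"""Classify the ELA-proxy connection mode of an fwopsec.conf fragment."""

# Mode -> prerequisites the quoted resolution names for that mode.
PREREQUISITES = {
    "clear": [],
    "auth_opsec": ["successful 'fw putkey' on the modules",
                   "restart the ELA proxy on the management module"],
    "ssl_opsec": ["3DES feature enabled on the firewall module",
                  "successful 'fw putkey' on the modules",
                  "restart the ELA proxy on the management module"],
}


def parse_fwopsec(text):
    """Return {key: value} for the 'ela_proxy' lines of a config text.

    Blank lines and '#' comments are skipped; other services are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ela_proxy":
            settings[parts[1]] = parts[2]
    return settings


def classify(text, has_3des=True):
    """Return (mode, problems, prerequisites) for one module's config."""
    s = parse_fwopsec(text)
    mode = s.get("auth_type", "clear")   # absent auth_type => clear
    problems = []
    if mode not in PREREQUISITES:
        return mode, ["unknown auth_type %r" % mode], []
    for key in ("auth_port", "fwd_machine"):
        if key not in s:
            problems.append("missing ela_proxy %s" % key)
    if mode == "ssl_opsec" and not has_3des:
        problems.append("ssl_opsec needs 3DES; use auth_opsec or clear")
    return mode, problems, PREREQUISITES[mode]


# Constructed sample: the encrypted variant from the resolution.
SAMPLE_SSL = """\
ela_proxy auth_port 18187
ela_proxy auth_type ssl_opsec
ela_proxy fwd_machine localhost
"""

if __name__ == "__main__":
    print(classify(SAMPLE_SSL, has_3des=False))
```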