Sunday, January 23, 2011

Even after redoing the putkeys nothing changed. What's going on?

For some reason, the firewall module is not recognizing the management console as what it is: the management console. This can happen when the management console is defined in the GUI with a different IP address than the one in the hosts file on the firewall and on the management console. Correcting the network object and/or the hosts file (and possibly redoing the putkeys) should solve the problem.

If this does not work, look at the $FWDIR/lib/control.map file on the firewall module (the following is more or less the "default" control.map file):

MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1

What does this file mean?

1. When my master talks to me (a master being any host listed in $FWDIR/masters), I will:
  • Allow stat, getkey, and gettopo functions without authentication. 
  • Require fwn1 authentication for opsec-related functions. 
  • Require fwa1 authentication for all other functions. 

2. As a client talking to my master (or as a master talking to one of the managed firewalls), I expect to:
  • Authenticate with fwa1 for load, db_download, fetch, and log functions. 
  • Authenticate with fwn1 for opsec-related functions. 
  • Not authenticate for any other function. 

3. When talking to all other hosts (or when other hosts talk to me), I will:
  • Give (or require) no authentication for stat, getkey, and gettopo functions. 
  • Deny the unload, ioctl, load, and db_download functions. 
  • Give (or require) fwn1 authentication for opsec-related functions. 
  • Give (or require) fwa1 authentication for all other functions. 


To resolve this, you will need to modify the control.map file on the remote firewall. Make a copy of the SERVER line (shown as MASTERS in the control.map above), replacing the keyword with the IP address of the management console (e.g. a.b.c.d). Place the new line between the existing SERVER/MASTERS line and the CLIENT line, so the file looks like this:

MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
a.b.c.d :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1

This new line means that whenever the firewall communicates with a.b.c.d, it will:

  • Allow (or request) stat, getkey, and gettopo functions without authentication. 
  • Require (or give) fwn1 authentication for opsec-related functions. 
  • Require (or give) fwa1 authentication for all other functions. 

Because this file is processed in order, the order of the lines in control.map is important: the new line must come before the "*" line, or the "*" line will match first and the load will still be denied. Bounce the remote firewall (fwstop; fwstart) and attempt to load the security policy; it should now succeed.
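To make the line-ordering point concrete, here is a small model of how control.map is consulted, written as an added example for this post; it is not Check Point code and not part of the original article. It parses the three-line "default" file quoted above, inserts a line for the management console's address (10.0.0.1 is a constructed stand-in for a.b.c.d), and shows what authentication the firewall demands for a policy load before and after the fix, and when the new line is mistakenly placed after the "*" line. The matching rules are an assumption made for the model: the first line whose key matches the peer decides, and within that line the first group naming the function (or the "*" group) gives the method.

```python
"""Toy model of how $FWDIR/lib/control.map is consulted (added example).

File format as described in the post: one entry per line,
``KEY :funcs/auth funcs/auth ...`` where funcs is a comma-separated list
and ``*`` is a wildcard, both as a key and as a function name.
Assumption (not stated by the post): the first line whose key matches
the peer applies, and within it the first group naming the function
(or the ``*`` group) gives the authentication method.
"""

# Constructed sample: the "default" control.map quoted in the post.
DEFAULT_MAP = """\
MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
"""

MGMT_IP = "10.0.0.1"  # constructed placeholder standing in for a.b.c.d
MGMT_LINE = f"{MGMT_IP} :stat,getkey,gettopo/none opsec/fwn1 */fwa1\n"

# Constructed sample: the fix from the post, new line between MASTERS and CLIENT.
FIXED_MAP = DEFAULT_MAP.replace("CLIENT :", MGMT_LINE + "CLIENT :")

# Constructed sample: the same line appended after the "*" catch-all instead.
WRONG_ORDER_MAP = DEFAULT_MAP + MGMT_LINE


def parse_control_map(text):
    """Return [(key, [(set_of_functions, auth), ...]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        groups = []
        for group in rest.split():
            funcs, _, auth = group.partition("/")
            groups.append((set(funcs.split(",")), auth))
        entries.append((key.strip(), groups))
    return entries


def required_auth(entries, peer_ip, function, masters=(), clients=()):
    """Authentication the firewall demands from peer_ip for `function`.

    MASTERS matches hosts in $FWDIR/masters, CLIENT matches the client
    list, a literal address matches exactly, and * matches anyone.
    Returns None if no line applies.
    """
    for key, groups in entries:
        if key == "MASTERS":
            matched = peer_ip in masters
        elif key == "CLIENT":
            matched = peer_ip in clients
        elif key == "*":
            matched = True
        else:
            matched = key == peer_ip
        if not matched:
            continue
        for funcs, auth in groups:
            if function in funcs or "*" in funcs:
                return auth
        return None  # line matched the peer but named no applicable function
    return None


def demo():
    """Policy load from the management console under the three files.

    The firewall's $FWDIR/masters holds a stale address (constructed), so
    the console's real address never matches the MASTERS line.
    """
    stale_masters = {"10.0.0.2"}
    before = required_auth(parse_control_map(DEFAULT_MAP), MGMT_IP, "load", stale_masters)
    after = required_auth(parse_control_map(FIXED_MAP), MGMT_IP, "load", stale_masters)
    misplaced = required_auth(parse_control_map(WRONG_ORDER_MAP), MGMT_IP, "load", stale_masters)
    return before, after, misplaced


if __name__ == "__main__":
    print("load before fix: %s, after fix: %s, line placed after '*': %s" % demo())
```

Running it shows the load hitting the "*" line's deny group in the default file, being accepted with fwa1 once the address line sits above "*", and being denied again when the same line is appended at the end, which is exactly why the post insists on placing it between the MASTERS and CLIENT lines.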

If you're still having problems, see Can't Get Putkeys to Work.
