
Nokia IP530 cannot connect with Checkpoint GUI policy editor client 1


kopauk (MIS)
Aug 24, 2007
Hi,

I have a Nokia IP530 FW that has been running fine for the last couple of months. I could connect to the IP530 with the Checkpoint Policy Editor GUI last month, but suddenly I cannot connect to it by GUI anymore. I have already checked the allowed GUI client list on the IP530 and the management client PC IP is there. Port 18190 is listening on the IP530. When I try to connect with the GUI client it says it cannot connect and to make sure the service is running, blah blah. I don't have much experience with Nokia and Checkpoint. I would appreciate your expert advice on what I should do next.
Thanks
 
What was the last change you made to the FW? Are you the only person with access to the FW?

Try a fw unloadlocal; then you should be able to access the FW via the GUI. Check the rules, make sure the stealth rule is not above any management access rule, then push the policy and see what happens.
 
I didn't change anything in the rules. The other person who can access the firewall did not do anything the last time he accessed it (according to him). That firewall box is in production. I want to know: by issuing the command "fw unloadlocal" on the Nokia box, will it cause a problem with the policy loaded for the server behind it?
Following is the output of the fw stat command:
HOST POLICY DATE
localhost FW02092007B 5Aug2007 6:44:29 : [<eth1c0] [>eth-s1p4c0] [<eth-s1p4c0] [>eth-s1p1c0] [<eth-s1p1c0] [>eth-s1p3c0] [<eth-s1p3c0]
 
Is the IP530 a standalone config (management and enforcement)? Or is it distributed (enforcement or management only)? And which one is it?

If the IP530 is enforcement only:
fw unloadlocal will unload the policy off the IP530. Before you do that, check your FW policy to see if you're able to connect to it, i.e. is your PC's IP address allowed to access it?

If the IP530 is the management or in standalone:
Then console into the box or SSH/Telnet in and check your hard disk space. If you don't keep your hard disk clear it will lock you out; once you've cleared it, it's fine. It happened to us by having SmartReporter running and log files growing too large.
If that's not it,
from console/ssh/telnet run a cpconfig and confirm that the permitted IPs are there for your PC.

Then if those aren't it, schedule a time to do the fw unloadlocal, as it should create an outage. Then you'll want to have it load the policy; I believe the command is fw fetch <ip address of the mgmt server>, or you could just do a cprestart, which will restart the Checkpoint services and in doing so fetch the policy. Watch for errors.

Good luck
 
Thanks for the response. I am new to Checkpoint and Nokia. On the Windows XP workstation, I see only Checkpoint management clients. And on the Nokia, I see *.W and *.pf files under the /var/opt/CPfw1-50-02/conf folder. I already checked the file gui-clients and the Windows XP PC IP is in there. I did verify with cpconfig and it is included. I can telnet to the Nokia IP on port 18190 and it does respond to the telnet command. But when I start the client from the Windows box, "cannot connect blah blah" comes out. It used to get a connection.
I just want to know: if I run fw unload localhost and then fw load FW02092007B, will I get back to the current state? I don't want to break the current status before I make any changes.
Thanks
 
If you do fw unloadlocal the policy will be removed; if you then do a fw load FW02092007B it will attempt to load the FW policy. Depending on what was changed or broke, it may or may not fix it.

You never answered my question regarding whether it was a standalone or distributed configuration. If there is an issue with the SIC keys then unloading and loading the policy won't work, but SIC keys are only used in the distributed configuration as far as this goes.

Have you checked disk space? It sounds silly, but if your log files fill up your hard disk it will give you that "services up and running" error message.

 
Thanks for your reply. Following is the output from disk usage:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0f 396952 190565 174631 52% /
/dev/wd0a 38193 28 35110 0% /config
/dev/wd0d 14950231 633983 13120230 5% /var
/dev/wd0e 2563618 294832 2063697 13% /opt
procfs 4 4 0 100% /proc

And I think there is no disk issue.
About the distributed configuration, I am new to Nokia and Checkpoint and I cannot answer exactly. It is a standalone Nokia box and the management client is on a Windows XP box.
I really appreciate your help.

Thanks again
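Two of the pre-flight checks suggested in this thread, hard disk capacity and whether the management PC is listed in $FWDIR/conf/gui-clients, can be scripted instead of eyeballed. The script below is an added example, not code from the thread, from Nokia or from Check Point; it parses the df output posted above and a constructed gui-clients file so it runs offline. The 90% threshold, the sample client addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): offline versions of two checks raised
# above, run against constructed sample text rather than a live IPSO box.

# Constructed sample: the df output posted in the thread.
SAMPLE_DF='Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0f 396952 190565 174631 52% /
/dev/wd0a 38193 28 35110 0% /config
/dev/wd0d 14950231 633983 13120230 5% /var
/dev/wd0e 2563618 294832 2063697 13% /opt
procfs 4 4 0 100% /proc'

# Constructed sample of a $FWDIR/conf/gui-clients file (one client per line;
# the addresses are placeholders).
SAMPLE_GUI_CLIENTS='10.0.0.25
192.168.1.10'

# full_filesystems THRESHOLD DF_TEXT
# Prints the mount points whose Capacity column is at or above THRESHOLD
# percent. The header line is skipped, as is procfs, which always reports
# 100% and is not real storage, so it cannot be what locks you out.
full_filesystems() {
  threshold=$1
  printf '%s\n' "$2" | awk -v t="$threshold" '
    NR == 1 { next }
    $1 == "procfs" { next }
    { pct = $5; sub(/%/, "", pct); if (pct + 0 >= t) print $6 }'
}

# gui_client_allowed IP GUI_CLIENTS_TEXT
# Returns 0 when IP appears as a whole line in the gui-clients contents
# (a substring match would wrongly accept 192.168.1.1 for 192.168.1.10).
gui_client_allowed() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Usage: run both checks against the constructed samples.
if [ -z "$(full_filesystems 90 "$SAMPLE_DF")" ]; then
  echo "disk: nothing at or above 90%, disk space is not the cause"
else
  echo "disk: filesystems at or above 90%:"
  full_filesystems 90 "$SAMPLE_DF"
fi
if gui_client_allowed 192.168.1.10 "$SAMPLE_GUI_CLIENTS"; then
  echo "gui-clients: 192.168.1.10 is permitted"
else
  echo "gui-clients: 192.168.1.10 is NOT permitted, add it via cpconfig"
fi
```

On a live box the same functions would take `df -k` and `cat $FWDIR/conf/gui-clients` as their second argument; the thresholds are a judgement call, but anything approaching 100% on / or /var is the condition the thread describes.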
 
Your log files are in the following directory:
FW1[admin]# cd $FWDIR/log
FW1[admin]# pwd
/var/opt/CPfw1-50-04/log

Go to this folder and do an ls to see if you have logswitch enabled. If you do, you'll see *.log files that are date stamped. If you do not, you'll need to enable it and configure the logs to be deleted.

I would recommend that you go to support.checkpoint.com and download the guides for your version of Checkpoint, and find out if you have a login ID for support.nokia.com so you can download the user guides for the IPSO version you're running.

Good luck
 
Do you have OOB access to the FW or is the access in-band? If you have OOB access then you will be able to access the FW fine via either Voyager or the CLI.
 
I have Voyager and telnet access to the Nokia. Can you guide me more on how to change the rule without the GUI client?
 
From the CLI run cpconfig, then add yourself as an administrator and add your PC as a GUI client; this should give you access to the FW.
 