
PolicyEditor- "cannot connect to server"


Guest_imported

I am running Checkpoint 4.1 on a Nokia IP400 box. All of a sudden, I can't log back into Policy Editor any more. I got "cannot connect to server!"

I can still ping the firewall and the IPs haven't been changed. Is there a way that you can add some policy to block yourself out from GUI access? My other guess would be the licence problem. Here's the output of printlic. After some research, it seemed to me that I should see another licence showing up for the GUI. Is that right?

[admin]# fw printlic
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 SP-1 Build 41492 IPSO-
build-11 SDK-849 ( 3Jul2002 17:04:25)

Host Expiration Features
208.x.x.x Never cpvp-vig-50-3des-v41 CK-xxxxxxxx

Have a nice holiday.


 
The GUI is part of the main licence, so you only need the one.
A few checks:
1. Has the hosts table on the local machine had the firewall removed? (Try connecting using the IP address where it asks for the management server.)
2. Has the IP address on the local machine changed? (You need to change the GUI IP address allowed on the firewall.)
3. Has the rule allowing GUI management been changed?
gui machine - firewall - fw1-mgmt - allow

If you can access the logs, look to see if there are any rejections when you try to make the connection; this will give you some idea as to the reason.
 
Hi, Piloria

I can rule out 1 & 2. However, if there is a stupid rule that got in for some reason, e.g.
any - firewall - fw1-mgmt - deny

is there a way I can start Checkpoint bypassing the policy? I tried to use fwstop and then just run fwm; doesn't work...

Also, since I don't have access to Log Viewer (cannot connect to server), is there another way I can check the policy logs? I checked the whole log directory; most of the files are not readable...

Thanks!
 
(Un)fortunately FW-1 blocks all traffic by default (the catch-all rule allows you to log failures); if no policy is there then nothing will get through.
I have never used Nokia boxes, so I am a little unsure what happens to logs (if someone else can help out on this); I presume they are written to a local hard drive. Most configurations unload the active logs on a daily/weekly cycle, so if you can access these somehow (when we unload they are in plain text format, nasty to look at but almost readable).
We use these lines to export (\xx\ is to denote directory structure):

fw logswitch old
fw logexport -d , -i \xx\old.log -o \xx\log \xx\temp.txt


I am not sure from what you say that the rule you have
(any - firewall - fw1-mgmt - deny)
is in place; if it is, you need
gui machine - firewall - fw1-mgmt - allow
above it. I would also recommend changing the rule slightly when you have fixed this and try (any - firewall - any - deny); this is the stealth rule, and it stops ALL traffic to your firewall and hides it better.


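The ordering point made in the reply above (the GUI-management allow rule must sit above any deny that covers the same traffic, and the stealth rule closes everything else to the firewall itself) can be checked with a small first-match model of the rulebase. This is an added example, not code from the thread or from Check Point; it ignores implied rules and the real engine's object model, and the host names, the address 10.0.0.99 and the "ssh" service are constructed for illustration.

```python
# Added example (not from the original thread): a minimal FireWall-1 style
# first-match rulebase evaluator, used to show why rule order decides whether
# the Policy Editor GUI can still reach the management service.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str       # source object name or "any"
    dst: str       # destination object name or "any"
    service: str   # service name (e.g. "fw1-mgmt") or "any"
    action: str    # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _covers(field: str, value: str) -> bool:
    """A rule field matches a packet value when it is the wildcard "any" or equal."""
    return field == "any" or field == value


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule matching the packet, top-down, or None.
    FireWall-1 stops at the first hit, so later rules never see the packet."""
    for i, rule in enumerate(rules):
        if (_covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
                and _covers(rule.service, pkt.service)):
            return i
    return None


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Action applied to the packet; no explicit match falls to the implicit drop."""
    i = first_match(rules, pkt)
    return rules[i].action if i is not None else "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match (a pre-install sanity check)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _covers(earlier.service, later.service)):
                shadowed.append(j)
                break
    return shadowed


# Rules as written in the thread (object names are constructed placeholders).
GUI_ALLOW = Rule("gui-machine", "firewall", "fw1-mgmt", "allow")
MGMT_DENY = Rule("any", "firewall", "fw1-mgmt", "deny")
STEALTH = Rule("any", "firewall", "any", "deny")

# Constructed sample connections.
GUI_CONNECT = Packet("gui-machine", "firewall", "fw1-mgmt")
OTHER_HOST_CONNECT = Packet("10.0.0.99", "firewall", "fw1-mgmt")
SSH_TO_FW = Packet("10.0.0.99", "firewall", "ssh")


def lockout_policy() -> List[Rule]:
    """The deny above the allow: the GUI can no longer connect."""
    return [MGMT_DENY, GUI_ALLOW]


def fixed_policy() -> List[Rule]:
    """The allow above the deny, as the reply recommends."""
    return [GUI_ALLOW, MGMT_DENY]


def stealth_policy() -> List[Rule]:
    """GUI allow followed by the stealth rule (any - firewall - any - deny)."""
    return [GUI_ALLOW, STEALTH]


if __name__ == "__main__":
    for name, policy in (("lockout", lockout_policy()), ("fixed", fixed_policy()),
                         ("stealth", stealth_policy())):
        print(f"{name}: GUI -> {decide(policy, GUI_CONNECT)}, "
              f"other host mgmt -> {decide(policy, OTHER_HOST_CONNECT)}, "
              f"ssh -> {decide(policy, SSH_TO_FW)}, shadowed rules: {shadowed_rules(policy)}")
```

Running it shows the lockout policy denying the GUI connection and reporting rule index 1 (the allow) as shadowed, which is exactly the condition to look for before installing a policy that touches fw1-mgmt.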
 
Piloria,

I finally got back into Policy Editor. Apparently there must have been some stupid rules blocking me out. A "fw unload localhost" did the trick.

Thanks for helping!
 