How to Modify the Nokia IPSO Default Filter
Mitchell Rowton
02/21/2004
Are you buying Nokia boxes, configuring them, and then shipping them off to their destination? If so,
you need to read this.
Deploying Nokia boxes to remote locations can be difficult for a couple of reasons. Most of the time
their destination will be on a different network, so you must configure the Nokia with its future IP
address. Because you are assigning the future IP address, you cannot connect the Nokia to a
management server before you ship it. "Ah," you say, "I'll just wait until the Nokia is delivered and
then connect it to the management server." Unfortunately this option is not easy to do; it is only
(kind of) supported and (kind of) documented by Nokia TAC (although they are revising this
resolution).
The defaultfilter.pf is a policy that, for all intents and purposes, blocks everything (and
"everything" includes SIC). Normal standard operating procedure when establishing SIC between an
enforcement point and a management server is to issue "fw unloadlocal." However, if you are not able
to console into the firewall (say it's in another country), then you can't issue this command. And of
course you can't SSH or Telnet into it, because the defaultfilter.pf blocks this.
IPSO has a couple of alternatives to defaultfilter.pf. The most widely suggested appears to be "use
Horizon Manager." However, this costs more money than I (personal opinion) think it warrants. Another
option is to replace the defaultfilter.pf with another IPSO-specific file called
defaultfilter.ipso_ssh. As the name suggests, this policy will allow you to SSH to (and ping) the
box, allowing you to issue the standard "fw unloadlocal" to establish SIC.
DO THIS BEFORE YOU RUN THE INITIAL CPCONFIG
cp $FWDIR/lib/defaultfilter.ipso_ssh $FWDIR/conf/defaultfilter.pf
fw defaultgen
cp $FWDIR/state/default.bin $FWDIR/boot
Now run cpconfig and march on...
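The three steps above, wrapped as an added example (not from the original article or from Nokia/Check Point) that refuses to run if the IPSO-specific policy is missing, keeps a copy of the original deny-everything filter so it can be restored once SIC is up, and checks that defaultgen actually produced a default.bin before installing it. It assumes $FWDIR is set as on a Check Point install; FW_BIN is a hypothetical override so the steps can be rehearsed on a lab box without a real fw binary.

```shell
#!/bin/sh
# Stage the SSH-permitting IPSO default filter before the first cpconfig run.
# Usage: stage_ssh_default_filter [FWDIR]   (defaults to $FWDIR)
# FW_BIN is a hypothetical override (not a Check Point variable) for dry runs.
stage_ssh_default_filter() {
    fwdir=${1:-$FWDIR}
    fw=${FW_BIN:-fw}
    src="$fwdir/lib/defaultfilter.ipso_ssh"
    dst="$fwdir/conf/defaultfilter.pf"

    # Fail closed: no FWDIR or no IPSO-specific policy means nothing is touched.
    [ -n "$fwdir" ] || { echo "FWDIR is not set" >&2; return 1; }
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }

    # Keep the shipped deny-everything filter so it can be put back after SIC
    # is established (backup name is this example's own convention).
    if [ -f "$dst" ]; then
        cp "$dst" "$dst.orig.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$src" "$dst" || return 1

    # Compile the new default filter and verify the compiled policy exists
    # before installing it where IPSO loads it at boot.
    "$fw" defaultgen || return 1
    [ -f "$fwdir/state/default.bin" ] || {
        echo "fw defaultgen produced no $fwdir/state/default.bin" >&2; return 1; }
    cp "$fwdir/state/default.bin" "$fwdir/boot" || return 1
    echo "SSH-permitting default filter staged; now run cpconfig"
}
```

After the box is delivered and SIC is established, the saved defaultfilter.pf.orig.* copy can be restored and the same fw defaultgen / cp steps repeated to return to the deny-everything default.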