Solved

Stop Checkpoint FW1 security policy from loading at boot: Solaris

Posted on 2004-08-07
9
1,477 Views
Last Modified: 2013-12-05
Solaris 8.
I am trying to get the fw1 module not to load at boot time. I have removed the startup and there is no FW process running.

From what I can tell in /etc/init.d there isn't anything loading.

Where is module being loaded from?

0
Comment
Question by:SrArtemis
9 Comments
 
LVL 4

Expert Comment

by:net_sec_guru
ID: 11745081
check out /etc/fw.boot

and what about the file:
/etc/rc2.d/Sxxcpp??? - can't think of the exact file name right now... and the "xx" is the number it's assigned.

It's the file that starts the firewall service...
0
 

Author Comment

by:SrArtemis
ID: 11752256
I removed all the FW startup files from the rc2 and rc3 directories already.  

Ps -ef | grep fw shows no processes. The security policy is being launched from something else.

0
 

Expert Comment

by:EdUSC
ID: 11753392
do a cpstat -fw  to see what policy is loaded.  If there aren't any fw processes then the policy can't be active.

Why do you think it is loading?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:SrArtemis
ID: 11755150
I do not have cpstat on the machine unfortunately.

I know it is loading for two reasons:

1) on boot it shows FW-1 loading modules and fwstrmodwput for the interface.

2) When trying to connect via samba from windows it fails until I run /opt/CPfw1-41/bin/fwstop...then it reports to standard out:

Cannot kill fwp pid -fine we know it is not running
Cannot kill snmp pid - same
Cannot kill fwm pid -same
Unistalling security policy from all.all@host
Done

Then samba works fine.....

0
 

Expert Comment

by:EdUSC
ID: 11756864
run dmesg and see if you can pick out the startup line for the module.  It may have a path for you.

I didn't realize you were on 4.1 which does not have the cpstat command.
0
 
LVL 3

Accepted Solution

by:
dschwartzer earned 50 total points
ID: 11763541
Firewall kernel loads the policy - not a user process.
If you're running NG, run cpconfig -> Automatic Start of Check Point products. There you can choose whether fw will load during boot.

Anyway to see the currently installed policy, run "fw stat", to unload the policy from the current computer and revert to "any-any-accept" run "fw unloadlocal".

Just for the information - any-any-accept is not completely equal to the absence of the FW on the machine - some kind of basic sanity inspection is still applied. This is not a problem for you, because if policy uninstall solves your problem.

HTH,
d
0
 

Author Comment

by:SrArtemis
ID: 11764483
I am not running NG. I am really not sure what NG is?

I ran fw stat and the following was reported:

localhost defaultfilter 5aug2000: [>qfe1]

I then ran fw unload localhost.
unistalling security policy from all.all@bork

fw stat again:
localhost -                           : <qfe1

I tried running fw unload qfe1 and got back the following:
unistall security policy from qfe1: No license for remoter unistall.

When I reboot it doesn't change anything. dmesg reports back that fw0 is /pseudo/fw@0
FW-1: fwstrmodwput: loading default filter on qfe1

Thoughts





0
 

Expert Comment

by:EdUSC
ID: 11764625
Uninstall Checkpoint or create a startup script that performs a fw unloadlocal.  S99local would work.
0
 
LVL 3

Expert Comment

by:yokel
ID: 11767816
cpconfig still works on versions previous to NG? If not try fwconfig (can't remember).
Once there as dschwar... says above, you should get an option to not start Checkpoint at startup.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question