Solved

Stop Checkpoint FW1 security policy from loading at boot: Solaris

Posted on 2004-08-07
9
1,479 Views
Last Modified: 2013-12-05
Solaris 8.
I am trying to get the fw1 module not to load at boot time. I have removed the startup and there is no FW process running.

From what I can tell in /etc/init.d there isn't anything loading.

Where is the module being loaded from?

0
Comment
Question by:SrArtemis
9 Comments
 
LVL 4

Expert Comment

by:net_sec_guru
ID: 11745081
check out /etc/fw.boot

and what about the file:
/etc/rc2.d/Sxxcpp??? - can't think of the exact file name right now... and the "xx" is the number it's assigned.

It's the file that starts the firewall service...
0
 

Author Comment

by:SrArtemis
ID: 11752256
I removed all the FW startup files from the rc2 and rc3 directories already.  

ps -ef | grep fw shows no processes. The security policy is being launched from something else.

0
 

Expert Comment

by:EdUSC
ID: 11753392
do a cpstat -fw  to see what policy is loaded.  If there aren't any fw processes then the policy can't be active.

Why do you think it is loading?
0

 

Author Comment

by:SrArtemis
ID: 11755150
I do not have cpstat on the machine unfortunately.

I know it is loading for two reasons:

1) on boot it shows FW-1 loading modules and fwstrmodwput for the interface.

2) When trying to connect via samba from windows it fails until I run /opt/CPfw1-41/bin/fwstop...then it reports to standard out:

Cannot kill fwp pid -fine we know it is not running
Cannot kill snmp pid - same
Cannot kill fwm pid -same
Unistalling security policy from all.all@host
Done

Then samba works fine.....

0
 

Expert Comment

by:EdUSC
ID: 11756864
run dmesg and see if you can pick out the startup line for the module.  It may have a path for you.

I didn't realize you were on 4.1 which does not have the cpstat command.
0
 
LVL 3

Accepted Solution

by:
dschwartzer earned 50 total points
ID: 11763541
Firewall kernel loads the policy - not a user process.
If you're running NG, run cpconfig -> Automatic Start of Check Point products. There you can choose whether fw will load during boot.

Anyway, to see the currently installed policy, run "fw stat"; to unload the policy from the current computer and revert to "any-any-accept", run "fw unloadlocal".

Just for the information - any-any-accept is not completely equal to the absence of the FW on the machine - some kind of basic sanity inspection is still applied. This is not a problem for you, because if policy uninstall solves your problem.

HTH,
d
0
 

Author Comment

by:SrArtemis
ID: 11764483
I am not running NG. I am really not sure what NG is?

I ran fw stat and the following was reported:

localhost defaultfilter 5aug2000: [>qfe1]

I then ran fw unload localhost.
unistalling security policy from all.all@bork

fw stat again:
localhost -                           : <qfe1

I tried running fw unload qfe1 and got back the following:
unistall security policy from qfe1: No license for remoter unistall.

When I reboot it doesn't change anything. dmesg reports back that fw0 is /pseudo/fw@0
FW-1: fwstrmodwput: loading default filter on qfe1

Thoughts?





0
 

Expert Comment

by:EdUSC
ID: 11764625
Uninstall Checkpoint or create a startup script that performs a fw unloadlocal.  S99local would work.
0
 
LVL 3

Expert Comment

by:yokel
ID: 11767816
cpconfig still works on versions previous to NG? If not try fwconfig (can't remember).
Once there as dschwar... says above, you should get an option to not start Checkpoint at startup.
0
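
Added example, not part of any post in this thread: since the accepted answer points out that the kernel module, not a user process, holds the policy, `ps` cannot answer "where is it loaded from", but a sweep of the boot-time locations named above (`/etc/init.d`, the `/etc/rc?.d` directories, `/etc/fw.boot`) can. The function names, the search strings `CPfw1`, `fw.boot` and `fwstart`, and the sample file names `S95firewall`, `S15nfs` and `sample.bin` are assumptions chosen for illustration.

```shell
#!/bin/sh
# List boot-time files under ROOT that reference the FireWall-1 install.
# ROOT defaults to / ; pass a scratch directory to try it on a sample tree.
find_fw_boot_refs() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "" so the paths below stay clean
    {
        # /etc/fw.boot was named in the thread; its presence alone is worth reporting
        [ -e "$root/etc/fw.boot" ] && echo "$root/etc/fw.boot"
        for loc in "$root/etc/init.d" "$root"/etc/rc?.d; do
            [ -e "$loc" ] || continue
            # grep -l prints only the names of files that contain a match;
            # the three search strings are assumptions, adjust to the install
            find "$loc" \( -type f -o -type l \) \
                -exec grep -l -e 'CPfw1' -e 'fw\.boot' -e 'fwstart' {} \; 2>/dev/null
        done
    } | sort -u             # rc?.d entries are often links to init.d: dedupe
}

# Build a constructed sample tree (not taken from a real host), print its path.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/init.d" "$d/etc/rc2.d" "$d/etc/rc3.d" "$d/etc/fw.boot"
    # Hypothetical leftover start script that calls into the FW-1 install
    printf '#!/bin/sh\n/opt/CPfw1-41/bin/fwstart\n' > "$d/etc/rc3.d/S95firewall"
    # Unrelated script that must not be reported
    printf '#!/bin/sh\n/usr/sbin/nfsd\n' > "$d/etc/rc3.d/S15nfs"
    printf 'constructed placeholder\n' > "$d/etc/fw.boot/sample.bin"
    echo "$d"
}

# Usage on a live host (as root):   find_fw_boot_refs /
# Usage on the sample tree:         find_fw_boot_refs "$(make_sample_root)"
```

Any path it prints is a candidate for what re-installs the default filter at boot; an empty result means the reference lives outside these directories.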
