Comments on CCMA's blog: FW module is lost after reboot, analysis
Blog author: Valeri Loukine
Feed updated: 2024-03-21T15:44:25.378+01:00
5 comments

Valeri Loukine, 2014-07-30T14:44:02.024+02:00

Thanks, Sergei! Hope CP fixes it any time soon.

Sergei Shir, 2014-07-30T14:30:25.782+02:00

This behavior can be easily replicated

Replication:
1) delete an IP address from the "Mgmt" interface
2) set the state of the interface to "off"
3) the entry that corresponds to machine's HostName will be removed from the /etc/hosts/ file
4) reboot the machine

Result:
Firewall machine loads "defaultfilter" policy, which by design prevents any connections to and through the machine.

Root cause:
CPSTART code checks that the machine's HostName has an IP address in the /etc/hosts file.
If such entry is not found, the CPSTART terminates.

Next step:
Issue will be forwarded to the relevant developers.

Valeri Loukine, 2014-05-27T11:48:18.846+02:00

Uri, in the described scenario FW fails to load pre-existing policy after reboot. All explicitly defined connections are no longer working because of that.

Anonymous, 2014-05-27T10:03:47.644+02:00

Hey Valery
This is an implied connection - implied rule uses the IP in /etc/hosts file, and this is the IP of the management port.
If you explicitly allow ssh connection to this you should be able to connect to the machine w/o the need for a console connection.

Anonymous, 2014-05-25T13:37:01.668+02:00

Nice catch! I was already wondering how important the management interface really is ;)