SmartDashboard/Policy Editor does not have too many issues. However, a few problems come up from time to time. Note that the issues described in the following subsections continue the numbering system used in the FAQs in the previous section.
There are times when it appears that all of your rulebases have disappeared. This is because the rulebases.fws file is corrupt. You can simply recreate this file by closing any GUI connected to the management console and performing the following steps:
On UNIX:# cd $FWDIR/conf # fwm -g *.W
On Windows NT:c:\> cd %FWDIR%\conf c:\WINNT/FW/conf> for %i in (*.W) do fwm -g %i
There are some differences between these commands.
On UNIX, the * is interpreted as a wildcard and includes all .W files.
On Windows NT, the * is not interpreted as a wildcard, so you must list the .W files individually (thus the for loop).
When importing rulebase files, if objects referenced in a specific rulebase no longer exist, the rulebase in question will not be successfully imported. This happens with particularly old rulebases. You will see errors to this effect when you run this command: These errors are normal.
If you are using the GUI over a particularly slow link or have a particularly large number of rulebases or network objects, you may see a lot of Server Not Responding messages when you attempt to use the GUI. The GUI tries to download objects_5_0.C and all the rulebases used. If this takes longer than the timeout value (which is 25 seconds), you will get this message.
In FireWall-1 NG, a new "compressed connection" feature was added. By default, the SmartDashboard/Policy Editor application should have this option enabled. However, it's possible it might have been disabled. On the SmartDashboard/Policy Editor logon screen, ensure that the "Use compressed connections" option is enabled. It will be listed if you click on the "More options" link.
Although not much can be done for the size of objects_5_0.C, the number of rulebases can certainly be reduced. Remove some unused rulebases. You can also adjust the timeout for the GUI client connection as follows.
UNIX: Set the environment variable SERVER_TIMEOUT before running fwpolicy (e.g., setenv SERVER_TIMEOUT 60 to set the timeout to 60 seconds).
Windows: Create the following Registry entry as a DWORD, specifying the desired number of seconds for the timeout: HKEY_LOCAL_MACHINE/SOFTWARE/CheckPoint/Policy Editor/5.0/server_timeout.
When you are editing a workstation object, you may be trying to do a GET to automatically fill in the interfaces on the Interfaces tab. This may fail. You can only fetch the interfaces on a host that has either FireWall-1 installed or SNMP installed. Depending on the object in question and the version of FireWall-1 being used, you will either have to troubleshoot this as a remote management issue (see Chapter 7) or as an SNMP issue.
After upgrading FireWall-1 4.1 to FireWall-1 NG FP3 (management server), sometimes SmartDashboard crashes after logging in to it. It seems to be the SmartMap that generates this problem.
The solution for this problem is to edit the objects file (don't do this manually!) by using dbedit as shown below.
c:\> dbedit Enter Server name (ENTER for 'localhost'): <ip management server> Enter User Name: <username> Enter User Password: <pass> Please enter a command, -h for help or -q to quit: dbedit> modify properties firewall_properties totally_disable_VPE true dbedit> update properties firewall_properties firewall_properties updated successfully. dbedit> quit
Now when you try to log in to the SmartDashboard, you'll be able to manage your firewall and policy but without the SmartMap.
There are several possible causes for this error:
Check that the $FWDIR/conf/gui-clients file on the management console is defined correctly.
If you are using the GUI from a UNIX platform, you must have the motif license feature. In FireWall-1 4.1 and later, this feature costs extra.
Make sure that the host specified at the login screen is actually the management console, not the remote firewall module. Keep in mind that the SmartConsole applications, the Management Module, and firewall module can all reside on separate machines, so make sure you specify the correct machine.
Check that the license is bound to the correct address on the Windows platform. (Run ipconfig from the DOS prompt.)
Remember that the licensed IP address must be the primary address of its interface. If the licensed IP address is bound to a virtual interface, FireWall-1 will not work.
Check that there are no other licensing irregularities. For example, an expired eval or demo license can cause various errors, including this one. Reinstall your currently valid licenses. Also ensure the licenses you have are appropriate for the topology you are using. For example, if you have a separate management license and you've installed a standalone configuration, this won't work. You must either request the appropriate licenses or change your topology to fit the licenses you have.