Firewall Wizards mailing list archives

RE: Licencing probs


From: "Andrew Helm-Cowley" <andrew.cowley () techie com>
Date: Wed, 10 Jan 2001 14:45:46 -0400

Lee,

The following was taken from www.Phoneboy.com's WWW site.

99% of the time, this problem is caused by having the incorrect external
network interface device name in file $FWDIR/conf/external.if.

1. Edit file $FWDIR/conf/external.if. For more details, see the following FAQ:
   http://www.phoneboy.com/fw1/faq/0133.html
2. Clear the host count according to the following FAQ:
   http://www.phoneboy.com/fw1/faq/0058.html
3. Bounce FireWall-1 (fwstop ; fwstart)

Debugging

If the above steps do not correct the problem, the following paragraphs
discuss some debugging techniques that you can use:

First, get FireWall-1's list of the internal hosts. Check your
/var/adm/messages file for the start of the list:

  Jan  6 14:40:11 mutiara unix: FW-1: too many internal hosts detected
  Jan  6 14:40:11 mutiara unix:  (192.100.98.167

and for the end of the list:

  ...
  Jan 10 17:19:08 mutiara unix: FW-1: only 50 internal hosts allowed

You can also get a list of hosts with the command 'fw lichosts'.

Now take a look at those hosts.

- If all hosts are valid internal hosts, then your current license is not
  sufficient and you will have to upgrade your license.
- If some of the hosts have IPs belonging to your internal network but you
  don't recognize them, then find out if they exist by pinging them,
  telnetting to them, etc. If they don't exist, we will treat those hosts as
  unknown hosts. See Monitoring Unknown Hosts
  (http://www.phoneboy.com/fw1/faq/0001.html#Monitoring).
- If all hosts are external hosts, then there are three possibilities:
  1. You have specified your internal interface in $FWDIR/conf/external.if.
     Make the correction and restart FireWall-1.
  2. There is another path from the external network into your internal
     network. Some connections originating from the external network are
     coming in via that path and going out through the firewall machine. We
     will have to monitor this. See Monitoring Unknown Hosts.
  3. Someone from inside your network is trying to spoof other IP addresses.
     We will have to monitor this. See Monitoring Unknown Hosts.

Monitoring Unknown Hosts

Our goal is to be able to get more information about the IPs that are being
recorded as internal hosts by FireWall-1. That means we will have to log all
connections and then, for each unknown IP in the internal host list, find
the first connection with the matching source IP.

1. Bring up your rule base and, in the 'Track' column, select 'Long' for all
   rules.
2. Install the current rule base.
3. Wait for the error message 'too many internal hosts detected ...'. At that
   time, extract the list of internal hosts. Then start matching against
   entries in the log file.


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Lee Edward Armstrong
Sent: Wednesday, January 10, 2001 9:58 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Licencing probs


Hi there,

We have a 50 user version of FW 4.1. We have half a dozen servers which this
was bought to protect. The servers are on a subnet of our network 10.1.7.*
with our main network on 10.1.1.*. This has caused FW1 to throw up an error
in the logs that more than 50 internal hosts exist.

I've since shifted the firewall onto a different network - 192.168.10.* and
I'm still getting the same problem. I've tried un-installing FW1, but no joy.
Even when the internal network lead is unplugged and the server is only
connected to the net....still no joy.

It's like FW1 has a counter; once that's been hit, that's it.....Is there any
way of resetting this and starting over again???

Ta,
                Lee

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


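As an added example (my own script, not from the Phoneboy FAQ or Lee's post), a small Python program that pulls the host list FW-1 dumps between the "too many internal hosts detected" and "only N internal hosts allowed" lines and sorts it into addresses inside the subnets you consider internal versus everything else, which is exactly the split the three possibilities in the FAQ turn on. The /var/adm/messages excerpt and the internal subnets are constructed for the demo; adjust them to your own file and address plan.

```python
"""Parse the FireWall-1 'too many internal hosts' dump out of /var/adm/messages
and sort the counted hosts into expected-internal and unexpected addresses."""
import ipaddress
import re

# Constructed sample of a /var/adm/messages excerpt (not a real capture);
# the marker lines follow the format quoted in the FAQ above.
SAMPLE_MESSAGES = """\
Jan  6 14:40:11 mutiara unix: FW-1: too many internal hosts detected
Jan  6 14:40:11 mutiara unix:  (192.100.98.167
Jan  6 14:40:11 mutiara unix:  10.1.7.5
Jan  6 14:40:11 mutiara unix:  10.1.7.6
Jan  6 14:40:12 mutiara unix:  10.1.1.23
Jan  6 14:40:12 mutiara unix:  203.0.113.9)
Jan  6 14:40:12 mutiara unix: FW-1: only 50 internal hosts allowed
"""

START_MARK = "too many internal hosts detected"
END_MARK = "internal hosts allowed"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def counted_hosts(messages: str) -> list:
    """Return the IPs FW-1 listed between the start and end markers, in order.
    A later dump in the same file supersedes an earlier one."""
    hosts, inside = [], False
    for line in messages.splitlines():
        if START_MARK in line:
            hosts, inside = [], True
        elif END_MARK in line:
            inside = False
        elif inside:
            hosts.extend(IP_RE.findall(line))
    return hosts


def classify(hosts, internal_nets):
    """Split hosts into (inside internal_nets, outside them), preserving order."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    expected, unexpected = [], []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        (expected if any(addr in n for n in nets) else unexpected).append(host)
    return expected, unexpected


if __name__ == "__main__":
    hosts = counted_hosts(SAMPLE_MESSAGES)
    ok, odd = classify(hosts, ["10.1.7.0/24", "10.1.1.0/24"])
    print(f"{len(hosts)} hosts counted, {len(odd)} outside your internal subnets: {odd}")
```

Hosts that land in the "unexpected" list are the ones to chase through the Long-tracked log as the FAQ describes; if that list is empty, the count is simply genuine and the licence is too small.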