Re: R65 HFA01 problems?

There is a problem to this.  I don't manage the CMA.  The
R55 CMA 
is currently residing on a P-1 system at a Managed Security
Service Provider.  By the time we are going to migrate from
R55 to
R65, the MSSP will probably be at R65 with HFA_01.  As a
security
consultant for this customer, it is my responsibility to
test these 
scenarios and make sure things go as planned.

"maybe you should try to install the hfa after you
migrated the cma and 
see if it works".  

You just violate Checkpoint's cardinal rule.  Checkpoint
always recommends that you should be running the latest HFA
on
any versions of Checkpoint before checkpoint will help you. 
Therefore,
if I am building a brand new P-1 system, I should be running
the latest
HFA, correct? 

The point I am trying to say here is that HFA_01 has
issues.

sin <sinIMACANDI.NET> wrote: cisco4ng wrote:
> I am referring to the fact that when I migrate a cma
from R55 to R65 with 
>   NO HFA, everything works.  When I migrate a cma from
R55 to R65
>   with HFA_01, it does NOT work.  It seems to me that
HFA_01 has 
>   issues.  I am just one of those many victims.

maybe you should try to install the hfa after you migrated
the cma and 
see if it works.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================


 __________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection
around 
http://mail.yahoo.com 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

cisco4ng wrote:
> There is a problem to this.  I don't manage the CMA. 
The R55 CMA 
> is currently residing on a P-1 system at a Managed
Security
> Service Provider.  By the time we are going to migrate
from R55 to
> R65, the MSSP will probably be at R65 with HFA_01.  As
a security
> consultant for this customer, it is my responsibility
to test these 
> scenarios and make sure things go as planned.
> 
> "maybe you should try to install the hfa after you
migrated the cma and 
> see if it works".  
> 
> You just violate Checkpoint's cardinal rule. 
Checkpoint
> always recommends that you should be running the latest
HFA on
> any versions of Checkpoint before checkpoint will help
you.  Therefore,
> if I am building a brand new P-1 system, I should be
running the latest
> HFA, correct? 

If you find from testing that installing a clean R65, then
do the
migration and then apply HFA-01 if needed will work. Why
don't you do
so? Unless you insist on breaking the eggs without any
intention of
making an omelet.

All I saw in the post was a remark that HFA-01 as earlier
provided to
CSP's was not alright. No one reported issues with the
normal HFA-01 as
far as I can read in that posting.

It sounds to me you are testing migrations that will not
occur for real.
So why should you bother to test that scenario?

Hugo.

- --
hvdkooijvanderkooij.org               http://hugo.vanderkooij.
org/
PGP/GPG? Use: http://hug
o.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of
conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and
rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHGllwBvzDRVjxmYERAiLRAJ9PJzgddsl/uG6OtIbX8CFytKMUkQCf
Vt2Z
gmyIyZcuH2/jc5Am5lNo6lA=
=8lH/
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo van der Kooij <hvdkooijVANDERKOOIJ.ORG> wrote:
>
> It sounds to me you are testing migrations that will
not occur for
> real.  So why should you bother to test that scenario?

If you are saying that there's no way anyone could still be
running R55
in this day and age, think again!!  

- -- 
David DeSimone == Network Admin == foxverio.net
"This email message is intended for the use of the
person to whom
 it has been sent, and may contain information that is
confidential
 or legally protected.  If you are not the intended
recipient or have
 received this message in error, you are not authorized to
copy, dis-
 tribute, or otherwise use this message or its attachments. 
Please
 notify the sender immediately by return e-mail and
permanently delete
 this message and any attachments.  Verio, Inc. makes no
warranty that
 this email is error or virus free.  Thank you." 
--Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHGmDpFSrKRjX5eCoRAl4IAJ9terL2pB4OtRpYDcghiDi9F94YjACf
bzuj
sdEvHlGhhuLje9qg3ZR6WAE=
=+Xj1
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David DeSimone wrote:
> Hugo van der Kooij <hvdkooijVANDERKOOIJ.ORG> wrote:
>> It sounds to me you are testing migrations that
will not occur for
>> real.  So why should you bother to test that
scenario?
> 
> If you are saying that there's no way anyone could
still be running R55
> in this day and age, think again!!  

That was not even close to what I said. C said he expected
the target
would be on R65 + HFA-01 by the time they needed to migrate.
So I fail
to see why someone would test a migration from R55 to R65 if
the expect
move is from one R65 to another R65 setup.

Or he intended to say something different and I just
misunderstood this.

Hugo.

- --
hvdkooijvanderkooij.org               http://hugo.vanderkooij.
org/
PGP/GPG? Use: http://hug
o.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of
conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and
rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHGmmGBvzDRVjxmYERAgPGAJ9i2dIWL8CMHoJqVV6KNiRns4y6HgCf
bRwj
g04IUfRebqYBCHaQvVmgN7A=
=/qFq
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo van der Kooij <hvdkooijVANDERKOOIJ.ORG> wrote:
>
> That was not even close to what I said.  C said he
expected the target
> would be on R65 + HFA-01 by the time they needed to
migrate.  So I
> fail to see why someone would test a migration from R55
to R65 if the
> expect move is from one R65 to another R65 setup.
> 
> Or he intended to say something different and I just
misunderstood
> this.

I believe he tested it to prove a point.

    R55 --> R65       works.
    R55 --> R65 HFA01 doesn't work.

Conclusion:  R65 HFA01 is messed up.

I think his conclusion might be overstepping things a bit,
as all that
it really proves is that the migration scripts in HFA01
don't work
correctly.  A cold install of HFA01 might work fine, but
that doesn't
help a customer trying to perform a migration.

- -- 
David DeSimone == Network Admin == foxverio.net
"This email message is intended for the use of the
person to whom
 it has been sent, and may contain information that is
confidential
 or legally protected.  If you are not the intended
recipient or have
 received this message in error, you are not authorized to
copy, dis-
 tribute, or otherwise use this message or its attachments. 
Please
 notify the sender immediately by return e-mail and
permanently delete
 this message and any attachments.  Verio, Inc. makes no
warranty that
 this email is error or virus free.  Thank you." 
--Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHGnEEFSrKRjX5eCoRAk3cAJ9aF8P7UKUOs8zZp7pi3aObE0dbCwCd
GV+q
zMYRmWeSPcj/g7/5Qn04o3U=
=Umm5
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

I believe the last two posts, from Melipa and DannTro, were
regarding issues with the public release.

Ray


> All I saw in the post was a remark that HFA-01 as
earlier provided to
> CSP's was not alright. No one reported issues with the
normal HFA-01 as
> far as I can read in that posting.

____________________________________________________________
_____
Climb to the top of the charts!  Play Star Shuffle:  the
word scramble challenge with star power.
http://club.live.com/star_shuffle.aspx
?icid=starshuffle_wlmailtextlink_oct

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================