
RE: [fw1-gurus] r55 upgrade



> It may, however, affect VPNs if you're using
> certificate authentication for either remote access or 
> site-to-site VPNs since the CA lives on the manager. 

In a distributed environment, the Certificate Revocation List and user
database are cached on the enforcement module. I believe the CRL is good for
seven days, although I don't recall how often it refreshes itself. I use
certificate authentication for both remote access and site-to-site VPNs and
have my SmartCenter down for a couple of hours every two weeks for an image
backup without anyone noticing.

> It will also cause the firewall to start logging locally until the
> manager is back up. This isn't usually a problem unless the firewall
> is low on disk space.

Correct. When the SmartCenter comes back up, my system keeps right on
logging on the enforcement module as well as sending them to the SmartCenter
server. I have to go into SmartCenter, Remote File Management, do a log
switch on the enforcement module, and fetch the file to SmartCenter to stop
it from logging in both places. I don't know if this is normal or not, but
that's how it works. R55 HFA12.

Ray



---------------------------------------------------------------------
FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus)
To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx