Q = Question A = Answer
Contributed By ITKFS@qe2-hsc.ns.ca
Q - What version of NT should I use?
A - NT 4.0 Workstation or NT 4.0 Server. Workstation is cheaper and is
the most commonly used platform, but you can use either. There is no
real gain in using NT Server unless you want to run other services on it,
like the DHCP service for example.
Q - How do I set up NT before installing FW-1?
A - 1) Make sure all your equipment is on the Windows NT Hardware
Compatibility List before installing. If it's not, Microsoft may not support
your system. See "insert link to Microsofts HCLsite here" for more
details.
2) Install NT 4.0. Install the SNMP service and any NICs you have.
Install Service Pack 3 and any post-Service Pack 3 fixes. See http://www.ntbugtraq.com, a good site for fixes and security info.
NTFS partitions are preferred and are more stable. I can really expand
this to multiple steps. I'll work on this.
3) Verify that all your routing and IP addresses on your NICs are
working. You do not need IPX or NetBEUI installed unless you plan on
running other services on your firewall. It is not recommended that you
do this.
Q > What port(s) do I need to open to allow MS SQL Server to replicate through Firewall 1?
A > Open port 1433 in the direction that you wish to replicate.
Contributed By cbrenton@sover.net
Q > What is the suggested order for installing FW-1 on NT?
A > FW-1 should be installed as follows:
1) Install NT
2) Remove any non-essential files, protocols or services
3) Enable IP forwarding under TCP/IP properties
4) Install SP3
5) Install the following hotfixes _in order_: lsa-fix, ndis-fix, pent-fix, getadmin-fix,
teardrop2-fix, srvr-fix
6) Install FW-1
7) Install the latest FW-1 patch (3045 is public, 3055 is still in beta)
Q > Can I monitor FW-1 through the NT Performance Monitor?
A > Yes, from the \fw\lib directory, execute the following:
lodctr fwctrs.ini
This will add FW-1 parameters to Performance Monitor
Q > In Event Viewer, I get an error message that states "External interface not set by
this loading". What gives?
A > The external interface is not correctly defined. From the CMD prompt type "ipconfig"
to get a list of driver names associated with your network cards (like Elnk3). Now with a
raw text editor, edit or create the file "\fw\conf\external.if". On the first line of
this file, enter the driver name for your external interface. This entry is case
sensitive! Once complete save and exit. Now do a "fwstop" and an "fwstart" to initialize
the interface.
Q > I'm running FW-1 version 3.0b. The system has been running fine for a while but I made
a few changes and now all of a sudden the rule editor and the log viewer time out when I
try to connect. What gives?
A > SP3 should not be installed once FW-1 has been installed on the firewall. If you
add/remove services from the original NT CD and then install SP3, you need to re-install
all of the hotfixes, the FW-1 server software (as an upgrade so rules and databases are
not lost) and then the latest FW-1 patch, in that order.
Q > I've setup one of my internal systems to use static NAT but I can not ping it from the
Internet. What gives?
A > Once you have created the network object and installed it in the rule base, you still
have some configuration steps to perform.
1) Create a route entry from the command prompt by typing:
route add -p legal_IP_address mask 255.255.255.255 private_IP_address
So, if the legal NAT address is 100.100.100.10 and the private address that is assigned
to the system is 192.168.1.10, the entry would look as follows:
route add -p 100.100.100.10 mask 255.255.255.255 192.168.1.10
If the system is located on the other side of a router within the internal network,
replace the system's private address with the IP address of the router's local interface
in the above command.
2) With a raw text editor, edit or create the file "\fw\state\local.arp". Add an entry
with the following syntax:
Legal_IP_address external_mac_of_firewall
So, if the MAC assigned to the firewall's external NIC was 0020AF01CAB1, the file would
look as follows:
100.100.100.10 00:20:AF:01:CA:B1
Exit and save the file. From the \fw\bin directory execute a "fwstop" followed by an
"fwstart".
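As an added example (not part of this FAQ and not FW-1's own tooling): a small Python helper that builds the persistent route command and the local.arp line from the addresses used in the answer above, and lints an existing local.arp file for the mistakes that most often leave a static NAT host unreachable (duplicate legal IPs, malformed entries, and MACs copied straight from "ipconfig /all", which NT prints with dashes). It assumes the local.arp format is exactly the two-field, colon-separated-MAC form shown above; the sample file is constructed for the demonstration.

```python
"""Helper for the FW-1 static NAT steps: build the 'route add -p' command and
the local.arp line, and sanity-check a local.arp file before fwstop/fwstart.

Added example, not from the FAQ or from FW-1. Assumption: local.arp lines are
"<legal_ip> <mac>" with the MAC colon-separated, as the FAQ shows, so the
dash-separated MAC that NT's "ipconfig /all" prints must be rewritten.
"""
import ipaddress
import re
from typing import Dict, List, Optional

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")

# Constructed sample local.arp: line 2 uses the ipconfig dash form, line 3
# duplicates line 1, line 4 is missing its MAC.
SAMPLE_LOCAL_ARP = """\
100.100.100.10 00:20:AF:01:CA:B1
100.100.100.11 00-20-AF-01-CA-B1
100.100.100.10 00:20:AF:01:CA:B1
100.100.100.12
"""


def normalize_mac(mac: str) -> str:
    """Accept 0020AF01CAB1, 00-20-AF-01-CA-B1 or 00:20:af:01:ca:b1 and return
    the colon-separated upper-case form used in local.arp."""
    digits = mac.strip().replace(":", "").replace("-", "")
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def nat_entries(legal_ip: str, private_ip: str, fw_external_mac: str,
                next_hop: Optional[str] = None) -> Dict[str, str]:
    """Return the route command and the local.arp line for one static NAT
    host. next_hop replaces private_ip in the route when the host sits behind
    an internal router (the FAQ's second case)."""
    legal = ipaddress.IPv4Address(legal_ip)      # raises ValueError on garbage
    private = ipaddress.IPv4Address(private_ip)
    if legal == private:
        raise ValueError("legal and private addresses must differ")
    via = ipaddress.IPv4Address(next_hop) if next_hop else private
    return {
        "route_cmd": f"route add -p {legal} mask 255.255.255.255 {via}",
        "local_arp_line": f"{legal} {normalize_mac(fw_external_mac)}",
    }


def check_local_arp(text: str) -> List[str]:
    """Lint a local.arp file: field count, IP and MAC syntax, duplicate legal
    IPs, and MACs not yet written in the colon form."""
    problems: List[str] = []
    seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue                      # blank line
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected '<legal_ip> <mac>', got {raw!r}")
            continue
        ip_s, mac_s = fields
        try:
            ip = str(ipaddress.IPv4Address(ip_s))
        except ValueError:
            problems.append(f"line {lineno}: bad IP {ip_s!r}")
            continue
        try:
            mac = normalize_mac(mac_s)
        except ValueError:
            problems.append(f"line {lineno}: bad MAC {mac_s!r}")
            continue
        if mac != mac_s:
            problems.append(f"line {lineno}: MAC {mac_s!r} should be written {mac!r}")
        if ip in seen:
            problems.append(f"line {lineno}: {ip} already mapped on line {seen[ip]}")
        else:
            seen[ip] = lineno
    return problems


if __name__ == "__main__":
    for key, value in nat_entries("100.100.100.10", "192.168.1.10", "0020AF01CAB1").items():
        print(f"{key}: {value}")
    for problem in check_local_arp(SAMPLE_LOCAL_ARP):
        print(problem)
```

Run the linter against the real \fw\state\local.arp before the fwstop/fwstart cycle; each reported line is one the firewall will either ignore or answer ARP for incorrectly, and fixing it in the file is cheaper than another restart.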
Q > Okay, I've cut down the number of rules I am using and shut off address resolution for
log entries. The firewall still seems slow however. Is there anything else I can do?
A > Make the two following changes:
1) Go to Network Properties-->Services and open the Server service. Select "Maximize
throughput for network applications".
2) Go to System Properties and click the Performance tab. Set foreground application
boost to "none".
Q > When I do a "ipconfig /all" I get a "registry corrupt" error or the driver names are
associated with the wrong NIC cards. Did FW-1 break something?
A > This is an NT problem, not a FW-1 problem. If you install, remove or change a network
card after NT has been installed (for example to create a DMZ), there is the potential
that the registry information which links the driver names to the network cards will
become corrupt.
To fix this problem, remove the TCP/IP protocol and remove all adapter drivers. Reboot
the system and then re-install the driver as well as TCP/IP. You will unfortunately also
have to re-install SP3, all the hotfixes, the FW-1 server (as an upgrade so your rules
and databases can be reused) and the FW-1 patch.
Q > When I try to use the log viewer I receive only date, time, and action entries. This is regardless of whether using the NT-GUI or the fwui program living on Firewall 1. What can I do?
A > This is a known bug...
1) do a \%fw%\bin\fwstop
2) delete the following files from \%fw%\log
*.*vlog*
*.*alog*
*.log*
3) Then do a \%fw%\bin\fwstart
This blows away your log but at least gives you additional details on future entries.
Copyright © 1998 - 2004 - All Rights Reserved