Description of the different fwcore.cfg files.

How to's for older versions of CorePlus
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Description of the different fwcore.cfg files.

Post by Peter » 15 Apr 2008, 18:20

This How-to applies to:
  • Clavister Security Gateway, all versions up to 8.90
Clavister CorePlus will attempt to load the following configuration files, in order:
  • [*] FWCore_N.cfg
    [*] FWCore.cfg
    [*] FWCore_O.cfg
"FWCore.cfg" is the "standard" configuration file. Most of the time, it is the only one of the above list that actually exists.
This document describes when "FWCore_N.cfg" exists, and how you can use "FWCore_O.cfg" as a fall-back option if something goes wrong.

What "FWCore_N.cfg" is, and when it exists
When you upload a new configuration, it will be temporarily stored as "FWCore_N.cfg". The SGW will then load the contents of it.
If you successfully reconnect to the SGW (Security Gateway) within 30 seconds (default, see "Advanced Settings" -> "Misc" or "RemoteAdmin" -> "NetConBiDirTimeout"), SGW will place the new configuration in "FWCore.cfg" and delete "FWCore_N.cfg".

If however you can not reconnect to the SGW, "FWCore_N.cfg" will be deleted, and the SGW will fall back to "FWCore.cfg".

Resolving fatal configuration problems
If there is ever a problem with a newly uploaded configuation that prevents your SGW from starting, you can halt the startup and escape to the boot menu. From there, select "Advanced" -> "CLI", which drops you to a command-line interface prompt.

There, you can type the following commands:
  • del fwcore_n.cfg
This removes the newly uploaded configuration, and allows the SGW to start using the previous configuration ("FWCore.cfg").

What "FWCore_O.cfg" is, and what you can use it for
"FWCore_O.cfg" is not created by any automated process. You can, however, create it yourself, so that you have an backup configuration that you can fall back to if all else fails.
To create an "FWCore_O.cfg", you can either go to the command-line interface via the boot menu and use the following command:
  • copy fwcore.cfg fwcore_o.cfg
Or you can use the fwctl tool to upload a configuration of your choosing as "FWCore_O.cfg":
  • fwctl --fileupload myconfigfile.txt fwcore_o.cfg mygw
When will "FWCore_O.cfg" be used?
"FWCore_O.cfg" will be used if the SGW fails to find or parse "FWCore_N.cfg" as well as "FWCore.cfg".
This means that it can happen because you accidentally uploaded a much older SGW Core, so you should make sure that "FWCore_O.cfg" contains only very basic configuration options if it is to be useful in such a situation.
You can, of course, also force it to happen by simply deleting your current configuration.

But won't "FWCore_O.cfg" be ... old?
The SGW will assume that the policy and settings in FWCore_O.cfg is too old to be trusted, and do two things:
  • Enable "Safe Mode", which minimizes RAM consumption by assuming a minimum of concurrent states, packet buffers, etc...
  • Enable "Lockdown Mode", where only admin access to the SGW is allowed. No traffic is allowed through the SGW.