Uable to set idle warning and timeout to 0 from gui

ITEM: RTA000151799

Topic thread:                                                                   
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)                               
 IBM COMMERCEPOINT                                                              
  IBM eNetwork Firewall V3.2 for AIX                                            
Customer is running AIX 4.2.1 and FireWall A firewall                  
administrator fwadmin was added by root. I was able to use smit to set          
the idle warning and timeout value for fwadmin to 0,0. But fwadmin can          
not do any the configuration gui function until 0,0 was removed from            
the gui user definition. The error message I got from gui was something         
like the timeout value has to be greater than the warning. This                 
phenomena creates a problem when fwadmin telnet into the fw to                  
continuously monitor the log. Please help me with the following:                
1. What's the right way to give a certain user unlimited idle connection       
2. The symptom I observed with GUI, is it a bug or a feature?                   
The eNetwork Firewall 3.1 for AIX Redbook that is downloadable from             
the IBM Firewall Websites Library Page; (see the following URL;         ) provides               
some great information on Page 185 about setting up Idle Proxy.  It             
answers your first question by stating, "By default, connections started        
up by root would not time out.".  All other Userid's would have a               
timeout and disconnect value as the minimim default value for all               
other users other than the 'root administrator' userid is set with              
the default value assigned when you install the IBM Firewall.  Those            
default values define the 'warning time' and the 'disconnect time'              
which are probably the values that were mentioned in the error msg.            
you described.  Something like 'warning time must be less than                  
disconnect time'.  The 'warning time' value is the elapsed time                 
that a session can sit idle before the user receives a message that             
they are about to be disconnected.  The 'disconnect time' is then               
the amount of time that can elapse before the session is disconnected.          
Your answer to #2 would be a feature so that the 'disconnect time'              
could not be set greater than a 'warning time'.  Otherwise, a user              
would be disconnected before receiving a warning that their session             
had been idle.                                                                  
Hope this answers your question.  Please don't hesitate to contact              
us again, and thanks for using ASKQ.                                            
I want to give user fwadmin idle time out for both warning and                  
disconnect to 0. I was able to set it through smit, but has problem             
doing so via GUI. How can this be a feature, it looks like a bug to me.         
Furthermore, after I set both value to 0 via smit. fwadmin can't do any         
configuration function until I either blank out both fields (fall back          
to the default for everybody) or use non-zero value. Please answer the          
1. Why am I allowed to set both fields to 0 in smit, but not in GUI.            
2. Is root the only account allowed to have 0 for both fields?                  
Thank you for your help.                                                        
Congratulations¢  You have found a Firewall bug.  I talked to one of            
the IBM Firewall developers about your first question today and they            
verified that the SMIT panels in the Firewall product should *not*              
allow a value of 0 for any other user other than the root administrator.       
So they have asked that a defect report be open against the IBM                 
Firewall AIX product.  Do you have the ability to do that?  If so,              
please open it and the defect will be APAR'd and you will have a                
problem record to track the progress of the fix.  The developer                 
asked that you use the following text when opening the PMR.                     
" Firewall SMIT panel in idle users section allows you to set idle              
proxy time out values for any user to zero.  But the base AIX                   
operating system only allows idle time for root to be set to zero".             
You probably want to mention the inability to do configuration                  
for the fwadmin (not root) once you have changed the SMIT panel.                
The answer to your second question is "Yes".  According to the                  
IBM Firewall for AIXRedbook, the only user that would not timeout               
would be the 'root' user.                                                       
Thanks for using ASKQ and thanks for taking the time to pass this               
question back a second time.                                                    

WWQA: ITEM: RTA000151799 ITEM: RTA000151799
Dated: 08/1998 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:39
Comments or suggestions? Contact us