Unable to set idle warning and timeout to 0 from GUI
ITEM: RTA000151799
Q:
Topic thread:
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)
IBM COMMERCEPOINT
IBM eNetwork Firewall V3.2 for AIX
Customer is running AIX 4.2.1 and FireWall 3.2.1.1. A firewall
administrator fwadmin was added by root. I was able to use smit to set
the idle warning and timeout values for fwadmin to 0,0. But fwadmin
cannot do any of the configuration GUI functions until 0,0 is removed from
the GUI user definition. The error message I got from the GUI was something
like "the timeout value has to be greater than the warning". This
phenomenon creates a problem when fwadmin telnets into the fw to
continuously monitor the log. Please help me with the following:
1. What's the right way to give a certain user unlimited idle connection
time?
2. The symptom I observed with the GUI, is it a bug or a feature?
A:
The eNetwork Firewall 3.1 for AIX Redbook that is downloadable from
the IBM Firewall Websites Library Page (see the following URL:
http://www.software.ibm.com/enetwork/firewall/library/ ) provides
some great information on Page 185 about setting up Idle Proxy. It
answers your first question by stating, "By default, connections started
up by root would not time out." All other userids would have a
timeout and disconnect value, as the minimum default value for all
users other than the 'root administrator' userid is set to
the default value assigned when you install the IBM Firewall. Those
default values define the 'warning time' and the 'disconnect time',
which are probably the values that were mentioned in the error msg.
you described, something like 'warning time must be less than
disconnect time'. The 'warning time' value is the elapsed time
that a session can sit idle before the user receives a message that
they are about to be disconnected. The 'disconnect time' is then
the amount of time that can elapse before the session is disconnected.
Your answer to #2 would be a feature, so that the 'disconnect time'
could not be set greater than a 'warning time'. Otherwise, a user
would be disconnected before receiving a warning that their session
had been idle.
Hope this answers your question. Please don't hesitate to contact
us again, and thanks for using ASKQ.
Q:
I want to give user fwadmin an idle timeout for both warning and
disconnect of 0. I was able to set it through smit, but have problems
doing so via the GUI. How can this be a feature? It looks like a bug to me.
Furthermore, after I set both values to 0 via smit, fwadmin can't do any
configuration function until I either blank out both fields (fall back
to the default for everybody) or use non-zero values. Please answer the
following:
1. Why am I allowed to set both fields to 0 in smit, but not in the GUI?
2. Is root the only account allowed to have 0 for both fields?
Thank you for your help.
A:
Congratulations! You have found a Firewall bug. I talked to one of
the IBM Firewall developers about your first question today and they
verified that the SMIT panels in the Firewall product should *not*
allow a value of 0 for any user other than the root administrator.
So they have asked that a defect report be opened against the IBM
Firewall AIX product. Do you have the ability to do that? If so,
please open it and the defect will be APAR'd and you will have a
problem record to track the progress of the fix. The developer
asked that you use the following text when opening the PMR:
"Firewall SMIT panel in idle users section allows you to set idle
proxy time out values for any user to zero. But the base AIX
operating system only allows idle time for root to be set to zero."
You probably want to mention the inability to do configuration
for fwadmin (not root) once you have changed the SMIT panel.
The answer to your second question is "Yes". According to the
IBM Firewall for AIX Redbook, the only user that would not time out
would be the 'root' user.
Thanks for using ASKQ and thanks for taking the time to pass this
question back a second time.
WWQA: ITEM: RTA000151799
Dated: 08/1998 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:39