RE: [FW1] FW-1 SP2 (reloading policy and connection table)



Rajeev,

In FW-1 4.0, a reload of the security policy doesn't clear connections.  In a lab
environment I reloaded the security policy during an ftp download and there
weren't any interruptions...  But I do not know about ver 4.1.

regards
baskar

-----Original Message-----
From: Rajeev Kumar [mailto:[email protected]]
Sent: Thursday, September 14, 2000 10:59 AM
To: Firewall-1 Maillist
Subject: [FW1] FW-1 SP2 (reloading policy and connection table)



Hello All,
As many of you have migrated to FW-1 SP2, correct me if I am wrong here.

-> Whenever you run fwstop;fwstart, FW-1 flushes its connection table and,
   as a default behavior, it won't allow established connections anymore
   (since they are sending NON-SYN packets after the FW-1 restart). And you
   will see lots of "Unknown established TCP packets".

RESULT: You will lose all valid connections (telnet, ftp, rlogin, any
        client/server application based on TCP/IP) after the FW-1 restart
        process.

-> The same thing happens even if you try to reload the security policy from
   the management GUI. It also flushes the connection table and loses all
   established connections.

So what that means is, I cannot modify/reload the security policy during the
daytime, as I know lots of users will scream at me. If you have a multi-site
setup spread all over the globe, then users are busy round-the-clock and again
I cannot reload the policy without hurting users.

IS THERE ANY EASY SOLUTION TO THIS in FW-1 SP2?

(I want to keep this feature of rejecting "Unknown TCP Packets" (if they are
 really unknown) but also do not want to lose my valid established
 connections.)

Yes! I want to have my own cake and eat it too!!

Thanks!!

Rajeev



-- 
********************************************************************
	Rajeev Kumar ([email protected])
		http://www.rajeevnet.com
********************************************************************
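
Added example, not part of the original thread and not FireWall-1 code: a minimal Python model of a stateful TCP filter showing why flushing the connection table makes mid-stream (non-SYN) packets of valid sessions look unknown, while a policy reload that keeps state does not. The class, method names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def key(self):
        # Direction-independent key so replies match the same table entry.
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])


@dataclass
class StatefulFilter:
    allowed_ports: set                        # policy: ports a new SYN may open
    table: set = field(default_factory=set)   # connection (state) table
    log: list = field(default_factory=list)

    def handle(self, pkt):
        if pkt.key() in self.table:           # known connection: pass
            return "accept"
        if (pkt.flags & SYN) and not (pkt.flags & ACK):
            if pkt.dport in self.allowed_ports:   # new connection: check policy
                self.table.add(pkt.key())
                return "accept"
            return "drop"
        # Non-SYN packet with no matching state entry.
        self.log.append(f"Unknown established TCP packet {pkt.src}:{pkt.sport}"
                        f" -> {pkt.dst}:{pkt.dport}")
        return "drop"

    def restart(self):
        self.table.clear()                    # stop/start: all state is lost

    def reload_policy(self, allowed_ports, keep_state=True):
        self.allowed_ports = set(allowed_ports)
        if not keep_state:                    # model of a reload that flushes
            self.table.clear()


def demo():
    fw = StatefulFilter(allowed_ports={21, 23})
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 21, SYN)    # constructed
    data = Packet("10.0.0.5", 40000, "192.0.2.10", 21, ACK)   # constructed
    results = [fw.handle(syn), fw.handle(data)]
    fw.reload_policy({21, 23, 80}, keep_state=True)
    results.append(fw.handle(data))           # session survives the reload
    fw.restart()
    results.append(fw.handle(data))           # same session after the flush
    return results, fw.log
```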


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


All contents © 2003 Network Presence, LLC. All rights reserved.