
[FW1] 4.1 SP2 and ALLOW_NON_SYN_RULEBASE_MATCH



After upgrading two IP440's to 4.1 SP2, we started seeing lots of drops on
rule 0 with reason: unknown established TCP packet

I uncommented the #define ALLOW_NON_SYN_RULEBASE_MATCH statement in
lib/fwui_head.def and pushed the policy out.  Cleared up the problem right
away.

Comment:  This was disrupting communication from our Internal zone into the
DMZ zone.  Critical.  Can't tolerate this.

Questions:

1) How great is the danger of leaving this non-match in effect?
2) Wouldn't this create more problems if one of the Nokias fails over to the
other?  Seems there would be a painful period of re-establishing all TCP
connections, and again when failing back to primary Nokia.






   All contents © 2004 Network Presence, LLC. All rights reserved.