[FW1] 4.1 SP2 and ALLOW_NON_SYN_RULEBASE_MATCH
After upgrading two IP440s to 4.1 SP2, we started seeing lots of drops on rule 0 with reason: unknown established TCP packet.

I uncommented the #define ALLOW_NON_SYN_RULEBASE_MATCH statement in lib/fwui_head.def and pushed the policy out. Cleared up the problem right away.

Comment: This was disrupting communication from our Internal zone into the DMZ zone. Critical. Can't tolerate this.

Questions:

1) How great is the danger of leaving this non-match in effect?

2) Wouldn't this create more problems if one of the Nokias fails over to the other? Seems there would be a painful period of re-establishing all TCP connections, and again when failing back to primary Nokia.