RE: [FW1] ALLOW_NON_SYN_RULEBASE_MATCH question
There are two modifications that you can make to the fwui_head.def file to deal with this issue. The first modification just disables the errors from showing up in the Log Viewer, but does not open you to any threats (i.e. the traffic is still not allowed to pass). This is done by commenting out the following line:

    #define NON_SYN_RULEBASE_MATCH_LOG

The second modification, which is the one you mentioned, actually just permits the packet through and you never see anything in the log (a little more dangerous). I would recommend that you pursue the first method.

Jeffrey Hochberg
Digital Stronghold
[email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Peter Goodridge
Sent: Friday, November 10, 2000 10:28 AM
To: firewall list
Subject: [FW1] ALLOW_NON_SYN_RULEBASE_MATCH question

Hi,

I have a frame relay network connecting my different sites as well as a site to site VPN. Under 4.0 when frame relay went down everything would fail over very nicely to the VPN and my users didn't even know there was a problem. However, under 4.1 I get the dreaded "unknown established TCP packet" message when a session already running on frame relay tries to use the VPN.

I know I can fix this by defining ALLOW_NON_SYN_RULEBASE_MATCH; however, I don't want to open any holes for all my other traffic by doing so. I'm wondering if there is a way to do this just for predefined site to site VPNs.

If that won't work I can try getting my frame relay routers to tunnel the traffic through the VPN, thereby creating new sessions when fail over happens, but that's likely to get pretty complicated. Any other ideas would be welcomed.

THX,
Pete Goodridge
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================