RE: [FW1] ALLOW_NON_SYN_RULEBASE_MATCH question



There are two modifications that you can make to the fwui_head.def file to
deal with this issue.  The first modification just disables the errors from
showing up in the Log Viewer, but does not open you to any threats (i.e. the
traffic is still not allowed to pass).  This is done by commenting out the
following line:

#define NON_SYN_RULEBASE_MATCH_LOG

The second modification, which is the one you mentioned, actually just permits
the packet through and you never see anything in the log (a little more
dangerous).  I would recommend that you pursue the first method.

Jeffrey Hochberg
Digital Stronghold
[email protected]

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Peter Goodridge
Sent: Friday, November 10, 2000 10:28 AM
To: firewall list
Subject: [FW1] ALLOW_NON_SYN_RULEBASE_MATCH question



Hi,

I have a frame relay network connecting my different
sites as well as a site to site VPN.  Under 4.0 when
frame relay went down everything would fail over very
nicely to the VPN and my users didn't even know there
was a problem.  However, under 4.1 I get the dreaded
"unknown established TCP packet" message when a
session already running on frame relay tries to use
the VPN.

I know I can fix this by defining
ALLOW_NON_SYN_RULEBASE_MATCH; however, I don't want to
open any holes for all my other traffic by doing so.
I'm wondering if there is a way to do this just for
predefined site to site VPNs.

If that won't work I can try getting my frame relay
routers to tunnel the traffic through the VPN thereby
creating new sessions when fail over happens, but
that's likely to get pretty complicated.  Any other
ideas would be welcomed.

THX,
Pete Goodridge



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.