Re: [FW1] Basic questions
Rahul,

1. Depends on the version. CP FW1 v4.0 will allow connections to continue after you install a policy (except for VPN-type connections, which would have to be re-established). The default in v4.1 SP2 is to disallow them. This can be changed; see phoneboy.com for info. If I've interpreted your question properly, you're most likely running v4.1 SP2.

When you should install a new policy is based upon your site and the company's policies. If, for example, you have a large site with many rules and you install a new rulebase that by accident cuts off access for important processes or allows all sorts of stuff in, could you afford the time it would take to install a corrected rulebase? How would you look in the eyes of those who've trusted you to run a smooth operation?

2. The system has logic built in to support known services. In your case, you would have to enhance the system to account for the outbound traffic on one port and the return traffic on the other port. IOW, you would need to define the services needed and the rules to support these services.

HTH,
Robert

- -
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice:
email: [email protected]

>>> Rahul Parasnis <[email protected]> 12/15/00 4:57:29 AM >>>
> Hello All,
> I am new to this field; there are some doubts which I have in mind. I will be obliged if anybody can explain about them.
> 1. Whenever I install Security Policy, do all active connections get lost? Is it advisable to install policy during peak hours?
> 2. If there is one port which has to be opened to go outside the firewall, normally another port also establishes its connection with the source machine.
> If you see netstat
>
> tcp 0 0 202.35.82.118.51357 202.35.85.65.8144 SYN_SENT
>
> this 8144 port is opened but it gets dropped by the last rule.
> As I understand it, for telnet you have to open only port 23, not the other port.
>
> Is there anything I am missing here?
>
> Thanks
> - Rahul

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
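Added illustration, not part of the thread above and not Check Point code: a toy Python model of the two behaviours Robert describes. It treats the firewall as a rulebase plus a connection table, so a telnet session needs only a rule for port 23 (the server's replies match the table entry), while the application's second connection to port 8144 is a new SYN that no rule covers and falls through to the implicit cleanup rule until a service for 8144 is defined. The same model shows why a policy install with the "flush the connection table" default (what Robert attributes to v4.1 SP2) kills an established telnet session, whereas keeping the table (the v4.0 behaviour / the phoneboy.com tweak) does not. The first netstat line is the one from Rahul's question; the second is constructed, and the filtering logic is an idealised assumption rather than FW-1 internals.

```python
from dataclasses import dataclass, field

# Constructed sample: the netstat line from Rahul's question plus a made-up
# second entry for an ordinary telnet session from the same client.
SAMPLE_NETSTAT = """\
tcp 0 0 202.35.82.118.51357 202.35.85.65.8144 SYN_SENT
tcp 0 0 202.35.82.118.51358 202.35.85.65.23 ESTABLISHED
"""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    """One rulebase entry: the destination ports that make up a 'service'."""
    ports: frozenset
    action: str  # "accept" or "drop"


@dataclass
class Firewall:
    """Idealised stateful filter (an assumption for illustration, not FW-1)."""
    rules: list
    conns: set = field(default_factory=set)

    def install_policy(self, rules, keep_connections=False):
        """Replace the rulebase. By default the connection table is flushed
        (the v4.1 SP2 default in the reply); keep_connections=True models the
        v4.0 behaviour / the tweak Robert points to."""
        self.rules = list(rules)
        if not keep_connections:
            self.conns.clear()

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Traffic of a known connection is accepted in both directions without
        # consulting the rulebase: this is why telnet needs only port 23 open.
        if fwd in self.conns or rev in self.conns:
            return "accept"
        # A non-SYN packet with no table entry (e.g. after a policy install
        # flushed the table) cannot start a connection, so it is dropped.
        if not pkt.syn:
            return "drop"
        # First packet of a new connection: walk the rulebase top to bottom.
        for rule in self.rules:
            if pkt.dport in rule.ports:
                if rule.action == "accept":
                    self.conns.add(fwd)
                return rule.action
        return "drop"  # implicit cleanup rule: nothing matched


def parse_netstat(text):
    """Turn netstat -n TCP lines into Packets. SYN_SENT entries become SYN
    packets; anything else is treated as a mid-stream packet."""
    pkts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        src, sport = parts[3].rsplit(".", 1)
        dst, dport = parts[4].rsplit(".", 1)
        pkts.append(Packet(src, int(sport), dst, int(dport),
                           syn=(parts[5] == "SYN_SENT")))
    return pkts


def verdicts(fw, netstat_text):
    """Map each netstat entry's destination port to the firewall's verdict."""
    return {p.dport: fw.filter(p) for p in parse_netstat(netstat_text)}


TELNET_ONLY = [Rule(frozenset({23}), "accept")]
# The fix Robert describes: define a service for the second port and a rule for it.
TELNET_AND_8144 = TELNET_ONLY + [Rule(frozenset({8144}), "accept")]


def telnet_session(fw):
    """Open a telnet connection and return the verdict on the server's reply."""
    client, server = "202.35.82.118", "202.35.85.65"
    fw.filter(Packet(client, 51358, server, 23, syn=True))
    return fw.filter(Packet(server, 23, client, 51358, syn=False))


if __name__ == "__main__":
    fw = Firewall(TELNET_ONLY)
    print("telnet reply:", telnet_session(fw))
    print("telnet-only rulebase:", verdicts(fw, SAMPLE_NETSTAT))
    fw.install_policy(TELNET_AND_8144, keep_connections=True)
    print("service for 8144 added, table kept:", verdicts(fw, SAMPLE_NETSTAT))
    fw.install_policy(TELNET_AND_8144)
    print("same policy, table flushed:", verdicts(fw, SAMPLE_NETSTAT))
```

Run as written, the telnet-only rulebase drops the 8144 SYN while the established telnet entry passes; adding the 8144 service with the table kept accepts both; re-installing with the table flushed accepts 8144 but drops the mid-stream telnet packet, which is the "active connections get lost" case from question 1.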