
RE: [FW1] fw-1 4.1 SP1 http 1.1 support




Hi Xuemei

Apologies, I appear to be wrong, it is supported from v4.0. The following
from phoneboy:

<snip>
Q:

We recently had an evaluation copy of FW-1 3.0b, which we installed and ran
on a Sparc 4 under Solaris 2.6. Everything was fine except
when we tried to use the HTTP Security Server to log accessed URLs. URL
requests to our internal server took 15s for each request to pass
through the FW. We think that this is due to the fact that the browser (IE4)
and server (Apache 1.2.4) want to use HTTP 1.1 with persistent
connections, which results in the URL server holding the TCP connection open
for 15s. However, the FW-1 Security Server waits until the
URL server closes the connection before passing the information it has
received from the server to the browser.

Does FW-1 Security Server support HTTP 1.1, and has anybody else seen this
effect? Is there a patch or fix?

A:

The Security Servers in 3.x and earlier do not support HTTP/1.1,
specifically the keep-alive functionality. FireWall-1 4.0 supports HTTP/1.1,
but on releases prior to SP3, you have to add the following things to
$FWDIR/conf/objects.C in the props section to make this work correctly
(Thanks to Nathan Thompson):

    :http_cvp_allow_chunked (true)
    :http_ing_allow_chunked (true)
    :http_block_java_allow_chunked (true)
    :http_allow_ranges (true)

Note that there are some known issues with MSIE and HTTP/1.1 as well as
issues with CVP and HTTP/1.1. These issues are fixed in
4.0SP5 and 4.1SP1 with the following additions to the props section in
objects.C:

     :http_force_down_to_10 (true)
     :http_sup_continue (true)
     :http_avoid_keep_alive (true)

Remember to do these changes with no management GUIs running. You will then
need to reload your security policy after making these
changes.
<snip>

My understanding of the setting "http_force_down_to_10 (true)" is that it
forces the HTTP proxy to use HTTP/1.0 instead of 1.1, implying that there is
some sort of problem with the proxy and HTTP/1.1. So perhaps it does support
1.1, but it doesn't? :)

Please feel free to correct me if I'm wrong!

Regards
Corne
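The 15-second stall in the quoted question is what you get when a proxy can only tell where a response ends by waiting for the origin to close the connection, while an HTTP/1.1 origin keeps it open for its keep-alive timeout. The Python below is an added example, not code from this post, from phoneboy's FAQ or from Check Point: it runs a constructed in-process origin over a socketpair with a 0.3 s keep-alive hold standing in for the 15 s, compares a close-delimited reader with a Content-Length-aware one, and its downgrade_request() is an assumed stand-in for what a "force down to HTTP/1.0 / avoid keep-alive" proxy setting achieves, not the product's own logic.

```python
"""Why a close-delimited proxy stalls behind an HTTP/1.1 keep-alive origin.

Added example, not from the FW-1 post or Check Point. Origin, request and the
0.3 s hold are constructed; downgrade_request() is an assumed stand-in for a
"force down to HTTP/1.0 / avoid keep-alive" proxy setting.
"""
import socket
import threading
import time

KEEPALIVE_HOLD = 0.3  # constructed; plays the role of the origin's 15 s keep-alive timeout
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # constructed
BODY = b"<html>hello</html>"
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n" + BODY
)


def fake_origin(sock, hold):
    """Toy HTTP/1.1 origin: answer one request, then keep the connection open
    for `hold` seconds unless the client asked for Connection: close."""
    request = sock.recv(65536)
    sock.sendall(RESPONSE)
    if b"connection: close" not in request.lower():
        time.sleep(hold)  # persistent connection: idle, waiting for a 2nd request
    sock.close()


def read_until_close(sock):
    """HTTP/1.0-style reader: the body ends when the peer closes the socket.
    Against a keep-alive origin this blocks for the whole idle period."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


def read_framed(sock):
    """HTTP/1.1-aware reader: return as soon as Content-Length bytes of body
    have arrived, without waiting for the origin to close."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        data = sock.recv(4096)
        if not data:
            raise ConnectionError("peer closed before end of headers")
        buf += data
    head, body = buf.split(b"\r\n\r\n", 1)
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("no Content-Length: needs chunked or close-delimited framing")
    while len(body) < length:
        data = sock.recv(4096)
        if not data:
            raise ConnectionError("peer closed mid-body")
        body += data
    return head + b"\r\n\r\n" + body[:length]


def downgrade_request(request):
    """Rewrite the client's request as HTTP/1.0 with Connection: close, so
    even a close-delimited reader returns as soon as the response is sent."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"connection:")]
    lines[0] = lines[0].replace(b"HTTP/1.1", b"HTTP/1.0")
    lines.append(b"Connection: close")
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def fetch(reader, request=REQUEST, hold=KEEPALIVE_HOLD):
    """Send one request to the toy origin over a socketpair and read the reply
    with `reader`. Returns (response_bytes, seconds_waited)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_origin, args=(server, hold), daemon=True)
    worker.start()
    client.sendall(request)
    start = time.monotonic()
    response = reader(client)
    elapsed = time.monotonic() - start
    client.close()
    worker.join()
    return response, elapsed


if __name__ == "__main__":
    for label, reader, req in [
        ("read until close, HTTP/1.1 request", read_until_close, REQUEST),
        ("Content-Length framed, HTTP/1.1 request", read_framed, REQUEST),
        ("read until close, downgraded request", read_until_close, downgrade_request(REQUEST)),
    ]:
        _, secs = fetch(reader, req)
        print(f"{label}: {secs:.2f}s")
```

The first case reproduces the stall (the reader returns only after the origin's hold expires); the second shows the fix on the proxy side (frame the response by Content-Length, or by chunked encoding, which is what the allow_chunked props in the quoted FAQ are about); the third shows the other workaround, asking the origin not to keep the connection alive at all, at the cost of a new TCP connection per request.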



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================