Re: [FW1] Solstice Backup and Checkpoint Firewall



Jonny,
I am forwarding a document I received from support related to your issue...

There are a few workarounds; choose whichever one fits your company's
security policy:
1. Raise the TCP start timeout from 60 seconds to 3-4 minutes.
2. Force the FireWall to match Non-SYN packets which aren't of an established
connection against the rulebase.
3. Change this new FireWall-1 behavior so the connection timeout will
be raised to whatever is defined in the FireWall's Properties once
the TCP handshake is done.

I changed the TCP start timeout to 4 minutes and have been successful since.
If you choose this option, you need to edit objects.C and find tcpstarttimeout under props...
Good Luck!
Casey DeBerry
[email protected]

jonny robertson wrote:

Hi again....  :))

Has anybody on this list had any experience of trying to use Sun Solstice
Backup (version 6) with Checkpoint Firewall?
I'm trying to back up a machine from one network through the firewall and
onto another.

I'm running CPFW-1 4.1 (SP3) and am having a big problem making it work
properly....

It looks to me like Checkpoint Firewall does not understand how Solstice
intends to communicate with its clients.  When the information that builds
up the bootstrap comes back from the client, it is dropped on rule 0 with
the good old 'unknown established TCP packet'.
It's not a timeout problem as it happens regularly within 10 minutes of
starting the backup, and before the packet is dropped, I can see it open
up a port connection normally (SYN --> SYN-ACK --> ACK).

So am I right in thinking that the (partial!) statefulness of Checkpoint
Firewall is dependent on understanding the specific applications that will
be passing data through it?

any help would be much appreciated,
cheers
-jonny
Wellington,
New Zealand
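
The three workarounds listed in the reply, run against a toy model of a stateful connection table. This is an added example, not code from the thread or from Check Point. It assumes the entry keeps the TCP start timeout as its idle timer after the handshake (inferred from the wording of workaround 3); the 3600-second value, the `Policy` fields, `rulebase_allows` and the trace are all hypothetical.

```python
from dataclasses import dataclass

DROP = "drop: unknown established TCP packet"

@dataclass
class Policy:
    tcp_start_timeout: int = 60            # seconds; default named in the post
    established_timeout: int = 3600        # assumed value for the Properties timeout
    promote_after_handshake: bool = False  # workaround 3
    non_syn_to_rulebase: bool = False      # workaround 2

def rulebase_allows(conn):
    # Hypothetical rulebase: a single rule permitting the backup flow.
    return conn == ("client", "server", "backup")

def run(policy, packets):
    table, verdicts = {}, []  # table: conn -> {"expires", "idle", "state"}
    for t, conn, flags in packets:
        entry = table.get(conn)
        if entry and t > entry["expires"]:   # idle timer ran out, entry is gone
            del table[conn]
            entry = None
        if flags == "SYN":                   # new connections always hit the rulebase
            ok = rulebase_allows(conn)
            if ok:
                idle = policy.tcp_start_timeout
                table[conn] = {"expires": t + idle, "idle": idle, "state": "SYN"}
            verdicts.append("accept" if ok else "drop: rulebase")
        elif entry is None:                  # non-SYN packet with no state entry
            if policy.non_syn_to_rulebase and rulebase_allows(conn):
                idle = policy.established_timeout
                table[conn] = {"expires": t + idle, "idle": idle, "state": "EST"}
                verdicts.append("accept (rulebase)")
            else:
                verdicts.append(DROP)
        else:
            if flags == "SYN-ACK":
                entry["state"] = "SYN-ACK"
            elif flags == "ACK" and entry["state"] == "SYN-ACK":
                entry["state"] = "EST"       # handshake complete
                if policy.promote_after_handshake:
                    entry["idle"] = policy.established_timeout
            entry["expires"] = t + entry["idle"]
            verdicts.append("accept")
    return verdicts

# Constructed trace: handshake, then 150 s of silence before the first data packet.
C = ("client", "server", "backup")
TRACE = [(0, C, "SYN"), (1, C, "SYN-ACK"), (2, C, "ACK"), (152, C, "PSH-ACK")]
print(run(Policy(), TRACE))
```

Workaround 2 is the only one that accepts a packet with no handshake on record, so the rule it matches against should be as narrow as the backup flow allows.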

   All contents © 2004 Network Presence, LLC. All rights reserved.