Re: [FW1] Unknown established TCP packet
On Wed, 23 May 2001 [email protected] wrote:

>Is it possible or recommendable to increase the TCP timeout beyond
>TCP keepalive. And is TCP keepalive among the packets that will reset
>the timeout timer of the state tables? Unless I do so I will have to
>disable Checkpoints new feature.
>
>Also, there seem to be bugs in the implementation of this feature,
>at least as far as the Linux version is concerned.

Copied from CheckPoint's knowledge base:

Solution: How to increase the TCP Established connection Grace Period
(10043.0.110)

1. Close all VPN-1/FireWall-1 GUI clients.
2. Edit the $FWDIR/conf/objects.C file on the management (Use a simple
   text editor such as Notepad/Wordpad. Do not use a Word processor).
3. Under the :props section of $FWDIR/conf/objects.C, add the following
   line:

       :tcpestb_grace_period (XX)

   All non TCP SYN packets that are not part of an established connection
   in either table will be matched against the Rule Base for XX seconds
   after a Security Policy installation. See also How to edit the
   objects.C file.
4. Save the changes to the objects.C file
5. Reinstall the security policy
6. For properties that involve the security servers, VPN-1/FireWall-1
   must be restarted

I haven't implemented this yet myself. When I do XX will be 1800. I'd be
interested in any reports on whether or not this helped the unknown
established TCP packet problem.

-- 
Shane Castle
Boulder County Info Svcs
Boulder CO USA
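The edit from step 3 above, scripted so that it keeps a rollback copy and can be re-run with a new value. This is an added example, not part of the original message or of Check Point's knowledge base article. It assumes the section opens with a line reading ":props (" (optionally indented); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: the section opens with a
# line reading ":props (" (optionally indented), as in the sample in demo().

set_grace_period() {    # usage: set_grace_period FILE SECONDS
    file=$1; secs=$2
    case $secs in ''|*[!0-9]*) echo "seconds must be numeric" >&2; return 2 ;; esac
    cp -p "$file" "$file.bak" || return 1           # rollback copy first
    awk -v secs="$secs" '
        /^[ \t]*:tcpestb_grace_period[ \t]*\(/ { next }   # drop old value, so reruns are safe
        { print }
        !done && /^[ \t]*:props[ \t]*\([ \t]*$/ {
            indent = $0; sub(/:props.*/, "", indent)       # reuse the section indent
            printf "%s\t:tcpestb_grace_period (%s)\n", indent, secs
            done = 1
        }
        END { if (!done) exit 3 }                   # no :props section found
    ' "$file.bak" > "$file.new" || { rm -f "$file.new"; return 3; }
    # objects.C is nested parentheses: refuse to install an unbalanced result
    balanced "$file.new" || { rm -f "$file.new"; return 4; }
    cat "$file.new" > "$file" && rm -f "$file.new"  # keeps owner and mode of FILE
}

balanced() {            # true when FILE has as many "(" as ")"
    open=$(tr -cd '(' < "$1" | wc -c)
    close=$(tr -cd ')' < "$1" | wc -c)
    [ "$((open))" -eq "$((close))" ]
}

# Constructed sample in the assumed layout, edited in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '(\n\t:props (\n\t\t:sample_prop (1)\n\t)\n)\n' > "$dir/objects.C"
    set_grace_period "$dir/objects.C" 1800 && cat "$dir/objects.C"
    rm -rf "$dir"
}
demo
```

Steps 1 and 4 to 6 of the procedure still apply: close the GUI clients before editing and reinstall the security policy afterwards.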