
[FW1] Re: http 1.1 errors and such
Hi all

Oh yes, I agree that checkpoint and phoneboy both have info on this issue, but the documentation that Esafe puts out is much better and more complete, for me anyway, which is why I recommended it, just my opinion of course (YMMV).  I just like pictures and color in my instructions.  <BG>  Of course don't forget the crayons and nap time, but I digress.

From what I've read from Esafe, Checkpoint and phoneboy, there are several issues that come up when you turn on the http security server, not just the http 1.1 connection error message.  There appear to be problems with pdf files.  Sometimes you get a pdf to open in a browser or download and sometimes you don't, but if you turn off the http resource then you can get the pdf no problem.  There are also some websites where you get a message that the firewall can't connect to the webserver such as: "FW-1 at firewallname: Failed to connect to the WWW server".  But these websites can be gotten to from home, so the url is up and working.  There are also some issues with ActiveX tags and malformed responses.

Here are some of the various changes that I've found that it is recommended you make to the objects.C file to take care of many of these issues plus some of the smtp ones as well.

(ceedge notes: this stuff is supposed to be added to the end of the props section.  It is a huge section.  You may want to check to make sure someone didn't do these before you started, because I don't think you want to have duplicates.)

:props (
        :smtp_encoded_content_field (true)
        :http_disable_content_enc (true)
        :http_disable_content_type (true)
        :http_use_host_h_as_dst (true)
        :http_force_down_to_10 (true)
        :http_sup_continue (true)
        :http_avoid_keep_alive (true)
        :http_max_header_length (8000)
        :http_max_url_length (8000)
        :http_cvp_allow_chunked (true)
        :http_ing_allow_chunked (true)
        :http_block_java_allow_chunked (true)
        :http_allow_ranges (true)
        :http_check_response_validity (false)
        :http_check_request_validity (false)
        :smtp_rfc821 (false)
)

I can't tell you if these will solve your problems or not, but this is what I've been given.  Since many of you who are not interested in this most likely don't want the pdf file, and since I'm not sure if this list will take attachments, I'm not going to send it to the list.  If you want it let me know privately and I'll send it to you.

This is from the CVP section of the Esafe documentation on how to edit the objects.C file.
1. Stop the firewall and close all management consoles (gui)
2. Use a text editor such as notepad to open the objects.C file. (I'd make a backup first!)
3. Search for :servers.  Then under that find each CVP server you have created an object for.  Then look under that for the :protocol_info section.  If you have one, see if you have the info listed below; if not then you need to add it.  Make sure that all the brackets are closed when you are done.  There is more to how it would look than what I wrote here.

:protocol_info (
        :http (
                : (Host)
        )
        :smtp (
                : (rcpt_to)
                : (mail_from)
        )
)

4. Then search for the string :props and add the items I listed at the beginning of this email.  I didn't retype it since I figured this email was long enough.  Don't forget to close your brackets.
5. Save the file.
6. Restart the firewall service
7. Reinstall the policy from within the Gui

This is the info I've been given.  I can't promise you it will work for you or that my instructions make sense to you.  I hope they do, but I'd suggest reading Esafe's pdf file.  You should be able to go to their public ftp site and get the instructions.
<ftp://ftp.esafe.com/pub/manuals/ESG/ESG3.x/CVP/> has a list of manuals.  The one that talks specifically about this stuff is the esg-cvp_edit_objects.C.pdf and is at <ftp://ftp.esafe.com/pub/manuals/ESG/ESG3.x/CVP/esg-cvp_edit_objectsC.pdf>.  Ignore my <>s around the urls, they are just placeholders.  If you can't get it then at least check out phoneboy or checkpoint's knowledge base.

I hope this helps someone.  If you find other info, please let me know.  Or if you find out I've done something wrong, please let me know that too.  Thanks everyone.  This is such a great group.  Now if we can only get rid of the Out of Office emails.  Maybe we should get instructions together on how to turn off Out of Office replies to the web and post it to the group.  Anyone game?

For those of you that specifically ask, I'll send you the document privately.

see ya and good luck.

cee
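Added example, not part of the original mail or of Check Point's or Esafe's tooling: a small Python checker for the ":key (value)" nesting used in objects.C. It verifies that the parentheses balance (step 3's "make sure that all the brackets are closed") and reports which of the recommended :props entries are already present or set to another value, so the edit does not create the duplicates the notes warn about. The objects.C fragment it parses is constructed, and the checker assumes the file uses only that parenthesised syntax.

```python
import re
# Settings the mail recommends under :props (a subset; values as the mail gives them).
RECOMMENDED = {"http_force_down_to_10": "true", "http_avoid_keep_alive": "true",
               "http_max_header_length": "8000", "http_check_request_validity": "false"}
# Constructed fragment (not a real objects.C): one wanted setting already present, one
# present with another value, two absent, plus a nested CVP :protocol_info block.
SAMPLE = """:props (
        :http_force_down_to_10 (true)
        :http_max_header_length (4096)
)
:protocol_info (
        :http (
                : (Host)
        )
)"""
TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse(tokens, pos, dups):
    """Parse the '(' ... ')' group at tokens[pos]; returns (node, index after the ')')."""
    pos += 1                                   # skip the opening '('
    node, words = {}, []                       # ':key (...)' entries vs bare words
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":                         # bare words collapse to a string value
            return (node if node or not words else " ".join(words)), pos + 1
        if tok.startswith(":") and pos + 1 < len(tokens) and tokens[pos + 1] == "(":
            key = tok[1:]                      # ': (Host)' gives the empty key
            if key in node:
                dups.append(key)               # the duplicate the mail warns about
            node[key], pos = parse(tokens, pos + 1, dups)
            continue
        words.append(tok)
        pos += 1
    raise ValueError("unbalanced: a '(' is never closed")

def load(text):
    """Parse a whole fragment; returns (tree, duplicated keys); raises if unbalanced."""
    tokens = ["("] + TOKEN.findall(text) + [")"]   # wrap so top-level sections nest
    dups = []
    tree, end = parse(tokens, 0, dups)
    if end != len(tokens):
        raise ValueError("unbalanced: stray ')'")
    return tree, dups
def plan_props_edit(text, wanted=RECOMMENDED):
    """Report wanted :props keys that are missing or set to another value, plus duplicates."""
    tree, dups = load(text)
    props = tree.get("props") if isinstance(tree.get("props"), dict) else {}
    return {"missing": [k for k in wanted if k not in props],
            "differs": {k: props[k] for k in wanted if k in props and props[k] != wanted[k]},
            "duplicates": dups}
```

Run `plan_props_edit(open("objects.C").read())` against a backup copy before editing; anything listed under "missing" is what still has to be appended to :props.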


And Hubbard, Dan wrote:

From phoneboy....

http://www.phoneboy.com/faq/0213.html

and

And Ronny Vaningh wrote:

This solution is well known with checkpoint and if you've got the right support contract you can get it from their
knowledgebase
 
Solution: Cannot view web page when using HTTP 1.1 connection with HTTP Security Server (10043.0.610)
Disable the option to use HTTP 1.1 connections in one of the following ways:

Method 1
1. Stop FireWall-1 (fwstop)
2. Backup the $FWDIR/conf/objects.C file
3. Enter the following lines in the $FWDIR/conf/objects.C file under the ":props" section:
   :http_force_down_to_10 (true)
   :http_avoid_keep_alive (true)
4. Start FireWall-1 (fwstart)
5. Install the policy

Sincerely
 
 
Ronny Vaningh
Security Engineer
 
UUNET

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of [email protected]
Sent: Monday 20 August 2001 11:47
To: Camille Edge
Cc: [email protected]; fw1
Subject: [FW1] Re: http 1.1 errors


Camille

Yes please - could I have the info.

I am curious as to why a 3rd party can come up with a solution but not CP ? (!) - there is an obvious answer but suffice it to say it may be worth a look through the FW Mailing list archives for unfixed CP problems......


Thanks

Tim
Camille Edge <[email protected]>
20/08/01 04:44
To: [email protected], [email protected]
cc: fw1 <[email protected]>
Subject: http 1.1 errors



Hi Tim & David

There is a fix for that.  I got it from Esafe.  You have to make
changes to the objects.C file.  I can send it to you on Monday if you
are interested.  I'm sorry that I'm a little <G> behind in my mail
here.  If you still need the info, just let me know.

cee

Message: 1
Date: Thu, 9 Aug 2001 09:58:08 +0100
From: [email protected]
Subject: RE: [FW1] Code Red: What security specialists don't mention
in warnings

My experience was that it did eat up a little extra CPU but not too bad -
BUT our main problem was with the other effects of using these rules -
namely some web sites (especially newer ones) not working properly -
workaround was to uncheck "Use HTTP 1.1" in IE.

This hasn't worked for every situation and occasionally I have to
temporarily disable the http-with-resource rules if a user is really
struggling.

Not the best situation ever - but what can you do ?!  ;-)
Tim


-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cee

Don't meddle in the affairs of dragons, for you are crunchy and
taste good with honey mustard.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
