RE: [FW1] Trend InterScan VirusWall - CVP - HTTP/FTP
This from the Nokia support site (nothing about this that I could find at the Checkpoint support site):

FireWall-1 Error Message: FW-1 at : Failed to connect to the WWW server.

Check Point FireWall-1, Authentication Methods and Servers
for version: 4.0 SP1 And Later
last update: 11/29/2000 21:10:35

There are currently two situations where this error message has been seen:

1) When using the "Predefined servers" functionality of the HTTP Security Servers, and the error message is consistent and reproducible.

2) When browsing the internet, the error message occurs occasionally to frequently, but the destination URLs are not consistent.

Another question which has come up is whether the message can be changed to something more friendly.

SOLUTION

Problem 1

If the firewall administrator is using Predefined Servers, i.e., HTTP Servers defined on the Security Servers tab of the Policy Properties dialog box, and if this problem is consistent for particular URLs defined in that list, then the problem probably indicates an issue with the HTTP Server definition. In particular, if the final server is not listening to the port defined in the HTTP Server definition, the Security Server will return the above error message to the client.

Problem 2

This error message occurs when using Authentication or Content Security and indicates that the HTTP Security Server was unable to connect to the destination server. DNS, routing or some other problem (e.g., the destination server is down or slow) is preventing the HTTP Security Server from reaching the site in a timely fashion.

What makes the problem worse is that the HTTP Security Server is acting as a proxy server. Ordinarily a browser will retry a site if problems occur. The FireWall-1 HTTP Security Server, however, will simply time out and send an error page to the client. If a browser receives an error page from the Security Server, it will stop retrying and will not attempt to use an alternate IP address. Because popular and busy sites are most likely to experience short term problems which are alleviated by browser retries, those sites can frequently receive this error.

The workaround is to ask the users to completely reload the site, i.e., hold shift while hitting Reload. Different web browsers have different degrees of sensitivity to this problem.

Upgrading to FireWall-1 v4.0 SP5, or to FireWall-1 v4.1 SP1 (but not FireWall-1 v4.1) may somewhat alleviate the problem.

Websense is a popular UFP Server product which uses the HTTP Security Server functionality of FireWall-1. Most users who experience this problem are also using Websense. The Knowledge Base at Websense's website contains another explanation of the problem. The problem, however, is external to Websense Server.

To troubleshoot the actual problem, a network administrator would need to use a protocol analyzer or use a utility like tcpdump to figure out what is different about queries that are accepted and ones that are blocked.

There is no way to change the error message to say something else. It is hard coded into the FireWall-1 binaries and can not be changed.

Kevin

-----Original Message-----
From: Sid Van den Heede [mailto:[email protected]]
Sent: Wednesday, September 26, 2001 8:37 AM
To: Miller, Robert
Cc: FW-1 (E-mail)
Subject: Re: [FW1] Trend InterScan VirusWall - CVP - HTTP/FTP

On Tue, 25 Sep 2001, Miller, Robert wrote:

> Date: Tue, 25 Sep 2001 12:47:09 -0500
> From: "Miller, Robert" <[email protected]>
> To: "FW-1 (E-mail)" <[email protected]>
> Subject: [FW1] Trend InterScan VirusWall - CVP - HTTP/FTP
>
>
> All,
>
> I just put this server in place and created the rules. Everything seemed to
> be working great until this morning when none of the users could surf the
> web any longer.
>
> Error:
>
> "Error FW-1 at FireWall-Name: Failed to connect to the WWW server."
>
> Negated the rules, pushed the policy, and everything is back to normal.
>
> Is anyone successfully using the CVP-version of Trend's VirusWall product
> for HTTP/FTP scanning? If so, is there some secret trick to get it to work?
>
> Thanks,
>
> BM
>
>
> VirusWall version - 3.51
> Checkpoint version - 4.1 SP3 on Solaris

I saw the exact same thing just using a resource running locally on the firewall. Same CP version, no Trend etc. Looks like it's a CP problem. I was hoping that by adding a separate (CVP) scanner that it would remove some load from the firewall and avoid this problem, but this suggests it won't.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
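The tcpdump comparison suggested in the support note above, as an added example that is not part of the original thread: it sorts the firewall's outbound TCP handshakes into connected, refused (nothing listening on that port, the Problem 1 case) and no_answer (server down, slow or unroutable, one of the Problem 2 cases). It assumes the text format printed by a recent `tcpdump -nn -tt tcp`; the capture lines and the documentation-range addresses are constructed, with 192.0.2.10 standing in for the firewall.

```python
import re
from collections import OrderedDict

# Constructed sample: `tcpdump -nn -tt tcp` text output taken on the firewall's
# external interface. 192.0.2.10 stands in for the firewall (documentation IPs).
SAMPLE = """\
1001500000.000000 IP 192.0.2.10.40001 > 198.51.100.20.80: Flags [S], seq 100, win 8760, length 0
1001500000.040000 IP 198.51.100.20.80 > 192.0.2.10.40001: Flags [S.], seq 900, ack 101, win 8760, length 0
1001500001.000000 IP 192.0.2.10.40002 > 198.51.100.30.8080: Flags [S], seq 200, win 8760, length 0
1001500001.020000 IP 198.51.100.30.8080 > 192.0.2.10.40002: Flags [R.], seq 0, ack 201, win 0, length 0
1001500002.000000 IP 192.0.2.10.40003 > 203.0.113.5.80: Flags [S], seq 300, win 8760, length 0
1001500005.000000 IP 192.0.2.10.40003 > 203.0.113.5.80: Flags [S], seq 300, win 8760, length 0
1001500011.000000 IP 192.0.2.10.40003 > 203.0.113.5.80: Flags [S], seq 300, win 8760, length 0
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def classify_handshakes(capture, firewall_ip):
    """Return {(dst_ip, dst_port, src_port): info} for connections opened by firewall_ip."""
    flows = OrderedDict()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip non-TCP or unparsable lines
        ts, src, sport, dst, dport, flags = m.groups()
        ts = float(ts)
        if src == firewall_ip and flags == "S":
            # Outbound SYN (first attempt or retransmission) from the firewall
            f = flows.setdefault((dst, int(dport), int(sport)),
                                 {"syns": 0, "first_syn": ts, "result": "no_answer", "rtt": None})
            f["syns"] += 1
        elif dst == firewall_ip:
            # Reply from the destination: match it to the pending outbound attempt
            f = flows.get((src, int(sport), int(dport)))
            if f is None or f["result"] != "no_answer":
                continue
            if flags == "S.":
                f["result"], f["rtt"] = "connected", round(ts - f["first_syn"], 3)
            elif "R" in flags:
                f["result"] = "refused"
    return flows

if __name__ == "__main__":
    for (ip, port, _), f in classify_handshakes(SAMPLE, "192.0.2.10").items():
        print(f"{ip}:{port} {f['result']} syns={f['syns']} rtt={f['rtt']}")
```

A DNS failure produces no SYN at all, so a URL that fails without any matching flow in the capture points at name resolution rather than at the destination server.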