Re: [FW-1] FW-1-MAILINGLIST Digest - 30 Oct 2001 to 31 Oct 2001 (#2001-28)



unsubscribe

-----Original Message-----
From: Automatic digest processor
[mailto:[email protected]]
Sent: Thursday, November 01, 2001 12:02 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 30 Oct 2001 to 31 Oct 2001 (#2001-28)


There are 76 messages totalling 9029 lines in this issue.

Topics of the day:

  1. Text Book ?
  2. [LOG_CRIT]
  3. SRV_REDIRECT (2)
  4. Réf. : [FW-1] [LOG_CRIT]
  5. Nokia and log manipulation (10)
  6. Mail size limit - Notify Sender on Error (2)
  7. FW GUI Display problems...
  8. Incorrect NAT translation (3)
  9. Stealth Mode (4)
 10. Servicepacks
 11. Multiple Default Routes on Nokia (3)
 12. How we fixed "FW-I/LINUX kmalloc" problem
 13. CLM and Linux (2)
 14. Automatic Saving of Log Files (6)
 15. How do you hide/stealth your firewall...ideas?
 16. How do you... (5)
 17. Firewall Errors (2)
 18. Securemote to multiple gateways defined in same management server
 19. FW: Migration Headache (Problem Solved) FW1 SP5 and W2K (2)
 20. Multiple default routes on Nokia (2)
 21. Illegal command in control.map (2)
 22. Simple SMTP Secure Server question (3)
 23. IKE negotiation problems (2)
 24. comparison between Pix and FW-1 (4)
 25. Upgrade 4.1 to NG
 26. VPN with OSPF for Failover (3)
 27. adding a static route via GUI in NT (2)
 28. Deauthorize in SecuRemote
 29. [Fwd: Re: [FW-1] CDE lock frozen on solaris]
 30. [Fwd: Re: [FW-1] comparison between Pix and FW-1]
 31. Using SAM on CP4.1
 32. Simon KWEK/EDB is out of the office.
 33. VPN
 34. A strange problem with citrix connection through CP -1 SP2
 35. NAT on PDS2100

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

----------------------------------------------------------------------

Date:    Wed, 31 Oct 2001 09:15:01 -0000
From:    "Parkin, Miles" <[email protected]>
Subject: Re: Text Book ?

The best documentation is on the CD.

M

-----Original Message-----
From: Vikash Tulsi [mailto:[email protected]]
Sent: 31 October 2001 06:22
To: [email protected]
Subject: [FW-1] Text Book ?


> Hi ! All !
>
> Can anyone recommend a checkpoint firewall text book I can purchase that
> is a good reference and a study guide for the CCSE exams.
>
> Thanks
> Vikash


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at [email protected].
**********************************************************************

------------------------------

Date:    Wed, 31 Oct 2001 09:51:01 -0000
From:    Mitchell Silver <[email protected]>
Subject: [LOG_CRIT]

Has anyone seen this type of message before?

[LOG_CRIT] kernel: ex_expire: c6f41948 (data: c6f4191c) ld_del failed to
ex_remove !

The data string seems to be different every time.

We're running FW-1 4.1 sp3 on a Nokia VPN 210 IPSO 3.3 sp2

----------------------------------------------------------------------

Mitchell Silver
Calculus Solutions Ltd
Calculus House
6 Hampstead Gate
1A Frognal
London  NW3 6AL
United Kingdom

Tel:  +44 (0) 20 7435 0070
Fax:  +44 (0) 20 7794 1199
Mob:  +44 (0) 07967 094 953

Email:[email protected]

----------------------------------------------------------------------

This email is from Calculus Solutions Limited.  The e-mail and any files
transmitted with it are confidential and intended solely for the use of the
individual or entity to whom they are addressed.  If you have received this
e-mail in error please notify [email protected]
<mailto:[email protected]> or telephone +44 (0) 20 7435 0070.

Any views expressed by an individual within this e-mail, which do not
constitute part of a legal contract, do not necessarily reflect the views of
the company.

----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------



_____________________________________________________________________
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.

------------------------------

Date:    Wed, 31 Oct 2001 10:55:51 +0100
From:    "xcc.DV-Organisation.firewall-mailinglist"
         <[email protected]>
Subject: SRV_REDIRECT

Hi,

I want to establish a transparent proxy via user defined service using the
macro SRV_REDIRECT. Unfortunately the FW says there is no such macro.

I use FW 4.1 SP2. Where is the macro SRV_REDIRECT defined?

Regards

  Markus



Markus Manck - Xcc Software AG
Bahnhofplatz 8, 76137 Karlsruhe, Germany
Tel. +49 (0) 721 / 93276-123   Fax +49 (0) 721 / 93276-76
Email [email protected]
Web http://www.xcc.de

------------------------------

Date:    Wed, 31 Oct 2001 11:30:50 +0100
From:    [email protected]
Subject: Réf. : [FW-1] [LOG_CRIT]

You can find information and a hot fix on the Nokia Support Web Site

resolution 4358 :

https://support.nokia.com/knowledge/frmResolutionView.jsp?ResolutionId=4358

Michael.




From:    Mitchell Silver <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]point.com>
         31/10/01 10:51
To:      [email protected]
cc:
Subject: [FW-1] [LOG_CRIT]
Please reply to: Mailing list for discussion of Firewall-1

Has anyone seen this type of message before?

[LOG_CRIT] kernel: ex_expire: c6f41948 (data: c6f4191c) ld_del failed to
ex_remove !

The data string seems to be different every time.

We're running FW-1 4.1 sp3 on a Nokia VPN 210 IPSO 3.3 sp2




------------------------------

Date:    Wed, 31 Oct 2001 12:33:36 +0100
From:    Nick Ellenden <[email protected]>
Subject: Re: Nokia and log manipulation

Hi,

You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also parse
and process the system logs as well.


Bestest,

nick
  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim Holman
  Sent: 30 October 2001 22:05
  To: [email protected]
  Subject: Re: [FW-1] Nokia and log manipulation


  Webtrends ?
    -----Original Message-----
    From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam Denton
    Sent: 23 October 2001 10:21
    To: [email protected]
    Subject: [FW-1] Nokia and log manipulation


    Is there any way to manipulate log file data on the Nokia Platform (IP330
running FW-1 4.1 SP4)

    Thanks

    Sam




------------------------------

Date:    Wed, 31 Oct 2001 13:32:33 +0200
From:    Firewall1 <[email protected]>
Subject: Re: Mail size limit - Notify Sender on Error

Hi Mike

Have you defined a CVP server?  Are all other notifications working
correctly?

I haven't had any problems setting this up before on NT.

-----Original Message-----
From: Michael Masters (ZA) [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 7:37 AM
To: [email protected]
Subject: [FW-1] Mail size limit - Notify Sender on Error


Hi,

Checkpoint 4.1 SP4
NT server 4; SP 6

When using a mail resource to limit mail size the sender doesn't seem to get
notified when his mail is rejected. I have ticked the "Notify Sender on
Error" tab..

Does anyone have any advice as to how I can fault find this?

thanks,
_________________________________________
Mike Masters
Dimension Data Security
Durban
Tel : +27 31 204 8426 (w)
Tel : +27 83 263 4775 (c)
E-mail : [email protected]


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************


------------------------------

Date:    Wed, 31 Oct 2001 14:02:24 +0200
From:    Mark van Gelder <[email protected]>
Subject: Re: Mail size limit - Notify Sender on Error

Hi Mike

You can try putting the following in the /etc/fw/smtp.conf file:

smtp_debug      3

This will log LOTs of info to the asmtp.eolg file, you might find something
there.

Also, you may want to ensure that you can Relay from the firewall to
whatever you are using as an Error Mail server?

Cheers
Mark


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
Michael Masters (ZA)
Sent: Wednesday, October 31, 2001 7:37 AM
To: [email protected]
Subject: [FW-1] Mail size limit - Notify Sender on Error


Hi,

Checkpoint 4.1 SP4
NT server 4; SP 6

When using a mail resource to limit mail size the sender doesn't seem to get
notified when his mail is rejected. I have ticked the "Notify Sender on
Error" tab..

Does anyone have any advice as to how I can fault find this?

thanks,
_________________________________________
Mike Masters
Dimension Data Security
Durban
Tel : +27 31 204 8426 (w)
Tel : +27 83 263 4775 (c)
E-mail : [email protected]



------------------------------

Date:    Wed, 31 Oct 2001 19:43:24 -0800
From:    Wesley Maness <[email protected]>
Subject: Re: Nokia and log manipulation

This is a multi-part message in MIME format.

------=_NextPart_000_0008_01C16244.4DB091C0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

To All:

Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can
parse large amounts of logs (fw logs) and recreate attack sequences (their
paths) etc ?

Thanks...
  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
  Sent: Wednesday, October 31, 2001 3:34 AM
  To: [email protected]
  Subject: Re: [FW-1] Nokia and log manipulation


  Hi,

  You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also parse
and process the system logs as well.


  Bestest,

  nick
    -----Original Message-----
    From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim Holman
    Sent: 30 October 2001 22:05
    To: [email protected]
    Subject: Re: [FW-1] Nokia and log manipulation


    Webtrends ?
      -----Original Message-----
      From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam Denton
      Sent: 23 October 2001 10:21
      To: [email protected]
      Subject: [FW-1] Nokia and log manipulation


      Is there anyway to manipulate log file data on the Nokia Platform
(IP330 running FW-1 4.1 SP4)

      Thanks

      Sam



    **********************************************************************
    This email and any files transmitted with it are confidential and
    intended solely for the use of the individual or entity to whom they
    are addressed. If you have received this email in error please notify
    the system manager.

    This footnote also confirms that this email message has been swept by
    Dimension Data mail system for the presence of computer viruses.

    www.uk.didata.com
    **********************************************************************


------=_NextPart_000_0008_01C16244.4DB091C0--

------------------------------

Date:    Wed, 31 Oct 2001 10:44:25 -0200
From:    Biriba's Mail <[email protected]>
Subject: Re: SRV_REDIRECT

You'll find it only after SP3...

These services are called http_mapped, ftp_mapped and smtp_mapped.

Regards,
Alessandro Pagan
CCSA - Maxxco Brasil
============================================
----- Original Message -----
From: "xcc.DV-Organisation.firewall-mailinglist"
<[email protected]>
To: <[email protected]>
Sent: Wednesday, October 31, 2001 7:55 AM
Subject: [FW-1] SRV_REDIRECT


Hi,

I want to establish a transparent proxy via user defined service using the
macro SRV_REDIRECT. Unfortunately the FW says there is no such macro.

I use FW 4.1 SP2. Where is the macro SRV_REDIRECT defined?

Regards

  Markus



Markus Manck - Xcc Software AG
Bahnhofplatz 8, 76137 Karlsruhe, Germany
Tel. +49 (0) 721 / 93276-123   Fax +49 (0) 721 / 93276-76
Email [email protected]
Web http://www.xcc.de


------------------------------

Date:    Wed, 31 Oct 2001 08:06:32 -0500
From:    Will Schwartz <[email protected]>
Subject: Re: FW GUI Display problems...

I got a good tip off-list (thanks Lenny) that I'm using as a temporary
"solution". Since I am running Windows 2k Server on my desktop... I make a
terminal server connection from my machine back to my own machine and run
the Policy Manager from there - it works correctly so far. Maybe that's an
option for some people.

If I find more information I'll be sure to post it here.
Will



-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Tuesday, October 30, 2001 1:13 PM
To: 'Will Schwartz'
Subject: RE: [FW-1] FW GUI Display problems...


We have this as well.  GUI build number, operating system (NT or 2000),
video adapter/resolution do not affect the problem.  We've only seen it when
working with large rule sets, and yes, it is somewhat intermittent.  The
only known fix is to try, try again :(
Please do let me know if you find an answer for this.
Feeling your pain,
Dan Hitchcock
-----Original Message-----
From: Will Schwartz [mailto:[email protected]]
Sent: Tuesday, October 30, 2001 8:20 AM
To: [email protected]
Subject: [FW-1] FW GUI Display problems...


OK. Trying to find a way to describe this problem. Running the Policy Editor
(build 41862) on a Win2k machine I run into a problem where at a certain
rule # the display goes "wacky" on me. The screen overwrites itself with the
image that was there before. Like when an application gets hung up and you
get images of other windows over top of that window. Further down in the
rules it displays 1 rule correctly again and then the rest of the rules get
obliterated like I described above.
Now, sometimes it works great... I don't know what sets it off to stop
working.
Running the Policy editor from another machine works just great. I see all
the rules just fine. I know it's a graphics problem, and it only happens on
some machines. I've tried switching display resolutions and changing the
size of the window and such things, but I cannot get it to work.
Any suggestions? I've searched Checkpoint's site, no luck, I've talked to my
Firewall support people, They say "huh?".
I don't want to have to run to another machine to push policies... =)
Thanks much
will

------------------------------

Date:    Wed, 31 Oct 2001 13:45:51 +0000
From:    Rory Stewart <[email protected]>
Subject: Incorrect NAT translation

Has anyone heard of a problem with NAT translation resolving the http
address as the internal ip address rather than the external ip address?

We are setting up an http accelerator behind our Nokia 440 firewall where
the box must be "seen" from the outside.
I have configured address translation manually from the internal to external
and back.
Created both internal and external ip's as workstations. (Tried putting
external ip into NAT tab of internal but made no difference).
Entered "any external any accept" and "internal any any accept" on the
security policy tab.
Finally, went on to voyager and created static route to internal ip address
range and put a proxy arp of the external ip address on the external
firewall interface ( where they are both in the same ip range ).

We know our accelerator sees our pings but does not reply. We have our
laptop gui in front of the firewall and behind our ext router, and from there
we can enter our accelerator happily using internal ip address but not
external.
From outside the network, the http string automatically changes from
external to internal then times out again the accelerator sees these http
requests but does not reply.

We are so close to cracking it (or ourselves!).
Please, does anyone know what the missing piece of the jigsaw is?



regards,

Rory Stewart
Systems Engineer

[email protected]

------------------------------

Date:    Wed, 31 Oct 2001 13:52:55 -0000
From:    Sam Denton <[email protected]>
Subject: Re: Incorrect NAT translation

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C16213.57361F70
Content-Type: text/plain;
        charset="iso-8859-1"

Hmm... try letting FW-1 auto configure the NAT.

-----Original Message-----
From: Rory Stewart [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 1:46 PM
To: [email protected]
Subject: [FW-1] Incorrect NAT translation


Has anyone heard of a problem with NAT translation resolving the http
address as the internal ip address rather than the external ip address?

We are setting up an http accelerator behind our Nokia 440 firewall where
the box must be "seen" from the outside.
I have configured address translation manually from the internal to external
and back.
Created both internal and external ip's as workstations. (Tried putting
external ip into NAT tab of internal but made no difference).
Entered "any external any accept" and "internal any any accept" on the
security policy tab.
Finally, went on to voyager and created static route to internal ip address
range and put a proxy arp of the external ip address on the external
firewall interface ( where they are both in the same ip range ).

We know our accelerator sees our pings but does not reply. We have our
laptop gui in front of the firewall and behind our ext router, and from there
we can enter our accelerator happily using internal ip address but not
external.
From outside the network, the http string automatically changes from
external to internal then times out again the accelerator sees these http
requests but does not reply.

We are so close to cracking it (or ourselves!).
Please, does anyone know what the missing piece of the jigsaw is?



regards,

Rory Stewart
Systems Engineer

[email protected]


------_=_NextPart_001_01C16213.57361F70--

------------------------------

Date:    Wed, 31 Oct 2001 08:46:20 -0500
From:    Yves Belle-Isle <[email protected]>
Subject: Re: Stealth Mode

I suppose you mean bridging mode so you don't have to reconfigure any
equipment to install it in your network. If so the answer is a definitive
NO for FW-1 2000, I don't think it will be supported on NG too. It's
a product limitation not an O/S or hardware one because Computer Associate
eTrust firewall can do it even on Windows NT 4.0.

If you mean that it doesn't respond to any unwanted request so outsiders
don't know it exists it's in theory a possibility by setting correctly
your rules but in practice it's very hard to not link some hint of
its presence, if you use Security Server it's even difficult not to
have it advise it is a CheckPoint FW-1 firewall...

At 11:58 2001-10-31 +0530, Venkatesh Kulkarni wrote:
>Hi All,
>
>Can Checkpoint firewall be configured in Stealth mode? If yes, how do we do
>it? I need more details on that. If not, are there any other firewalls
>which work in Stealth mode?
>
>Thanx in advance
>
>Venkatesh
>


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------

------------------------------

Date:    Wed, 31 Oct 2001 15:25:30 +0100
From:    Nick Ellenden <[email protected]>
Subject: Re: Nokia and log manipulation

This is a multi-part message in MIME format.

------=_NextPart_000_0004_01C16220.46876B40
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Hi,

I don't work for OpenService (which is OPSEC compliant), but to toot their
horn a little, you can configure the filter rules in OpenService to parse
the data as you wish; this could then be used to re-create such paths,
although most reasonable attackers will spoof or otherwise obscure their
own trail. You might also want to check out e-Security Inc products, they
may have evolved a processing approach as well now.


Bestest,

nick
  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wesley
Maness
  Sent: 01 November 2001 04:43
  To: [email protected]
  Subject: Re: [FW-1] Nokia and log manipulation


  To All:

  Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can
  parse large amounts of logs (fw logs) and recreate attack sequences (their
paths) etc ?

  Thanks...
    -----Original Message-----
    From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
    Sent: Wednesday, October 31, 2001 3:34 AM
    To: [email protected]
    Subject: Re: [FW-1] Nokia and log manipulation


    Hi,

    You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also parse
and process the system logs as well.


    Bestest,

    nick
      -----Original Message-----
      From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim Holman
      Sent: 30 October 2001 22:05
      To: [email protected]
      Subject: Re: [FW-1] Nokia and log manipulation


      Webtrends ?
        -----Original Message-----
        From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam Denton
        Sent: 23 October 2001 10:21
        To: [email protected]
        Subject: [FW-1] Nokia and log manipulation


        Is there anyway to manipulate log file data on the Nokia Platform
(IP330 running FW-1 4.1 SP4)

        Thanks

        Sam





------=_NextPart_000_0004_01C16220.46876B40--
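
[Added example, not part of the thread and not code from OpenService, e-Security or Check Point: one way to do the log correlation discussed above, grouping exported firewall records per source and ordering them in time to show a probe-then-connect sequence. The semicolon-delimited layout, the column names and the sample records are assumptions constructed for illustration.]

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample records. The semicolon-delimited layout with a header
# row and these column names are assumptions, not a documented export format.
SAMPLE_LOG = """\
num;date;time;action;proto;src;dst;service
1;31Oct2001;10:00:01;drop;tcp;192.0.2.10;198.51.100.5;21
2;31Oct2001;10:00:02;drop;tcp;192.0.2.10;198.51.100.5;23
3;31Oct2001;10:00:02;accept;tcp;203.0.113.7;198.51.100.5;80
4;31Oct2001;10:00:03;drop;tcp;192.0.2.10;198.51.100.5;111
5;31Oct2001;10:00:05;accept;tcp;192.0.2.10;198.51.100.5;25
6;31Oct2001;10:00:09;accept;tcp;192.0.2.10;198.51.100.6;25
7;31Oct2001;11:30:00;accept;tcp;203.0.113.7;198.51.100.5;80
"""


def parse_records(text):
    """Turn the delimited export into dicts carrying a real timestamp."""
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        row["ts"] = datetime.strptime(
            row["date"] + " " + row["time"], "%d%b%Y %H:%M:%S")
        records.append(row)
    return records


def sessions_by_source(records, max_gap_seconds=300):
    """Group records per source address, in time order, and split each
    source's activity into sessions wherever it goes quiet for too long.

    Grouping by src trusts the logged address; as the reply above points
    out, that address can be spoofed, so treat the result as a lead.
    """
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)

    sessions = {}
    for src, recs in by_src.items():
        runs = [[recs[0]]]
        for prev, cur in zip(recs, recs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() > max_gap_seconds:
                runs.append([])
            runs[-1].append(cur)
        sessions[src] = runs
    return sessions


def probe_then_accept(session, min_drops=3):
    """Return (probed, accepted) if the session shows at least min_drops
    distinct dropped (dst, service) targets followed by accepted
    connections, otherwise None."""
    probed, accepted = [], []
    for rec in session:
        target = (rec["dst"], rec["service"])
        if rec["action"] == "drop":
            if not accepted and target not in probed:
                probed.append(target)
        elif rec["action"] == "accept" and len(probed) >= min_drops:
            accepted.append(target)
    return (probed, accepted) if accepted else None


def reconstruct(text, min_drops=3):
    """Parse the export and list every session that matches the pattern."""
    findings = []
    for src, runs in sessions_by_source(parse_records(text)).items():
        for run in runs:
            hit = probe_then_accept(run, min_drops)
            if hit:
                findings.append({"src": src, "start": run[0]["ts"],
                                 "probed": hit[0], "accepted": hit[1]})
    return findings


if __name__ == "__main__":
    for f in reconstruct(SAMPLE_LOG):
        print(f["src"], "from", f["start"])
        print("  dropped probes :", f["probed"])
        print("  then accepted  :", f["accepted"])
```
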

------------------------------

Date:    Wed, 31 Oct 2001 16:05:54 +0100
From:    Nick Ellenden <[email protected]>
Subject: Re: Stealth Mode

Hi,

The Lucent Managed Firewall's default installation mode makes it Stealthy,
it doesn't even have an IP address.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Yves
Belle-Isle
Sent: 31 October 2001 14:46
To: [email protected]
Subject: Re: [FW-1] Stealth Mode


I suppose you mean bridging mode so you don't have to reconfigure any
equipment to install it in your network. If so the answer is a definitive
NO for FW-1 2000, I don't think it will be supported on NG too. It's
a product limitation not an O/S or hardware one because Computer Associates
eTrust firewall can do it even on Windows NT 4.0.

If you mean that it doesn't respond to any unwanted request so outsiders
don't know it exists, it's in theory a possibility by setting correctly
your rules but in practice it's very hard to not link some hint of
its presence, if you use Security Server it's even difficult not to
have it advise it is a CheckPoint FW-1 firewall...

At 11:58 2001-10-31 +0530, Venkatesh Kulkarni wrote:
>Hi All,
>
>Can Checkpoint firewall be configured in Stealth mode? If yes, how do we do
>it? I need more details on that. If not, are there any other firewalls
>which work in Stealth mode?
>
>Thanx in advance
>
>Venkatesh
>


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------

------------------------------

Date:    Wed, 31 Oct 2001 16:08:05 +0100
From:    "xcc.DV-Organisation.firewall-mailinglist"
         <[email protected]>
Subject: Servicepacks

Hi,

does a checkpoint servicepack contain previous servicepacks or is it
necessary to install all servicepacks in their chronological order?

regards

  markus

------------------------------

Date:    Wed, 31 Oct 2001 10:03:36 -0500
From:    Chris Arnold <[email protected]>
Subject: Re: Stealth Mode

What do you mean by "stealth mode?"  Do you want your FW to look like a
bridge and be transparent to everyone?  You can do this with a rule set
limiting access to the FW.  What _exactly_ do you want to accomplish?

Chris

-----Original Message-----
From: Venkatesh Kulkarni [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 1:28 AM
To: [email protected]
Subject: [FW-1] Stealth Mode


Hi All,

Can Checkpoint firewall be configured in Stealth mode? If yes, how do we do
it? I need more details on that. If not, are there any other firewalls
which work in Stealth mode?

Thanx in advance

Venkatesh



------------------------------

Date:    Wed, 31 Oct 2001 07:22:09 -0800
From:    Bill Husler <[email protected]>
Subject: Multiple Default Routes on Nokia

We have a Nokia (110) and two upstream routers in parallel and would
like the firewall to use both paths. I added both routers' IP addresses
in the static routes panel in voyager for default and gave them both the
same priority (the help panel says this will consider them equivalent),
but when I set up a station before the firewall and continuously ping a
station beyond the routers, it appears to only utilize the second entry.
If I unplug its ethernet cable, the other route comes alive, but if I
plug it back in, all the traffic reverts to the second route again. Is
there any way to set it up to use both?
Bill

------------------------------

Date:    Wed, 31 Oct 2001 10:38:40 -0500
From:    Rocky Stefano <[email protected]>
Subject: Re: Stealth Mode

That's because it was designed as a layer 2 firewall and cannot do any
routing.



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
Sent: Wednesday, October 31, 2001 10:06 AM
To: [email protected]
Subject: Re: [FW-1] Stealth Mode


Hi,

The Lucent Managed Firewall's default installation mode makes it Stealthy,
it doesn't even have an IP address.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Yves
Belle-Isle
Sent: 31 October 2001 14:46
To: [email protected]
Subject: Re: [FW-1] Stealth Mode


I suppose you mean bridging mode so you don't have to reconfigure any
equipment to install it in your network. If so the answer is a definitive
NO for FW-1 2000, I don't think it will be supported on NG too. It's
a product limitation not an O/S or hardware one because Computer Associates
eTrust firewall can do it even on Windows NT 4.0.

If you mean that it doesn't respond to any unwanted request so outsiders
don't know it exists, it's in theory a possibility by setting correctly
your rules but in practice it's very hard to not link some hint of
its presence, if you use Security Server it's even difficult not to
have it advise it is a CheckPoint FW-1 firewall...

At 11:58 2001-10-31 +0530, Venkatesh Kulkarni wrote:
>Hi All,
>
>Can Checkpoint firewall be configured in Stealth mode? If yes, how do we do
>it? I need more details on that. If not, are there any other firewalls
>which work in Stealth mode?
>
>Thanx in advance
>
>Venkatesh
>


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------

------------------------------

Date:    Wed, 31 Oct 2001 18:23:24 +0200
From:    "Karasik, Vitaly" <[email protected]>
Subject: How we fixed "FW-I/LINUX kmalloc" problem

We've tried to replace our NOKIA FW-I box with LINUX one [FW-I v4.1 SP4 +
RedHat 6.2  2.2.19 kernel].

Installation was pretty straightforward, but every time we tried to
install policy from our management station we got a few messages in
/var/log/messages:

/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (786540) too large
/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (786636) too large
/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (789660) too large

Our policy contains about 90 rules & 400 objects with a few VPNs.

A short search with Google pointed us to a few letters with the same
problem, but didn't help to solve the problem.
(for instance, "[FW1] Strange things in RH62 + Fw1-41-Sp2( kmalloc: Size
(275548) too large )" thread on
https://www.firewall-1.org/2001-01/maillist.html)

According to skl1314 from Check Point SecureKnowledge, "solution is
currently not available. Issue under investigation".

But this search helped me to understand what exactly the problem is:
FW-1 calls the "kmalloc" function in order to get a block of memory. But Linux's
kmalloc [kernels 2.2.x & 2.4.x] can allocate memory only in blocks of 2K, 4K,
... 128K.
And FW-1 in our case wants to get ~800 K memory.

The solution:

I fixed slab.c in order to increase kmalloc limit from 128K to 1280K.
Diff from orig slab.c  for kernel 2.2.19  is below:

298c298
< #define       SLAB_OBJ_MAX_ORDER      8       /* 32 pages */
---
> #define       SLAB_OBJ_MAX_ORDER      5       /* 32 pages */
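Review bot: the `<` side of 298c298 carries the raised value (8) and the `>` side the stock value (5), so this diff runs from the modified slab.c to the original, the reverse of the usual original-to-modified order. Regenerate it with the original file first, or say explicitly that it has to be applied in reverse, so nobody ends up lowering the limit back to 5.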
301c301
< #define       SLAB_MAX_GFP_ORDER      8       /* 32 pages */
---
> #define       SLAB_MAX_GFP_ORDER      5       /* 32 pages */
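Review bot: the comment on the changed `SLAB_MAX_GFP_ORDER` line (and on `SLAB_OBJ_MAX_ORDER` at 298) still reads `/* 32 pages */` beside the value 8. An order of 8 is 2^8 = 256 pages, so both comments should be updated; as written, a reader skimming the file would take the limit to be unchanged.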
345,347d344
<       {262144,        NULL},
<       {524288,        NULL},
<       {1048576,       NULL},
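Review bot: the three table entries added at 345-347 stop at 1048576 bytes, so the ceiling after this change is 1 MB per allocation. The requests in the quoted log lines (up to 789660 bytes) fit, but a larger policy asking for more than 1048576 bytes would produce the same "too large" message; a short comment next to the table stating that limit would help, and each entry needs its matching name in the list changed at 370-374.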
370,374c367
<       "size-131072",
<       "size-262144",
<       "size-524288",
<       "size-1048576"
<
---
>       "size-131072"
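Review bot: line 374 on the `<` side is an empty line that exists only in the modified file, an unrelated whitespace change; drop it so this hunk contains only the three added cache names. The names also have to stay in the same order as the size entries added at 345-347, which they do here.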


After compiling & installing new kernel we're able to install fw policy
without any problem.

P.S.: our current problem is "ISAKMP AddNegotiation: try to handle too many
negotiations" in /var/log/messages.
According to Resolution 2093  from Nokia Support  Knowledge Base  it's
pretty old [FW-1 v4.0] problem - the fw-1 table for ISAKMP connections
limited by 100 entries.
We haven't found solution till now... :-(


Regards,
Vitaly Karasik
Unix System Administrator
NDS Israel
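The size-class arithmetic behind the "too large" messages in the post above, as an added example (not code from the post or from the kernel). It assumes 4 KB pages and power-of-two general caches starting at 32 bytes, with the largest cache equal to the page size shifted by the maximum order, which matches the 5 / "size-131072" pairing in the diff; all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions (not from the post): i386 with 4 KB pages, and general
 * caches that are powers of two starting at 32 bytes. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_MIN_CACHE 32UL

/* Log lines quoted in the post (re-joined), the size named in the subject
 * of the older thread it cites, and one constructed non-matching line. */
static const char *const SAMPLE_LINES[] = {
    "/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (786540) too large",
    "/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (786636) too large",
    "/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (789660) too large",
    "kmalloc: Size (275548) too large",
    "Oct  5 14:29:43 fw kernel: unrelated line (constructed)",
};
#define SAMPLE_COUNT (sizeof(SAMPLE_LINES) / sizeof(SAMPLE_LINES[0]))

/* Extract N from "... kmalloc: Size (N) too large"; 0 when the line does
 * not carry that message. */
unsigned long parse_kmalloc_size(const char *line)
{
    static const char marker[] = "kmalloc: Size (";
    const char *p = strstr(line, marker);
    char *end;
    unsigned long n;

    if (p == NULL)
        return 0;
    p += sizeof(marker) - 1;
    n = strtoul(p, &end, 10);
    if (end == p || *end != ')')
        return 0;
    return n;
}

/* Smallest power-of-two cache that can hold `size` bytes; 0 on overflow
 * or for a zero-byte request. */
unsigned long general_cache_size(unsigned long size)
{
    unsigned long c = MODEL_MIN_CACHE;

    if (size == 0)
        return 0;
    while (c < size) {
        if (c > (~0UL >> 1))
            return 0;
        c <<= 1;
    }
    return c;
}

/* Page order of the contiguous block behind one object of that cache:
 * the smallest order with (pages << order) >= cache size. */
int order_for_cache(unsigned long cache)
{
    unsigned long pages;
    int order = 0;

    if (cache == 0)
        return -1;
    pages = (cache + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    while ((1UL << order) < pages)
        order++;
    return order;
}

/* 1 if a request of `size` bytes fits under the given maximum order. */
int fits_limit(unsigned long size, unsigned int max_order)
{
    unsigned long cache = general_cache_size(size);

    return cache != 0 && cache <= (MODEL_PAGE_SIZE << max_order);
}

/* Lowest maximum order that satisfies every request found in the lines;
 * -1 when no line carries a kmalloc size. */
int required_order(const char *const *lines, size_t n)
{
    int worst = -1;
    size_t i;

    for (i = 0; i < n; i++) {
        unsigned long size = parse_kmalloc_size(lines[i]);
        int order;

        if (size == 0)
            continue;
        order = order_for_cache(general_cache_size(size));
        if (order > worst)
            worst = order;
    }
    return worst;
}

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++) {
        unsigned long size = parse_kmalloc_size(SAMPLE_LINES[i]);

        if (size == 0)
            continue;
        printf("%lu bytes -> cache %lu, order %d, fits order 5: %s, order 8: %s\n",
               size, general_cache_size(size),
               order_for_cache(general_cache_size(size)),
               fits_limit(size, 5) ? "yes" : "no",
               fits_limit(size, 8) ? "yes" : "no");
    }
    printf("minimum order for these requests: %d\n",
           required_order(SAMPLE_LINES, SAMPLE_COUNT));
    return 0;
}
```

kmalloc memory is physically contiguous, so each of these requests needs 256 adjacent free pages at order 8; on a long-running, fragmented system that is harder to satisfy than the stock 32-page maximum.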

------------------------------

Date:    Thu, 1 Nov 2001 00:51:23 +0800
From:    "Ghosh, Debashis (CORP, CIM)" <[email protected]>
Subject: Re: Nokia and log manipulation

Personally I would stick with Webtrends to analyse the firewall logs. If you
are looking to detect attack sequences however, there is no easy way...you
need an IDS....you can try a freeware like SNORT which has amazing
capabilities.

-----Original Message-----
From: Nick Ellenden [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 10:26 PM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

I don't work for OpenService (which is OPSEC compliant), but to toot their
horn a little, you can configure the filter rules in OpenService to parse
the data as you wish this could then be used to re-create such paths,
although most reasonable attackers will spoof or otherwise obscurant their
own trail. You might also want to check out e-Security Inc products, they
may have evolved a processing approach as well now.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wesley
Maness
Sent: 01 November 2001 04:43
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


To All:

Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can
parse large amounts of logs (fw logs) and recreate attack sequences (their
paths) etc ?

Thanks...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
Sent: Wednesday, October 31, 2001 3:34 AM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also parse
and process the system logs as well.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim Holman
Sent: 30 October 2001 22:05
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Webtrends ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam Denton
Sent: 23 October 2001 10:21
To: [email protected]
Subject: [FW-1] Nokia and log manipulation



Is there anyway to manipulate log file data on the Nokia Platform (IP330
running FW-1 4.1 SP4)

Thanks

Sam




------------------------------

Date:    Thu, 1 Nov 2001 00:59:01 +0800
From:    "Ghosh, Debashis (CORP, CIM)" <[email protected]>
Subject: CLM and Linux

I am trying to run a Checkpoint Centralised Log Module (CLM) on a Red Hat
Linux 7.0 box. All my 20 Firewalls log to this server. Previously this box
was running NT.....we recently migrated this to a Linux box....now we face a
strange issue....every time we reboot the server it goes off the network. I
then need to do  a fw ctl uninstall and fw ctl install .....then it comes
back on the network. I have tried with a different box and we face the same
issue. Has anybody faced a similar problem with CLM on Linux??


------------------------------

Date:    Wed, 31 Oct 2001 12:01:08 -0500
From:    "Wesley C. Maness" <[email protected]>
Subject: Re: Nokia and log manipulation

I have used Snort via Razorback.  And it does not correlate the data that
would be needed for attack patterns.  Something that has a capability to
recreate attack patterns to determine what was compromised.. Snort doesn't do
this yet, unless I can configure it to do that for me.  I checked out
E-Security as well.. nope they don't have this full-feature either.

I'll take a look at WebTrends...

Thanks for your hint...!!!

Mailing list for discussion of Firewall-1
<[email protected]> wrote:
>
> Personally I would stick with Webtrends to analyse the firewall logs. If
> you are looking to detect attack sequences however, there is no easy
> way...you need an IDS....you can try a freeware like SNORT which has
> amazing capabilities.
>
> -----Original Message-----
> From: Nick Ellenden [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 10:26 PM
> To: [email protected]
> Subject: Re: [FW-1] Nokia and log manipulation
>
> Hi,
>
> I don't work for OpenService (which is OPSEC compliant), but to toot their
> horn a little, you can configure the filter rules in OpenService to parse
> the data as you wish this could then be used to re-create such paths,
> although most reasonable attackers will spoof or otherwise obscurant their
> own trail. You might also want to check out e-Security Inc products, they
> may have evolved a processing approach as well now.
>
> Bestest,
>
> nick
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Wesley Maness
> Sent: 01 November 2001 04:43
> To: [email protected]
> Subject: Re: [FW-1] Nokia and log manipulation
>
> To All:
>
> Can anyone suggest a product (working in cahoots with FW-1 and others,
> either via OPSEC or other means) that can
> parse large amounts of logs (fw logs) and recreate attack sequences (their
> paths) etc ?
>
> Thanks...
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Nick Ellenden
> Sent: Wednesday, October 31, 2001 3:34 AM
> To: [email protected]
> Subject: Re: [FW-1] Nokia and log manipulation
>
> Hi,
>
> You might want to check out OpenService, they also make an agent server
> system which also works on Solaris and Windows for FW1, it can also parse
> and process the system logs as well.
>
> Bestest,
>
> nick
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Tim Holman
> Sent: 30 October 2001 22:05
> To: [email protected]
> Subject: Re: [FW-1] Nokia and log manipulation
>
> Webtrends ?
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Sam Denton
> Sent: 23 October 2001 10:21
> To: [email protected]
> Subject: [FW-1] Nokia and log manipulation
>
> Is there anyway to manipulate log file data on the Nokia Platform (IP330
> running FW-1 4.1 SP4)
>
> Thanks
>
> Sam

------------------------------

Date:    Wed, 31 Oct 2001 17:04:31 -0000
From:    Sam Denton <[email protected]>
Subject: Automatic Saving of Log Files

Is there any way to automatically save the log files, say once a day?

at the moment I go to the logging module and then click file -----> save.

I have to do this daily. I would like to do this manually.

Thanks in advance

Sam


------------------------------

Date:    Wed, 31 Oct 2001 11:43:27 -0500
From:    "Carl E. Mankinen" <[email protected]>
Subject: How do you hide/stealth your firewall...ideas?

I know other people have asked about this, but I have never seen a
solution that I liked. Traditionally,

1) You can just put in the venerable STEALTH rule and drop all ICMP
traffic or otherwise that is directed at the firewall's interface. Thus,
in traceroutes people will see a hop that is non-responsive. This means
blackhats will know what is there, and others will just think something
is broken.

2) You could allow the firewall to send ICMP responses, but of course
this would let everyone see your firewall and probably fingerprint the
O/S if they are good enough. This is not really an option...IMHO

3) It would be nice if Firewall-1 could pass ICMP traffic without
decrementing the TTL, however I have yet to see a published method of
doing this. Perhaps some inspect code could do this? (perhaps I should
spend some time researching there...)

Anyway, until someone can tell me how to accomplish #3, I have an idea
that I haven't tried yet but I think it would probably work pretty well.
(I apologize if anyone else has already posted this idea) Basically, it
involves putting one of those old 25xx routers into service but without
it actually routing anything. You could also put an old version of IOS
on it, and probably leave all the nasty stuff running like finger
service etc, to make it look like a router everyone is familiar with. Address
the eth0 interface on the 25xx router to be on same subnet as the hosts
reachable via your firewall.

Next step is to configure your firewall to actually respond to ICMP
requests, send ttl-expired, unreachables, etc etc...
Src, Dest, Svc, Action
Firewall, any, ICMP_Evil, Accept

However, in your NAT tab put a rule in place to change the source
address of the ICMP packets to that of the 25xx router.

Orig Src, Orig Dest, Orig Svc, Xlate Src, Xlate Dest, Xlate Svc
Firewall, ANY, ANY, 25xx_router, original, original

So in this fashion, when a TTL expiration is sent, it comes from the
source address of the 25xx router. Probably good idea to put the address
in dns too, with something like "rtr-2514-2" etc etc. If a blackhat
decides to probe that address, he will see a real router with all the
trimmings. In addition, you could have this router monitored by NIDS and
tell it to ignore ICMP, however the signatures for router/firewall or
other type attacks tuned up.

There are other various implementation details that I won't go into. I
thought about drawing a text-based diagram but those never seem to look
like anything but gibberish...

------------------------------

Date:    Wed, 31 Oct 2001 17:00:30 -0000
From:    Paul Daley <[email protected]>
Subject: How do you...

... set a rule to log everything other than accepts? (or alternatively, to
log just drops and rejects)

I'm using v4.1 SP5...


Thanks,

Paul.

------------------------------

Date:    Wed, 31 Oct 2001 17:14:17 -0000
From:    Rodrigo Borges <[email protected]>
Subject: Re: Multiple Default Routes on Nokia

The only way to do that is to configure half of the stations with a default
gateway to the first router and the other half with a default router to the
second router.

Rodrigo

-----Original Message-----
From: Bill Husler [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 3:22 PM
To: [email protected]
Subject: [FW-1] Multiple Default Routes on Nokia


We have a Nokia (110) and two upstream routers in parallel and would
like the firewall to use both paths. I added both routers' IP addresses
in the static routes panel in voyager for default and gave them both the
same priority (the help panel says this will consider them equivalent),
but when I set up a station before the firewall and continuously ping a
station beyond the routers, it appears to only utilize the second entry.
If I unplug its ethernet cable, the other route comes alive, but if I
plug it back in, all the traffic reverts to the second route again. Is
there any way to set it up to use both?
Bill

------------------------------

Date:    Wed, 31 Oct 2001 12:29:11 -0500
From:    "Martin, Jeffrey" <[email protected]>
Subject: Re: Firewall Errors

According to the Release Notes, Service Pack 5 for FW-1 4.1 fully fixes this
problem

-----Original Message-----
From: Tim Holman [mailto:[email protected]]
Sent: Tuesday, October 30, 2001 5:05 PM
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


Win 2K doesn't support proxy arp properly, hence static NAT won't work,
regardless of the firewall you use.
This is as of Win 2K SP1 - dunno if they've fixed it yet ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wade
Sellers
Sent: 24 October 2001 00:05
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


Do you use Static NAT with your Win2K setup?  I have been having a very
hard time getting this to work correctly. Any ideas would be appreciated.

Wade Sellers


Christopher Ferraro <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
10/23/2001 01:01 PM
Please respond to Mailing list for discussion of Firewall-1

        To:     [email protected]
        cc:
        Subject:        Re: [FW-1] Firewall Errors

I've been running CP2K, SP3 on Win2K with no problems.  The key is to use
the wrapper install for CP2K, then grab the full SP3 download from
checkpoint's site.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 23, 2001 1:26 PM
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


I recently completed the Check Point 2000 VPN1\Firewall-1 Management 1 and 2
training and our instructor advised us to stay away from Windows 2000 for
running FW 4.1. He felt that NG would most likely be more stable on
Windows 2000. That's not to say it won't work, it was just his advice. He
seemed to have lots of experience in the field so I took him at his word.

Tim


"Rodriguez, Laz" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
10/23/2001 10:37 AM
Please respond to Mailing list for discussion of Firewall-1

        To:     [email protected]
        cc:
        Subject:        [FW-1] Firewall Errors

Help, I was wondering if anyone out there has had the same issues as me.

After we migrated from NT4.0 fw 4.1 to Windows 2000 server fw 4.1 on our
firewall, the following error is coming out on the event viewer every
second.

I have applied service pack 3 and 4 and the error keeps coming.

FW1: ndis_allocate_packet: Cannot allocate new packets

Can anyone give me a few pointers as to where to look!

Thanks

Laz


The contents of this email may be confidential.  If you are not the intended
recipient of this email, any access to, disclosure, copying, or distribution
of this information, is prohibited and may be unlawful.  If you receive this
email in error, please reply to the sender immediately to advise him/her of
the error, and then delete this email and any attachments.

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
Dimension Data mail system for the presence of computer viruses.

www.uk.didata.com
**********************************************************************

------------------------------

Date:    Wed, 31 Oct 2001 17:48:39 +0000
From:    Mark van Kerkwyk <[email protected]>
Subject: Securemote to multiple gateways defined in same management server

Hi, I have a separate management server (Provider-1 CMA actually) and four
gateways defined within it.
I want to force SecuRemote for all traffic which passes TO each of these
gateways (for admin access etc).

I started off by creating a different encryption domain for each gateway;
while it works for one, every other site added to SR fails due to overlaps.
I am downloading the topology from each gateway as I have no management
module object anyway.

When I look at the userc.c, even when one site is added, the complete
topologies of all gateways are added also, thus causing any subsequent
topology download from another gateway to fail, as they all overlap.

How is this done normally, say for example when you have 10 secureservers
and want to run SR to each of them? Does it matter whether I have a gateway
license rather than a secureserver license?

Any ideas ?

Mark

------------------------------

Date:    Wed, 31 Oct 2001 17:46:19 -0000
From:    Rodrigo Borges <[email protected]>
Subject: Re: Automatic Saving of Log Files

You can add a cron job doing a logswitch every day. The command is "fw
logswitch". Check the fw man page.

Rodrigo

-----Original Message-----
From: Sam Denton [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 5:05 PM
To: [email protected]
Subject: [FW-1] Automatic Saving of Log Files


Is there any way to automatically save the log files, say once a day?

at the moment I go to the logging module and then click file -----> save.

I have to do this daily. I would like to do this manually.

Thanks in advance

Sam


------------------------------

Date:    Wed, 31 Oct 2001 12:54:34 -0500
From:    Bob Webber/Markham/Contr/AT&T/IJV <[email protected]>
Subject: Re: Automatic Saving of Log Files

Hi:

There are a couple of options here. You can switch the logs using
/etc/fw/bin/fw logswitch which will save the logs in a binary format. If
you wanted, you could convert the binary file to ASCII format with
/etc/fw/bin/fw logexport. It is a fairly trivial task to set up a cron job
to handle this for you on a nightly basis.

Regards.

Bob Webber
AT&T Global Network Services
Tel:Fax:Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [email protected]

"Logic merely enables one to be wrong with authority" - Doctor Who


Sam Denton <[email protected]>@beethoven.us.checkpoint.com> on 10/31/2001
12:04:31 PM

Please respond to Mailing list for discussion of Firewall-1
      <[email protected]>

Sent by:  Mailing list for discussion of Firewall-1
      <[email protected]>


To:   [email protected]
cc:
Subject:  [FW-1] Automatic Saving of Log Files




Is there any way to automatically save the log files, say once a day?

at the moment I go to the logging module and then click file -----> save.

I have to do this daily. I would like to do this manually.

Thanks in advance

Sam
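
Added example, not part of any list post: a cron-driven script for the nightly logswitch/logexport job Bob Webber describes above. The log directory, archive directory, retention period, the behaviour of `fw logswitch NAME`, and the `-n`/`-i`/`-o` flags of `fw logexport` are assumptions; check them against the fw man page for your FW-1 version.

```shell
#!/bin/sh
# Nightly FireWall-1 log rotation, meant to be called from cron, e.g.
#   5 0 * * * /usr/local/sbin/fw-logrotate.sh --run     (hypothetical path)
#
# Assumptions (not from the list posts; adjust to your install):
#   FW_BIN     fw binary; the post uses /etc/fw/bin/fw
#   LOG_DIR    FireWall-1 log directory, assumed to be /etc/fw/log
#   ARCHIVE    hypothetical directory for the ASCII exports
#   KEEP_DAYS  hypothetical retention period for compressed exports
#   "fw logswitch NAME" is assumed to leave the closed log as LOG_DIR/NAME;
#   "fw logexport" is assumed to accept -n (no DNS lookups), -i and -o.
FW_BIN=${FW_BIN:-/etc/fw/bin/fw}
LOG_DIR=${LOG_DIR:-/etc/fw/log}
ARCHIVE=${ARCHIVE:-/var/fwlogs}
KEEP_DAYS=${KEEP_DAYS:-90}

# rotate_fw_log STAMP
# Prints the path of the compressed export on success.
# Return codes: 1 archive dir, 2 already rotated, 3 logswitch failed,
#               4 logexport failed, 5 empty export, 6 gzip failed.
rotate_fw_log() {
    stamp=$1
    switched="fw-$stamp.log"
    export_file="$ARCHIVE/fw-$stamp.txt"

    # Firewall logs expose internal addressing; keep the archive private.
    umask 077
    mkdir -p "$ARCHIVE" || return 1

    # Refuse to overwrite an existing archive (cron fired twice, rerun by hand).
    if [ -e "$export_file" ] || [ -e "$export_file.gz" ]; then
        echo "rotate_fw_log: archive for $stamp already exists" >&2
        return 2
    fi

    # 1. Close the active log; the closed file stays in binary format.
    if ! "$FW_BIN" logswitch "$switched" >/dev/null; then
        echo "rotate_fw_log: fw logswitch failed" >&2
        return 3
    fi

    # 2. Convert the closed log to ASCII. On failure the binary log is left
    #    in LOG_DIR so nothing is lost and the export can be retried.
    if ! "$FW_BIN" logexport -n -i "$LOG_DIR/$switched" -o "$export_file"; then
        echo "rotate_fw_log: fw logexport failed, kept $LOG_DIR/$switched" >&2
        rm -f "$export_file"
        return 4
    fi

    # 3. An empty export usually means the wrong input file was read.
    if [ ! -s "$export_file" ]; then
        echo "rotate_fw_log: export is empty, kept $LOG_DIR/$switched" >&2
        rm -f "$export_file"
        return 5
    fi

    gzip -9 "$export_file" || return 6

    # 4. Prune compressed exports older than the retention period.
    find "$ARCHIVE" -type f -name 'fw-*.txt.gz' -mtime +"$KEEP_DAYS" \
        -exec rm -f {} \;

    echo "$export_file.gz"
}

# Only rotate when asked to, so the file can also be sourced for its function.
if [ "${1:-}" = "--run" ]; then
    rotate_fw_log "$(date +%Y-%m-%d)" >/dev/null
    exit $?
fi
```

A non-zero exit makes cron mail the error line, so a missed rotation is noticed instead of silently leaving one ever-growing log.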

------------------------------

Date:    Wed, 31 Oct 2001 13:11:55 -0500
From:    Aeon Hale <[email protected]>
Subject: Re: How do you...

on each rule, for the accepts, do not put anything for the "track"
column.  For the rules with drops or rejects, set track to "long".



-----Original Message-----
From: Paul Daley [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 12:01 PM
To: [email protected]
Subject: [FW-1] How do you...


... set a rule to log everything other than accepts? (or alternatively, to
log just drops and rejects)

I'm using v4.1 SP5...


Thanks,

Paul.

------------------------------

Date:    Wed, 31 Oct 2001 13:10:14 -0500
From:    "Rodriguez, Laz" <[email protected]>
Subject: Re: Firewall Errors

Thanks.

I will install sp5 soon.


lr

-----Original Message-----
From: Martin, Jeffrey [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 12:29 PM
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


According to the Release Notes, Service Pack 5 for FW-1 4.1 fully fixes this
problem

-----Original Message-----
From: Tim Holman [mailto:[email protected]]
Sent: Tuesday, October 30, 2001 5:05 PM
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


Win 2K doesn't support proxy arp properly, hence static NAT won't work,
regardless of the firewall you use. This is as of Win 2K SP1 - dunno if
they've fixed it yet ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wade
Sellers
Sent: 24 October 2001 00:05
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


Do you use Static NAT with your Win2K setup?  I have been having a very hard
time getting this to work correctly. Any ideas would be appreciated.

Wade Sellers


Christopher Ferraro <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
10/23/2001 01:01 PM
Please respond to Mailing list for discussion of Firewall-1

        To:     [email protected]
        cc:
        Subject:        Re: [FW-1] Firewall Errors

I've been running CP2K, SP3 on Win2K with no problems.  The key is to use
the wrapper install for CP2K, then grab the full SP3 download from
checkpoint's site.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, October 23, 2001 1:26 PM
To: [email protected]
Subject: Re: [FW-1] Firewall Errors


I recently completed the Check Point 2000 VPN1\Firewall-1 Management 1 and 2
training and our instructor advised us to stay away from Windows 2000 for
running FW 4.1. He felt that NG would most likely be more stable on
Windows 2000. That's not to say it won't work, it was just his advice. He
seemed to have lots of experience in the field so I took him at his word.

Tim


"Rodriguez, Laz" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
10/23/2001 10:37 AM
Please respond to Mailing list for discussion of Firewall-1

        To:     [email protected]
        cc:
        Subject:        [FW-1] Firewall Errors

Help, I was wondering if anyone out there has had the same issues as me.

After we migrated from NT4.0 fw 4.1 to Windows 2000 server fw 4.1 on our
firewall, the following error is coming out on the event viewer every
second.

I have applied service pack 3 and 4 and the error keeps coming.

FW1: ndis_allocate_packet: Cannot allocate new packets

Can anyone give me a few pointers as to where to look!

Thanks

Laz

------------------------------

Date:    Wed, 31 Oct 2001 13:01:08 -0500
From:    Chris Gutierrez <[email protected]>
Subject: Re: Nokia and log manipulation

you might want to check us out....

www.guarded.net

This software analyzes logs from FW-1, plus your IDS, router, host, etc
and correlates it to determine threat levels. Next release includes
correlation with vulnerability from Nessus. Great security operations
platform for centrally monitoring and responding to threat the fastest
with complete information.  Lots of flexibility in terms of filtering
events and assigning priority levels to important hosts on the network.
Also does not require deploying agents. Allows one person to easily do
the monitoring and analysis work of three or more.

Chris

-----Original Message-----
From: Wesley C. Maness [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 12:01 PM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


I have used Snort via Razorback.  And it does not correlate the data
that would be needed for attack patterns.  Something that has a
capability to recreate attack patterns to determine what was
compromised.. Snort doesn't do this yet, unless I can configure it to do
that for me.  I checked out E-Security as well.. nope they don't have
this full-feature either.

I'll take a look at WebTrends...

Thanks for your hint...!!!

Mailing list for discussion of Firewall-1
<[email protected]> wrote:

Personally I would stick with Webtrends to analyse the firewall logs. If
you are looking to detect attack sequences however, there is no easy
way...you need an IDS....you can try a freeware like SNORT which has
amazing capabilities.

-----Original Message-----
From: Nick Ellenden [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 10:26 PM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

I don't work for OpenService (which is OPSEC compliant), but to toot
their horn a little, you can configure the filter rules in OpenService
to parse the data as you wish; this could then be used to re-create such
paths, although most reasonable attackers will spoof or otherwise
obscure their own trail. You might also want to check out e-Security Inc
products, they may have evolved a processing approach as well now.

Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wesley Maness
Sent: 01 November 2001 04:43
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


To All:

Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can parse large amounts of logs
(fw logs) and recreate attack sequences (their paths) etc ?

Thanks...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick Ellenden
Sent: Wednesday, October 31, 2001 3:34 AM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also
parse and process the system logs as well.

Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim Holman
Sent: 30 October 2001 22:05
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Webtrends ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam Denton
Sent: 23 October 2001 10:21
To: [email protected]
Subject: [FW-1] Nokia and log manipulation


Is there any way to manipulate log file data on the Nokia Platform
(IP330 running FW-1 4.1 SP4)

Thanks

Sam

------------------------------

Date:    Wed, 31 Oct 2001 18:14:00 -0000
From:    Rodrigo Borges <[email protected]>
Subject: Re: How do you...

Try to disable logging at every accept rule and enabling it at every
drop/reject rule.
Create a bottom rule dropping everything and logging
(Any-Any-Any-Drop-Long).

Rodrigo

-----Original Message-----
From: Paul Daley [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 5:01 PM
To: [email protected]
Subject: [FW-1] How do you...


... set a rule to log everything other than accepts? (or alternatively, to
log just drops and rejects)

I'm using v4.1 SP5...


Thanks,

Paul.

------------------------------

Date:    Wed, 31 Oct 2001 19:21:27 +0100
From:    Andre Doehn <[email protected]>
Subject: Re: How do you...

Why don't you know this basic thing as fw admin? ;-)

1. open your fw-log
2. right click on Action column -> Selection
3. select only "drop" and "rejects" in the Action Selection Criterion
4. click Apply

done!

bye
andre





Paul Daley <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
31.10.2001 18:00
Please respond to Mailing list for discussion of Firewall-1


        To:     [email protected]
        cc:
        Subject:        [FW-1] How do you...


... set a rule to log everything other than accepts? (or alternatively, to
log just drops and rejects)

I'm using v4.1 SP5...


Thanks,

Paul.

------------------------------

Date:    Wed, 31 Oct 2001 12:04:26 -0600
From:    "Hanke, Eric" <[email protected]>
Subject: FW: Migration Headache (Problem Solved) FW1 SP5 and W2K

Seems like a lot of comments regarding FW-1 SP5 and W2K.  I posted this a
week ago and found (and tested) the resolution.

Believe it or not, I had to add a route on the Windows 2000 server for the
internal server to be NAT'ed.  The route looked like this:

<Public IP of Server (NAT'ed)> MASK <255.255.255.255> <NAT'ed Address (Private)>

I had to tell the Firewall that I wanted to manage my routes.

This route was on my one NT 4.0 FW 4.0 firewall.  I just overlooked it
during the new install.

Hope this helps someone.

Eric

Eric M Hanke <mailto:[email protected]>
Senior Network Engineer
Tempel <http://www.tempel.com/>  Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone

-----Original Message-----
From: Hanke, Eric
Sent: Wednesday, October 24, 2001 4:12 PM
To: [email protected]
Subject: Migration Headache

Hello list:

Tried a migration (fresh install) of FW-1 4.1 last night on a Windows 2000
SP 2 Compaq Proliant 1600.  Thought the install went well until my users
were not able to receive any e-mail, sending e-mail was ok.

Here is a quick Config rundown:

Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)

Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000 SVR
SP2)

This was a fresh install.  I opted to manage my routes manually; I already
had a text printout of the routes from my NT 4.0 Firewall-1 (4.0)

Basically the first few rules look as such

Firewall           ----->  Management         Accept
Management         ----->  Firewall           Accept
ANY                ----->  SMTP_SVR(NAT'ed)   Accept
SMTP_SVR(NAT'ed)   ----->  Outside_world      Accept

I also had the necessary DNS rules installed so the Mail server could do a
DNS lookup.  The strange thing is that on the Log you could see the Firewall
pass the request from the public IP of the SMTP server to the NAT'ed address
but the SMTP server never received the e-mail.

I think this is a routing problem; I am new to routing with Windows 2000.
Any ideas or a thought on what to look at next is greatly appreciated.

Eric


 <mailto:[email protected]> Eric M Hanke
Senior Network Engineer
 <http://www.tempel.com/> Tempel Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">


<meta name=3DProgId content=3DWord.Document>
<meta name=3DGenerator content=3D"Microsoft Word 9">
<meta name=3DOriginator content=3D"Microsoft Word 9">
<link rel=3DFile-List href=3D"cid:[email protected]";>
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:View>Normal</w:View>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
 </w:WordDocument>
</xml><![endif]-->
<style>
<!--
 /* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;
        mso-font-charset:0;
        mso-generic-font-family:swiss;
        mso-font-pitch:variable;
        mso-font-signature:483648 8 0 66047 0;}
 /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
p.MsoAutoSig, li.MsoAutoSig, div.MsoAutoSig
        {margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
span.EmailStyle18
        {mso-style-type:personal;
        mso-ansi-font-size:10.0pt;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        mso-ansi-font-size:10.0pt;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style>
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>S=
eems like
a lot of comments regarding FW-1 SP5 and W2K.<span =
style=3D"mso-spacerun:
yes">&nbsp; </span>I posted this a week ago found (and tested) the =
resolution.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>B=
elieve it
or not, I had to add a route on the Windows 2000 server for the =
internal server
to be NAT&#8217;ed.<span style=3D"mso-spacerun: yes">&nbsp; </span>The =
route looked
like this:<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>&=
lt;Public
IP of Server (NAT&#8217;ed)&gt; <b><span =
style=3D'font-weight:bold'>MASK</span></b>
&lt;255.255.255.255&gt; &lt;NAT&#8217;ed Address =
(Private)&gt;<o:p></o:p></span></font></span></p>

<p class=MsoNormal>I had to tell the Firewall that I wanted to manage my routes.</p>

<p class=MsoNormal>This route was on my one NT 4.0 FW 4.0 firewall.  I just overlooked it during the new install.</p>

<p class=MsoNormal>Hope this helps someone.</p>

<p class=MsoNormal>Eric</p>

<p class=MsoAutoSig><a href="mailto:[email protected]">Eric M Hanke</a></p>

<p class=MsoAutoSig>Senior Network Engineer</p>

<p class=MsoAutoSig><a href="http://www.tempel.com/">Tempel Steel Company</a></p>

<p class=MsoAutoSig>Magnetic Steel Laminations for the Electronic and Electrical Industries</p>

<p class=MsoAutoSig>Phone (773) 250-8056</p>


<p class=MsoNormal>-----Original Message-----<br>
<b>From:</b> Hanke, Eric<br>
<b>Sent:</b> Wednesday, October 24, 2001 4:12 PM<br>
<b>To:</b> [email protected]<br>
<b>Subject:</b> Migration Headache</p>

<p class=MsoNormal>Hello list:</p>

<p class=MsoNormal>Tried a migration (fresh install) of FW-1 4.1 last night on a Windows 2000 SP 2 Compaq Proliant 1600.  Thought the install went well until my users were not able to receive any e-mail, sending e-mail was ok.</p>

<p class=MsoNormal>Here is a quick Config rundown:</p>

<p class=MsoNormal>Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)</p>

<p class=MsoNormal>Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000 SVR SP2)</p>

<p class=MsoNormal>This was a fresh install.  I opted to manage my routes manually; I already had a text printout of the routes from my NT 4.0 Firewall-1 (4.0)</p>

<p class=MsoNormal>Basically the first few rules look as such</p>

<p class=MsoNormal>Firewall -----&gt; Management Accept</p>

<p class=MsoNormal>Management -----&gt; Firewall Accept</p>

<p class=MsoNormal>ANY -----&gt; SMTP_SVR(NAT&#8217;ed) Accept</p>

<p class=MsoNormal>SMTP_SVR(NAT&#8217;ed) -----&gt; Outside_world Accept</p>

<p class=MsoNormal>I also had the necessary DNS rules installed so the Mail server could do a DNS lookup.  The strange thing is that on the Log you could see the Firewall pass the request from the public IP of the SMTP server to the NAT&#8217;ed address but the SMTP server never received the e-mail.</p>

<p class=MsoNormal>I think this is a routing problem; I am new to routing with Windows 2000.  Any ideas or a thought on what to look at next is greatly appreciated.</p>

<p class=MsoNormal>Eric</p>


<p class=MsoAutoSig><a href="mailto:[email protected]">Eric M Hanke</a></p>

<p class=MsoAutoSig>Senior Network Engineer</p>

<p class=MsoAutoSig><a href="http://www.tempel.com/">Tempel Steel Company</a></p>

<p class=MsoAutoSig>Magnetic Steel Laminations for the Electronic and Electrical Industries</p>

<p class=MsoAutoSig>Phone (773) 250-8056</p>

</div>

</body>

</html>

------_=_NextPart_001_01C16236.7A2E1140--

------------------------------

Date:    Wed, 31 Oct 2001 10:35:19 -0800
From:    Dan Hitchcock <[email protected]>
Subject: Multiple default routes on Nokia

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C1623A.CB36F860
Content-Type: text/plain;
        charset="ISO-8859-1"

As with other routers, using multiple default routes will not (as you have
observed) provide "poor man's load balancing".  You have several options:

#1 - run BGP on your Nokia box (not recommended - this will kill an IP110)
#2 - run something more benign like RIP, run BGP on your border routers, and
redistribute your BGP routes into RIP (this will probably also put quite a
load on your firewall, and may become an administrative headache)
#3 - use a load-balancer product like RadWare or Foundry to dynamically
share the load across the two links
#4 - "split the internet" by creating two routes to represent the internet.
For example, I've found in the past that a routing table like this will give
a decent balance of traffic on the links (although this may vary greatly
depending on the nature of traffic in your network):
        network         gateway
        0.0.0.0/1       router1
        128.0.0.0/2     router1
        0.0.0.0/0       router2

This will send addresses 0.0.0.0-191.255.255.255 out router1, and the rest
out router2.  You could obviously just split it in half as well, but I found
that to be lopsided in terms of utilization in my environment.

HTH - any comments, disagreements, etc are, as always, welcome.

Dan Hitchcock


>We have a Nokia (110) and two upstream routers in parallel and would
>like the firewall to use both paths. I added both router's IP addresses
>
>plug it back in, all the traffic reverts to the second route again. Is
>there any way to set it up to use both?


------_=_NextPart_001_01C1623A.CB36F860--
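
The longest-prefix-match behaviour behind option #4 in the message above, as an added example that is not part of the original post. It computes which gateway each destination takes and what share of the IPv4 space each link carries; router1/router2 are the post's placeholder names, and the idea that a failed gateway's static routes get withdrawn is an assumption made only for the last function.

```python
import ipaddress

# Routing table from the post; "router1"/"router2" are its placeholder names.
SPLIT_ROUTES = [
    ("0.0.0.0/1", "router1"),
    ("128.0.0.0/2", "router1"),
    ("0.0.0.0/0", "router2"),
]

# The "just split it in half" variant the post mentions.
HALF_ROUTES = [
    ("0.0.0.0/1", "router1"),
    ("0.0.0.0/0", "router2"),
]


def build_table(routes):
    """Parse (prefix, gateway) pairs and order them most-specific first."""
    table = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, address):
    """Longest-prefix match: the first (most specific) covering route wins."""
    addr = ipaddress.ip_address(address)  # accepts dotted string or int
    for net, gw in table:
        if addr in net:
            return gw
    return None  # no covering route: the packet is unroutable


def address_share(table):
    """Fraction of the IPv4 space that each gateway ends up carrying."""
    # The winning route can only change at a prefix boundary, so it is
    # enough to test one address per interval between boundaries.
    edges = {0, 2**32}
    for net, _ in table:
        edges.add(int(net.network_address))
        edges.add(int(net.broadcast_address) + 1)
    edges = sorted(edges)
    share = {}
    for lo, hi in zip(edges, edges[1:]):
        gw = lookup(table, lo)
        share[gw] = share.get(gw, 0) + (hi - lo)
    return {gw: count / 2**32 for gw, count in share.items()}


def after_gateway_loss(routes, dead_gw):
    """Shares once every route via dead_gw is gone.

    Assumption: something (link-down detection, a routing protocol, an
    operator) actually removes those static routes; the post does not say.
    """
    remaining = [route for route in routes if route[1] != dead_gw]
    return address_share(build_table(remaining))


if __name__ == "__main__":
    table = build_table(SPLIT_ROUTES)
    for dst in ("10.1.2.3", "150.20.30.40", "191.255.255.255", "192.0.0.0"):
        print(f"{dst:>16} -> {lookup(table, dst)}")
    print("split table :", address_share(table))
    print("half table  :", address_share(build_table(HALF_ROUTES)))
    print("router2 lost:", after_gateway_loss(SPLIT_ROUTES, "router2"))
    print("router1 lost:", after_gateway_loss(SPLIT_ROUTES, "router1"))
```

A `None` key in the result marks address space with no covering route: with only the three routes shown, losing router2 leaves the top quarter of the address space unreachable, while losing router1 falls back cleanly to the default.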

------------------------------

Date:    Wed, 31 Oct 2001 14:00:03 -0500
From:    Kevin Lundy <[email protected]>
Subject: Re: How do you...

I don't think that is what he wanted to do - that is filtering/sorting the
actual log.  What I think he wants is a rule set similar to

any-webservers-80-allow
any-mailservers-25-allow
etc
any-any-any-drop-log long

In other words, make sure you have a cleanup rule at the end with log-long
and all other rules no logging

-----Original Message-----
From: Andre Doehn [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 1:21 PM
To: [email protected]
Subject: Re: [FW-1] How do you...


why don't you know this basic thing as fw admin? ;-)

1. open your fw-log
2. right click on Action column -> Selection
3. select only "drop" and "rejects" in the Action Selection Criterion
4. click Apply

done!

bye
andre





Paul Daley <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
31.10.2001 18:00
Please respond to Mailing list for discussion of Firewall-1


        To:     [email protected]
        cc:
        Subject:        [FW-1] How do you...


... set a rule to log everything other than accepts? (or alternatively, to
log just drops and rejects)

I'm using v4.1 SP5...


Thanks,

Paul.

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

------------------------------

Date:    Wed, 31 Oct 2001 14:12:59 -0500
From:    "Paiement, Marc" <[email protected]>
Subject: Illegal command in control.map

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C16240.0DDAB2F0
Content-Type: text/plain;
        charset="iso-8859-1"

Hi all,

      Recently, I upgraded my firewall running on Nokia IP330 from 4.0 SP3
to 4.1 SP5. The upgrade has been done without any troubles but....
every time I do a fetch, I get these errors and then the rule is installed
successfully.

Authentication error: Illegal command <opsec> in control.map
Authentication error: Illegal command <opsec> in control.map
Authentication error: Illegal command <ioctl> in control.map
Authentication error: Illegal command <opsec> in control.map

If I edit the control.map I can see a different configuration than in the
control.map of older releases. In the older release I can see "fwn1_opsec"
rather than "opsec" only. See below the control.map of my release 4.1 SP5:

MASTERS: getkey,gettopo,gettopossl,certreq/none   opsec/fwn1      */fwa1
CLIENT : load,db_download,fetch,log/fwa1   opsec/fwn1       */none
*      : getkey,gettopo,gettopossl,certreq/none unload,ioctl,load,db_download,logswitch/deny   opsec/fwn1 */fwa1

"ioctl" is not part of older releases of control.map

Does anyone have an idea?


Marc



------_=_NextPart_001_01C16240.0DDAB2F0--

------------------------------

Date:    Wed, 31 Oct 2001 12:08:55 -0800
From:    Rob Michayluk <[email protected]>
Subject: Simple SMTP Secure Server question

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C16247.DE620390
Content-Type: text/plain;
        charset="ISO-8859-1"

Hey there,

I have been looking through Checkpoint documentation and I cannot find
anything that tells me definitively that when you employ the SMTP secure
server that, should your SMTP server fail, the firewall will spool the
received mail until the SMTP server is back up. I have been told that this
is the case, but cannot find official documentation that verifies this. Does
anyone know where I can find this information, if in fact it is true?

Thank you!

Rob Michayluk
Computer Network Services Analyst
ACD Systems Ltd.
The Digital Imaging Company
Tel:
Fax:
[email protected]
www.ACDSYSTEMS.com



------_=_NextPart_001_01C16247.DE620390--

------------------------------

Date:    Wed, 31 Oct 2001 14:57:35 -0500
From:    Macroscape Solutions <[email protected]>
Subject: IKE negotiation problems

This is a multi-part message in MIME format.

------=_NextPart_000_0064_01C1621C.6073C250
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

We have an interesting issue here. My client has a firewall with two
external interfaces going to 2 external routers. One interface is going to
a primary T-1, the second is going to a secondary T-1 provider. Right now
the failover is manual in nature and a pain in the ass, but that is a
separate issue. They have a tunnel going to another remote location which
works fine when they cut over. That remote location has a tunnel with
colocation provider which is working. They also have a VPN tunnel from new
york to colocation provider. When we were on the primary T-1 everything was
smooth, once we cut-over (UUnet went down) it stopped working. So the
primary external interface is now set to the other provider. Here is what's
happening:

The VPN tunnel works fine to the remote location and back
Remote location to Colo provider works fine.
The VPN tunnel to colo provider only works when the UUnet line is up and
running. They insured me that they have changed the object to point to our
cutover ip address of the firewall in NY, but this is what I am seeing...

BTW The firewalls are running IPSO 3.3  Checkpoint 4.1 SP2

First let's look at the output on the remote location firewall. As you can
see the packets going to colo provider are destined for the .23 address.
The packets that are coming back are from .24 address. 23(VRRP)
24(Physical) (colo provider's firewalls)

remote_firewall[admin]# tcpdump -i eth-s1p1c0|grep "64.x.x.23"
tcpdump: listening on eth-s1p1c0
15:01:23.495922 216.x.x.70 > 64.x.x.23: ip-proto-50 532
15:01:23.759654 216.x.x.70 > 64.x.x.23: ip-proto-50 300

remote_firewall[admin]# tcpdump -i eth-s1p1c0|grep "64.x.x.24"
tcpdump: listening on eth-s1p1c0
15:02:24.813542 64.x.x.24 > 216.x.x.70: ip-proto-50 140
15:02:37.970975 64.x.x.24 > 216.x.x.70: ip-proto-50 140

Now let's go over to NY (the firewall with a problem):
The packets are now going to the SS VRRP address but there is nothing
coming back on .23 nor .24.

ny_firewall[admin]# tcpdump -i eth-s1p2c0|grep "64.x.x.23"
tcpdump: listening on eth-s1p2c0
15:17:25.309681 O 206.x.x.204 > 64.x.x.23: ip-proto-50 76
15:17:25.918394 O 206.x.x.204 > 64.x.x.23: ip-proto-50 244

Now let's look at the UUnet interface of the NY firewall.

ny_firewall[admin]# tcpdump -i eth-s1p1c0|grep "64.x.x.*"
tcpdump: listening on eth-s1p1c0
15:24:54.612874 I 64.x.x.24 > 63.x.x.2: ip-proto-50 180
15:24:54.637762 I 64.x.x.24 > 63.x.x.2: ip-proto-50 180

This solves our dilemma to a certain extent of how we are communicating
with colo facility. As you can see the incoming packets are coming in on
the UUnet interface. The outgoing packets are leaving and following our
default gateway out through Intellispace. We now have asynchronous
routing - which is fine.

It seems like the NY firewall is trying to negotiate with the VRRP address
at colo:

13:56:06.130082 O 206.x.x.204.500 > 64.x.x.23.500: udp 52
13:56:06.152651 O 206.x.x.204.500 > 64.x.x.23.500: udp 48
13:56:06.240097 O 206.x.x.204.500 > 64.x.x.23.500: udp 52

but no response from colo facility.

Any time the UUnet circuit goes back up we see:
13:56:06.263279 I 64.x.x.24.500 > 63.x.x.2.500: udp 52
13:56:06.390659 I 64.x.x.24 > 63.x.x.2: ip-proto-50 84
13:56:06.428847 I 64.x.x.24 > 63.x.x.2: ip-proto-50 84

Euge

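Added example (not part of the original post and not Check Point or Nokia tooling): a small Python script that parses the NY firewall tcpdump lines quoted in the message above and lists, per protocol, where the outbound and inbound halves of the tunnel disagree on local address, peer address and interface. It assumes the I/O column marks inbound/outbound the way the post reads it; the function names and the interface placement of the UDP/500 lines are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the NY firewall captures in the post, keyed by the
# interface tcpdump listened on. The post does not name the interface for
# the UDP/500 lines; placing them by matching address is an assumption.
NY_CAPTURES = {
    "eth-s1p2c0": """\
tcpdump: listening on eth-s1p2c0
15:17:25.309681 O 206.x.x.204 > 64.x.x.23: ip-proto-50 76
15:17:25.918394 O 206.x.x.204 > 64.x.x.23: ip-proto-50 244
13:56:06.130082 O 206.x.x.204.500 > 64.x.x.23.500: udp 52
""",
    "eth-s1p1c0": """\
tcpdump: listening on eth-s1p1c0
15:24:54.612874 I 64.x.x.24 > 63.x.x.2: ip-proto-50 180
13:56:06.263279 I 64.x.x.24.500 > 63.x.x.2.500: udp 52
""",
}

# timestamp, optional I/O direction flag, src > dst:, protocol, length
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<dir>[IO])\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<proto>ip-proto-50|udp)\s+(?P<len>\d+)\s*$"
)


def split_port(endpoint, proto):
    """UDP endpoints carry the port as the last dotted field; ESP has none."""
    if proto == "udp":
        host, port = endpoint.rsplit(".", 1)
        return host, int(port)
    return endpoint, None


def parse_line(line, iface):
    """Return a record for one packet line, or None for banners and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"]
    src, sport = split_port(m["src"], proto)
    dst, dport = split_port(m["dst"], proto)
    if proto == "ip-proto-50":
        kind = "ESP"
    else:
        kind = "IKE" if 500 in (sport, dport) else "UDP"
    return {"iface": iface, "dir": m["dir"], "src": src, "dst": dst,
            "kind": kind, "len": int(m["len"])}


def analyse(captures):
    """Compare what the firewall sends with what it receives, per protocol.

    Returns tuples (kind, issue, outbound_values, inbound_values).
    """
    sent = defaultdict(set)   # kind -> {(iface, local_addr, peer_addr)}
    recv = defaultdict(set)
    for iface, text in captures.items():
        for line in text.splitlines():
            rec = parse_line(line, iface)
            if rec is None or rec["dir"] is None:
                continue      # no direction flag: cannot classify the packet
            if rec["dir"] == "O":
                sent[rec["kind"]].add((iface, rec["src"], rec["dst"]))
            else:
                recv[rec["kind"]].add((iface, rec["dst"], rec["src"]))

    findings = []
    for kind in sorted(set(sent) | set(recv)):
        out, inn = sent.get(kind, set()), recv.get(kind, set())
        if not out or not inn:
            findings.append((kind, "one-way-only", sorted(out), sorted(inn)))
            continue
        out_if, out_local, out_peer = (set(col) for col in zip(*out))
        in_if, in_local, in_peer = (set(col) for col in zip(*inn))
        checks = (("local-address-mismatch", out_local, in_local),
                  ("peer-address-mismatch", out_peer, in_peer),
                  ("interface-asymmetry", out_if, in_if))
        for issue, o, i in checks:
            if o != i:
                findings.append((kind, issue, sorted(o), sorted(i)))
    return findings


if __name__ == "__main__":
    for kind, issue, outbound, inbound in analyse(NY_CAPTURES):
        print(f"{kind:4} {issue:24} out={outbound} in={inbound}")
```

On these lines the script reports, for both ESP and IKE, that the firewall sends from 206.x.x.204 to 64.x.x.23 while the traffic it receives is from 64.x.x.24 addressed to 63.x.x.2 on the other interface.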

------------------------------

Date:    Wed, 31 Oct 2001 12:05:14 -0800
From:    John Castillo <[email protected]>
Subject: comparison between Pix and FW-1

can anyone highlight the differences, advantage/disadvantage of each FW
solution?

my boss is looking into replacing FW-1 with a Pix in a datacenter
environment.  no one has done much research except for the common
argument that "the pix is a hardware accelerated firewall, therefore its
better and faster".

opinions?

------------------------------

Date:    Wed, 31 Oct 2001 21:33:02 +0100
From:    Alexander Hoogerhuis <[email protected]>
Subject: Re: Upgrade 4.1 to NG

We have had a few niggling problems with the installation on Solaris,
as it is very hard to get FW-1 NG to cooperate with a machine that
needs to be hardened. Examples are:

* it cannot live with /usr and /opt mounted read-only.

* the desktop policy package (and others) create their log-directory
  as a directory in the /opt-hierarchy, not as a symlink to /var/opt

* package install scripts depend on absolute paths so it is
  completely useless in an automated install environment
  (JumpStart+JASS).

* it has a tmp-directory under the /opt-hierarchy, which is (as with
  the log-directory above) an actual directory, not a symlink to
  /var/opt. It doesn't even check that its tmp-directory is writable
  and cpver and friends will happily try to run and segfault for no
  apparent good reason.

* It will replace /usr/sbin/ndd during boot, with its home grown
  version.

If anyone at Checkpoint is listening and wants to integrate good
support for their product on a very locked down machine I'm more than
willing to submit patches to the package install scripts and runtime
scripts to make this a happier place.

cheers,
Alexander

Nico De Ranter <[email protected]> writes:

> We are experiencing serious problems trying to get the rulebase and
> objects.C upgraded :-(.  Upgrading objects.C finally worked but the
> rulebase either produces errors in the GUI or crashes the GUI
> completely (note: GUI on NT, modules on Solaris)
>
> Nico
>
> On Tue, Oct 23, 2001 at 09:51:36PM -0400, Juan Concepcion wrote:
> > Only thing that I saw was that the firewall modules were automatically
> > created for you with no option to change the initial settings on it.
> > Suggestion in the documentation is to create an identical object then
> > delete the original.
> >
> > Nico De Ranter wrote:
> >
> > > Anybody attempt an upgrade from 4.1 to NG already?
> > > We are getting error messages when trying to save a policy
> > > from the NG policy editor  (management console is NG, firewall
> > > module is 4.1)
> > >
> > > Nico
> > >
> > > ---------------------------------------------------------
> > >  "It has been said that there are only two businesses that
> > >   refer to customers as users: illegal drug trade and
> > >                the computer industry."
> > > ---------------------------------------------------------
> > > Nico De Ranter
> > > Sony Service Center (SDCE/VPE-B)
> > > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > > e-mail: [email protected]
> > >
> ---------------------------------------------------------
>  "It has been said that there are only two businesses that
>   refer to customers as users: illegal drug trade and
>                the computer industry."
> ---------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/VPE-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: [email protected]

--
Alexander Hoogerhuis
FYI: perl -e 'print
$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

------------------------------

Date:    Wed, 31 Oct 2001 13:51:01 -0700
From:    Hal Dorsman <[email protected]>
Subject: Re: comparison between Pix and FW-1

PIX is the fastest, yes, but how fast is fast enough?
Do you need a car that will do 120 when the speed limit
is 75?  Do you need a firewall that can keep up with a
saturated 100mb interface when all you have is a T-1 to
the Internet?  Better, no.  Checkpoint is the industry
leader because of their well designed intuitive management
interface.  Manageability is everything.

Hal

> -----Original Message-----
> From: John Castillo [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 1:05 PM
> To: [email protected]
> Subject: [FW-1] comparison between Pix and FW-1
>
>
> can anyone highlight the differences, advantage/disadvantage
> of each FW
> solution?
>
> my boss is looking into replacing FW-1 with a Pix in a datacenter
> environment.  no one has done much research except for the common
> argument that "the pix is a hardware accelerated firewall,
> therefore its
> better and faster".
>
> opinions?

------------------------------

Date:    Wed, 31 Oct 2001 21:51:12 +0100
From:    Alexander Hoogerhuis <[email protected]>
Subject: Re: VPN with OSPF for Failover

From what you describe, and without knowing his requirements for
security, I think you are going to have a major headache with getting
a favourable assessment from an independent third party.

You state little about the bandwidths involved, so I cannot tell you
whether it will hold up. The 7140's are a somewhat limited and dated
design (and my memory cannot tell me whether you get VPN-accelerators
for the 7140s?).

And reading the reasoning presented by your customer with regards to
why FW-1 won't cut it is somewhat strange. OSPF is not multicast, and
will work quite well with FW-1 on at least Solaris and Linux. And why
IPSec should not handle multicast traffic is to me a mystery (and I
hold CCNP/CCDP and should have a clue).

Since you are implementing hub and spoke for the frame bit, it will
not help to have a secondary location hooked into the central
point, as you gain zero failover capability (i.e. if the pipe fails
into the central location you are hosed anyways).

cheers,
Alexander

"Cardona, Alberto" <[email protected]> writes:

> What I want to do is for my friend's remote vpn sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a Full blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP thru his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on
> Cisco's.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit).
> Now they want to implement a secondary location (Houston) which has an
> internet connection and a frame connection
> back into the headquarters (Detroit).
> They want this secondary location (Houston) to be a backup in case his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check
> Point solution won't work with the
> failover design because IPsec can't handle multicast broadcast traffic (ex
> OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco Router based VPN design.
> Cisco's 1750 for Remote sites and 7140 for each Hub.
> Each router both remote site and hub will have Cisco's firewall/IDS
> package and encryption module
> The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> OSPF.
> In case of a failover to the Secondary HUB and OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke.
>
> His problem with this HUB and SPOKE design is this.
>
> 1).  He is afraid because this design relies on a 1 tier security design.
>      The Cisco's routers will be handling the VPN, Routing Protocols,
>      Firewall, and IDS on each router.
>      His current design is 2 tier level.
>      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
>
> 2).  He thinks his Voice over IP will fail between remote sites because
>      the MESH will be gone.
>
> 3).  The performance on the Cisco.  Would they be able to handle the load?
>      Since they will be doing everything. (VPN, Routing, and IDS)
>
> Has anyone implemented this solution?
>
>
>
> AC
>
>
>
> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto '; '[email protected] '
> Subject: RE: [FW-1] VPN with OSPF
>
>
> That depends on what you mean by "running site to site IPsec VPNs and
> using OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for
> some reason or using OSPF to route traffic to available VPN endpoints
> before going through a tunnel or on your edge routers once your VPN
> traffic has been encapsulated?
>
> Chris
>
> -----Original Message-----
> From: Cardona, Alberto
> To: [email protected]
> Sent: 10/24/01 4:16 PM
> Subject: [FW-1] VPN with OSPF
>
> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
>
>
> Thanks
>
>
> AC

--
Alexander Hoogerhuis
FYI: perl -e 'print
$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

------------------------------

Date:    Wed, 31 Oct 2001 16:09:44 -0500
From:    Yves Belle-Isle <[email protected]>
Subject: Re: Simple SMTP Secure Server question

It's not written anywhere as far as I checked, like it is for most of the
object.c documentation, which is nonexistent. (I think of 95% of the
options which can go in the PROPS section). But I can say that it spools
the mail, at least in all these cases, until it can deliver it:

-To external mail server, BUT IT TRIES ONLY THE LOWER MX mail server
-To internal mail server
-To CVP server

That is with FW-1 2000 (4.1 SP4)

At 12:08 2001-10-31 -0800, Rob Michayluk wrote:

> Hey there,
>
> I have been looking through Checkpoint documentation and I cannot find
> anything that tells me definitively that when you employ the SMTP
> secure server that, should your SMTP server fail, the firewall will
> spool the received mail until the SMTP server is back up. I have been
> told that this is the case, but cannot find official documentation that
> verifies this. Does anyone know where I can find this information, if
> in fact it is true?
>
> Thank you!
>
> Rob Michayluk
> Computer Network Services Analyst
> ACD Systems Ltd.
> The Digital Imaging Company
> Tel: (250) 544-6700
> Fax: (250) 544-0291
> [email protected]
> www.ACDSYSTEMS.com

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------

------------------------------

Date:    Wed, 31 Oct 2001 16:12:18 -0500
From:    Don Guyer <[email protected]>
Subject: Re: adding a static route via GUI in NT

Erik,

        If I'm not mistaken, the routes you see in the firewall GUI are
automatically added when necessary according to the rulebase. To add a
route, you'd have to go to a command prompt. If there's any other way, I'd
like to know as well.

Sincerely,

Don Guyer
Information Systems
Citadel Federal Credit Union
Ph:
Fax:
www.citadelfcu.org


-----Original Message-----
From: erik witkop [mailto:[email protected]]
Sent: Tuesday, October 30, 2001 6:44 PM
To: [email protected]
Subject: [FW-1] adding a static route via GUI in NT


How can I add a static route in the GUI in NT? I see the CLI way to do it,
route -p add, but could I do it via the GUI?



Erik Witkop
Boston, MA
For Drug Testing Kits
please visit:
http://www.abatekmedical.com




------------------------------

Date:    Wed, 31 Oct 2001 16:22:24 -0500
From:    Tom Sevy <[email protected]>
Subject: Re: comparison between Pix and FW-1

You [your boss] should look into the FW-1 that is going to be running on
Alteon [Nortel now] hardware....

http://www.checkpoint.com/opsec/platforms/nortel.html


-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 3:51 PM
To: [email protected]
Subject: Re: [FW-1] comparison between Pix and FW-1


PIX is the fastest, yes, but how fast is fast enough?
Do you need a car that will do 120 when the speed limit
is 75?  Do you need a firewall that can keep up with a
saturated 100mb interface when all you have is a T-1 to
the Internet?  Better, no.  Checkpoint is the industry
leader because of their well designed intuitive management
interface.  Manageability is everything.

Hal


------------------------------

Date:    Wed, 31 Oct 2001 16:40:35 -0500
From:    "Zeltser, Roman" <[email protected]>
Subject: Re: comparison between Pix and FW-1

FYI. I just published an updated version of Internet Security Links
http://www.rtek2000.com/Tech/InternetSecureLinks.html#perf

**********************************
Roman Zeltser,
@National Computer Center,
RSIS & DNE



-----Original Message-----
From: John Castillo [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 3:05 PM
To: [email protected]
Subject: [FW-1] comparison between Pix and FW-1


can anyone highlight the differences, advantage/disadvantage of each FW
solution?

my boss is looking into replacing FW-1 with a Pix in a datacenter
environment.  no one has done much research except for the common
argument that "the pix is a hardware accelerated firewall, therefore its
better and faster".

opinions?


------------------------------

Date:    Wed, 31 Oct 2001 15:51:19 -0600
From:    Jennifer Fedewa <[email protected]>
Subject: Deauthorize in SecuRemote

Hello all!

I'm having trouble getting SecuRemote running.

I'm running Firewall-1 v4.1 sp-4 on Redhat 6.2.

I can get authenticated through the client, but I am still unable to
connect to anything.  The log file shows a Deauthorize entry with reason:
Old SecuRemote

I'm using SecuRemote Client Version 4.1 SP-4 Build 4188.  I'm not using
the Desktop security feature.  I've tried this on both win98 and win2000.

I've always been running Firewall-1 4.1, so there have been no upgrades
other than applying service packs.

The following licences are installed on the Firewall:

Host     Expiration Features
x.x.x.x  Never      cpvp-vsr-5000-v41
x.x.x.x  Never      cpvp-vee-u-3des-module-v41

I've been through the user and firewall object configurations a million
times.  What else could I have missed to get an "Old SecuRemote" error?

Thanks!
Jennifer

------------------------------

Date:    Wed, 31 Oct 2001 17:01:27 -0500
From:    "Vega, Juan R, SOBUS" <[email protected]>
Subject: Re: VPN with OSPF for Failover

OSPF is multicast depending on what "network type" is configured.  For
instance in a broadcast environment, OSPF peers will speak with the DR and
BDR on a special multicast 224.0.0.5.  The same is true for Frame Relay
which is by default a non-broadcast network type and will use multicast.
This can easily be avoided though through OSPF network manipulation on the
Cisco routers.

Juan Vega

-----Original Message-----
From: Alexander Hoogerhuis [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 8:51 PM
To: [email protected]
Subject: Re: [FW-1] VPN with OSPF for Failover


From what you describe, and without knowing his requirements for
security, I think you are going to have a major headache with getting
a favourable assessment from an independent third party.

You state little about the bandwidths involved, so I cannot tell you
whether it will hold up. The 7140's are a somewhat limited and dated
design (and my memory cannot tell me whether you get VPN-accelerators
for the 7140s?).

And reading the reasoning presented by your customer with regards to
why FW-1 won't cut it is somewhat strange. OSPF is not multicast, and
will work quite well with FW-1 on at least Solaris and Linux. And why
IPSec should not handle multicast traffic is to me a mystery (and I
hold CCNP/CCDP and should have a clue).

Since you are implementing hub and spoke for the frame bit, it will
not help to have a secondary location hooked into the central
point, as you gain zero failover capability (i.e. if the pipe fails
into the central location you are hosed anyways).

cheers,
Alexander

"Cardona, Alberto" <[email protected]> writes:

> What I want to do is for my friend's remote vpn sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a Full blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP thru his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on
Cisco's.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to there
> headquarters (Detroit).
> Now they want to implements a secondary location (Houston) which has a
> internet connection and a frame connection
> back into the headquarters (Detroit).
> They want this secondary location (Houston) to be a backup incase his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check
Point
> solution won't work with the
> failover design because IPsec can't handle multicast broadcast traffic (ex
> OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco Router based VPN design.
> Cisco's 1750 for Remote sites and 7140 for each Hub.
> Each router both remote site and hub will have Cisco's firewall/IDS
package
> and encryption module
> The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> OSPF.
> Incase of a failover to the Secondary HUB and OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke.
>
> His problem with this HUB and SPOKE design is this.
>
> 1).  He is afraid because this design relies on a 1 tier security design.
>      The Cisco's routers will be handling the VPN, Routing Protocols,
> Firewall, and IDS on each router.
>      His current design is 2 tier level.
>      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
>
> 2).  He thinks his Voice over IP will fail between remote sites because
the
> MESH will be gone.
>
> 3).  The performance an the Cisco.  Would they be able to handle the load?
>      Since they will be doing everything. (VPN, Routing, and IDS)
>
> Has anyone implemented this solution?
>
>
>
> AC
>
>
>
> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto '; '[email protected] '
> Subject: RE: [FW-1] VPN with OSPF
>
>
> That depends on what you mean by "running site to site IPsec VPNs and
using
> OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
> or using OSPF to route traffic to available VPN endpoints before going
> through a tunnel or on your edge routers once your VPN traffic has been
> encapsulated?
>
> Chris
>
> -----Original Message-----
> From: Cardona, Alberto
> To: [email protected]
> Sent: 10/24/01 4:16 PM
> Subject: [FW-1] VPN with OSPF
>
> Is anyone running site to site IPsec VPNs and using OSPF?
> If so did you have to implement GRE?
>
>
> Thanks
>
>
> AC

--
Alexander Hoogerhuis
FYI: perl -e 'print
$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

------------------------------

Date:    Wed, 31 Oct 2001 17:35:59 -0500
From:    Steven Wu <[email protected]>
Subject: [Fwd: Re: [FW-1] CDE lock frozen on solaris]

-------- Original Message --------
Subject: Re: [FW-1] CDE lock frozen on solaris
Date: Wed, 31 Oct 2001 17:07:41 -0500
From: Steven Wu <[email protected]>
To: Mailing list for discussion of Firewall-1
<[email protected]>

Sounds like a memory leak problem, you might need to apply some patch or
replace your memory.

Why don't you ssh in and disable the dtlogin script at the startup..and this
will disable CDE on the fw and see what will happen. Good luck !

Steven

Ilana Gamburd wrote:

> Has anyone ever encountered this error?
>
> We use open windows on an Ultra 2 solaris 2.6 with FW1 4.0 sp1.
> Somehow the screen was locked on CDE.
> When you try and type in the password to unlock, nothing happens.
> I gave the systems a reboot, and even cycled the power.
> But the screen is still in the same locked, frozen state.
> Server has rebooted and fw1 4.0 software is back up and running, but can't
> access the console.
>
> Any Help??
> Thanks
> Ilana

------------------------------

Date:    Wed, 31 Oct 2001 17:36:25 -0500
From:    Steven Wu <[email protected]>
Subject: [Fwd: Re: [FW-1] comparison between Pix and FW-1]

-------- Original Message --------
Subject: Re: [FW-1] comparison between Pix and FW-1
Date: Wed, 31 Oct 2001 16:59:45 -0500
From: Steven Wu <[email protected]>
To: Mailing list for discussion of Firewall-1
<[email protected]>

Just my 2 cents:

It totally depends on what way you look at it. If cost is not an issue, I
would stick with Checkpoint at this time, especially if you already have a CP
FW-1. Checkpoint does provide a lot of features within its fw-1 software. I
think, as a network admin, the Checkpoint log does a better job than most
of the firewalls (netscreen, watchguard ...) and PIX is still using the syslog
level, not easy to maintain and not secure enough.

For the obvious comparison I can think of:

PIX over Checkpoint:

1. Cost. PIX is a lot cheaper.
2. Document. Cisco provides a much, much better documentation web site and
great tech support that no one can beat in this market.

CP over PIX:
1. Log maintenance.
2. Nice GUI for policy editor and various security server features for
content filtering. Easy for a security admin to troubleshoot.
3. Load Balance cluster feature.

I think most people right now use Nokia with CP HA solution to cut down the
cost. Another hardware platform you might need to pay attention to is
Netscreen products. Personally, I think Netscreen is going in the right
direction: low cost and also combining both PIX and Checkpoint FW-1
advantages together with a nice Web configuration GUI and log maintenance.

Good luck,

Steven


John Castillo wrote:

> can anyone highlight the differences, advantage/disadvantage of each FW
> solution?
>
> my boss is looking into replacing FW-1 with a Pix in a datacenter
> environment.  no one has done much research except for the common
> argument that "the pix is a hardware accelerated firewall, therefore its
> better and faster".
>
> opinions?

------------------------------

Date:    Wed, 31 Oct 2001 16:12:18 -0500
From:    Don Guyer <[email protected]>
Subject: Re: adding a static route via GUI in NT

Erik,

        If I'm not mistaken, the routes you see in the firewall GUI are
automatically added when necessary according to the rulebase. To add a
route, you'd have to go to a command prompt. If there's any other way, I'd
like to know as well.

Sincerely,

Don Guyer
Information Systems
Citadel Federal Credit Union
Ph:Fax:www.citadelfcu.org


-----Original Message-----
From: erik witkop [mailto:[email protected]]
Sent: Tuesday, October 30, 2001 6:44 PM
To: [email protected]
Subject: [FW-1] adding a static route via GUI in NT


How can I add a static route in the GUI in NT? I see the CLI way to do it,
route -p add, but could I do it via the GUI?



Erik Witkop
Boston, MA
For Drug Testing Kits
please visit:
http://www.abatekmedical.com



------------------------------

Date:    Wed, 31 Oct 2001 14:57:35 -0500
From:    Macroscape Solutions <[email protected]>
Subject: IKE negotiation problems

We have an interesting issue here. My client has a firewall with two
external interfaces going to 2 external routers. One interface is going
to a primary T-1, the second is going to a secondary T-1 provider. Right
now the failover is manual in nature and a pain in the ass, but that is
a separate issue. They have a tunnel going to another remote location
which works fine when they cut over. That remote location has a tunnel
with colocation provider which is working. They also have a VPN tunnel
from New York to colocation provider. When we were on the primary T-1
everything was smooth, once we cut-over (UUnet went down) it stopped
working. So the primary external interface is now set to the other
provider. Here is what's happening:

The VPN tunnel works fine to the remote location and back
Remote location to Colo provider works fine.
The VPN tunnel to colo provider only works when the UUnet line is up and
running. They assured me that they have changed the object to point to
our cutover ip address of the firewall in NY, but this is what I am
seeing...

BTW The firewalls are running IPSO 3.3  Checkpoint 4.1 SP2

First let's look at the output on the remote location firewall. As you
can see the packets going to colo provider are destined for the .23
address. The packets that are coming back are from .24 address. 23(VRRP)
24(Physical) (colo provider's firewalls)

remote_firewall[admin]# tcpdump -i eth-s1p1c0|grep "64.x.x.23"
tcpdump: listening on eth-s1p1c0
15:01:23.495922 216.x.x.70 > 64.x.x.23: ip-proto-50 532
15:01:23.759654 216.x.x.70 > 64.x.x.23: ip-proto-50 300

remote_firewall[admin]# tcpdump -i eth-s1p1c0|grep "64.x.x.24"
tcpdump: listening on eth-s1p1c0
15:02:24.813542 64.x.x.24 > 216.x.x.70: ip-proto-50 140
15:02:37.970975 64.x.x.24 > 216.x.x.70: ip-proto-50 140

Now let's go over to NY (the firewall with a problem):
The packets are now going to the SS VRRP address but there is nothing
coming back on .23 nor .24.

ny_firewall[admin]# tcpdump -i eth-s1p2c0|grep "64.x.x.23"
tcpdump: listening on eth-s1p2c0
15:17:25.309681 O 206.x.x.204 > 64.x.x.23: ip-proto-50 76
15:17:25.918394 O 206.x.x.204 > 64.x.x.23: ip-proto-50 244

Now let's look at the UUnet interface of the NY firewall.

ny_firewall[admin]# tcpdump -i eth-s1p1c0|grep "64.x.x.*"
tcpdump: listening on eth-s1p1c0
15:24:54.612874 I 64.x.x.24 > 63.x.x.2: ip-proto-50 180
15:24:54.637762 I 64.x.x.24 > 63.x.x.2: ip-proto-50 180

This solves our dilemma, to a certain extent, of how we are communicating
with the colo facility. As you can see the incoming packets are coming in on
the UUnet interface. The outgoing packets are leaving and following our
default gateway out through Intellispace. We now have asynchronous
routing - which is fine.

It seems like the NY firewall is trying to negotiate with the VRRP
address at colo:

13:56:06.130082 O 206.x.x.204.500 > 64.x.x.23.500: udp 52
13:56:06.152651 O 206.x.x.204.500 > 64.x.x.23.500: udp 48
13:56:06.240097 O 206.x.x.204.500 > 64.x.x.23.500: udp 52

but no response from colo facility.

Any time the UUnet circuit goes back up we see:
13:56:06.263279 I 64.x.x.24.500 > 63.x.x.2.500: udp 52
13:56:06.390659 I 64.x.x.24 > 63.x.x.2: ip-proto-50 84
13:56:06.428847 I 64.x.x.24 > 63.x.x.2: ip-proto-50 84

Euge
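
The by-hand comparison in the message above can be scripted; this is an added example, not part of the original post. It parses tcpdump lines in the format shown there and reports, per peer gateway, whether IKE (UDP 500) and ESP (ip-proto-50) leave from the same local address that the peer's packets arrive on. The capture lines are copied from the post with its masked addresses; the gateway label `colo` and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# tcpdump line as shown in the post; IPSO prints an optional I/O direction flag.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<dir>[IO])\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>udp|ip-proto-50) (?P<len>\d+)$"
)

def split_host_port(token):
    """'206.x.x.204.500' -> ('206.x.x.204', 500); '64.x.x.23' -> ('64.x.x.23', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse(text):
    """Return (kind, src, dst) for every IKE or ESP packet; other lines are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. the "tcpdump: listening on ..." banner
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        if m["proto"] == "udp":
            if 500 not in (sport, dport):
                continue  # only IKE is of interest here
            kind = "IKE"
        else:
            kind = "ESP"
        packets.append((kind, src, dst))
    return packets

def local_address_mismatches(packets, local_addrs, gateways):
    """gateways maps every address of a peer (VRRP and physical) to one label.
    Returns {(label, kind): (sent_from, replied_to)} where the two sets differ."""
    sent_from, replied_to = defaultdict(set), defaultdict(set)
    for kind, src, dst in packets:
        if src in local_addrs and dst in gateways:
            sent_from[(gateways[dst], kind)].add(src)
        elif dst in local_addrs and src in gateways:
            replied_to[(gateways[src], kind)].add(dst)
    keys = sorted(set(sent_from) | set(replied_to))
    return {
        k: (sorted(sent_from[k]), sorted(replied_to[k]))
        for k in keys
        if sent_from[k] != replied_to[k]
    }

# The post identifies .23 as the VRRP and .24 as the physical address of the
# same colo firewalls, so both map to one (assumed) label.
COLO = {"64.x.x.23": "colo", "64.x.x.24": "colo"}

# Lines copied from the post: NY firewall, both external interfaces.
NY_CAPTURE = """\
tcpdump: listening on eth-s1p2c0
15:17:25.309681 O 206.x.x.204 > 64.x.x.23: ip-proto-50 76
15:17:25.918394 O 206.x.x.204 > 64.x.x.23: ip-proto-50 244
13:56:06.130082 O 206.x.x.204.500 > 64.x.x.23.500: udp 52
13:56:06.152651 O 206.x.x.204.500 > 64.x.x.23.500: udp 48
13:56:06.240097 O 206.x.x.204.500 > 64.x.x.23.500: udp 52
13:56:06.263279 I 64.x.x.24.500 > 63.x.x.2.500: udp 52
13:56:06.390659 I 64.x.x.24 > 63.x.x.2: ip-proto-50 84
13:56:06.428847 I 64.x.x.24 > 63.x.x.2: ip-proto-50 84
"""

# Lines copied from the post: remote location firewall (the working tunnel).
REMOTE_CAPTURE = """\
tcpdump: listening on eth-s1p1c0
15:01:23.495922 216.x.x.70 > 64.x.x.23: ip-proto-50 532
15:01:23.759654 216.x.x.70 > 64.x.x.23: ip-proto-50 300
15:02:24.813542 64.x.x.24 > 216.x.x.70: ip-proto-50 140
15:02:37.970975 64.x.x.24 > 216.x.x.70: ip-proto-50 140
"""

if __name__ == "__main__":
    ny = local_address_mismatches(
        parse(NY_CAPTURE), {"206.x.x.204", "63.x.x.2"}, COLO)
    for (gw, kind), (out_addr, in_addr) in ny.items():
        print(f"{gw} {kind}: we send from {out_addr}, peer addresses {in_addr}")
    remote = local_address_mismatches(parse(REMOTE_CAPTURE), {"216.x.x.70"}, COLO)
    print("remote site mismatches:", remote)
```

Treating the VRRP and physical addresses as one gateway is what keeps the working remote-site tunnel from being flagged, so the only difference reported is the local address on the NY side.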

------------------------------

Date:    Wed, 31 Oct 2001 12:08:55 -0800
From:    Rob Michayluk <[email protected]>
Subject: Simple SMTP Secure Server question

Hey there,

I have been looking through Checkpoint documentation and I cannot find
anything that tells me definitively that when you employ the SMTP secure
server that, should your SMTP server fail, the firewall will spool the
received mail until the SMTP server is back up. I have been told that this
is the case, but cannot find official documentation that verifies this. Does
anyone know where I can find this information, if in fact it is true?

Thank you!

Rob Michayluk
Computer Network Services Analyst
ACD Systems Ltd.
The Digital Imaging Company
Tel:Fax:[email protected]
www.ACDSYSTEMS.com



------------------------------

Date:    Wed, 31 Oct 2001 17:46:19 -0000
From:    Rodrigo Borges <[email protected]>
Subject: Re: Automatic Saving of Log Files

You can add a cron job doing a logswitch every day. The command is "fw
logswitch". Check the fw man page.

Rodrigo

-----Original Message-----
From: Sam Denton [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 5:05 PM
To: [email protected]
Subject: [FW-1] Automatic Saving of Log Files


Is there any way to automatically save the log files, say once a day?

at the moment I go to the logging module and then click file -----> save.

I have to do this daily. I would like to do this manually.

Thanks in advance

Sam


------------------------------

Date:    Wed, 31 Oct 2001 14:12:59 -0500
From:    "Paiement, Marc" <[email protected]>
Subject: Illegal command in control.map

Hi all,

      Recently, I upgraded my firewall running on Nokia IP330 from 4.0 SP3
to 4.1 SP5. The upgrade was done without any trouble, but every time I do a
fetch, I get these errors and then the rule is installed successfully.

Authentication error: Illegal command <opsec> in control.map
Authentication error: Illegal command <opsec> in control.map
Authentication error: Illegal command <ioctl> in control.map
Authentication error: Illegal command <opsec> in control.map

If I edit the control.map I can see a different configuration from the
control.map of older releases. In the older release I can see "fwn1_opsec"
rather than "opsec" only. See below the control.map of my release 4.1 SP5:

MASTERS: getkey,gettopo,gettopossl,certreq/none   opsec/fwn1      */fwa1
CLIENT : load,db_download,fetch,log/fwa1   opsec/fwn1       */none
*      : getkey,gettopo,gettopossl,certreq/none   unload,ioctl,load,db_download,logswitch/deny   opsec/fwn1 */fwa1

"ioctl" is not part of older releases of control.map.

Does anyone have an idea?


Marc


------------------------------

Date:    Wed, 31 Oct 2001 12:04:26 -0600
From:    "Hanke, Eric" <[email protected]>
Subject: FW: Migration Headache (Problem Solved) FW1 SP5 and W2K

Seems like a lot of comments regarding FW-1 SP5 and W2K.  I posted this
a week ago and have found (and tested) the resolution.

Believe it or not, I had to add a route on the Windows 2000 server for
the internal server to be NAT'ed.  The route looked like this:

<Public IP of Server (NAT'ed)> MASK <255.255.255.255> <NAT'ed Address
(Private)>

I had to tell the Firewall that I wanted to manage my routes.

This route was on my one NT 4.0 FW 4.0 firewall.  I just overlooked it
during the new install.

Hope this helps someone.

Eric

Eric M Hanke <mailto:[email protected]>
Senior Network Engineer
Tempel <http://www.tempel.com/>  Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone

-----Original Message-----
From: Hanke, Eric
Sent: Wednesday, October 24, 2001 4:12 PM
To: [email protected]
Subject: Migration Headache

Hello list:

Tried a migration (fresh install) of FW-1 4.1 last night on a Windows
2000 SP 2 Compaq Proliant 1600.  Thought the install went well until my
users were not able to receive any e-mail, sending e-mail was ok.

Here is a quick Config rundown:

Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)

Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000
SVR SP2)

This was a fresh install.  I opted to manage my routes manually; I
already had a text printout of the routes from my NT 4.0 Firewall-1
(4.0)

Basically the first few rules look as such

Firewall                         ----->     Management     Accept
Management                 ----->     Firewall             Accept
ANY                             ----->     SMTP_SVR(NAT'ed)      Accept
SMTP_SVR(NAT'ed)      ----->     Outside_world    Accept

I also had the necessary DNS rules installed so the Mail server could do
a DNS lookup.  The strange thing is that on the Log you could see the
Firewall pass the request from the public IP of the SMTP server to the
NAT'ed address but the SMTP server never received the e-mail.

I think this is a routing problem; I am new to routing with Windows
2000.  Any ideas or a thought on what to look at next is greatly
appreciated.

Eric


 <mailto:[email protected]> Eric M Hanke
Senior Network Engineer
 <http://www.tempel.com/> Tempel Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone

------_=_NextPart_001_01C16236.7A2E1140
Content-Type: text/html;
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>


<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>S=
eems like
a lot of comments regarding FW-1 SP5 and W2K.<span =
style=3D"mso-spacerun:
yes">&nbsp; </span>I posted this a week ago found (and tested) the =
resolution.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>B=
elieve it
or not, I had to add a route on the Windows 2000 server for the =
internal server
to be NAT&#8217;ed.<span style=3D"mso-spacerun: yes">&nbsp; </span>The =
route looked
like this:<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>&=
lt;Public
IP of Server (NAT&#8217;ed)&gt; <b><span =
style=3D'font-weight:bold'>MASK</span></b>
&lt;255.255.255.255&gt; &lt;NAT&#8217;ed Address =
(Private)&gt;<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>I=
 had to
tell the Firewall that I wanted to manage my =
routes.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>T=
his route
was on my one NT 4.0 FW 4.0 firewall.<span style=3D"mso-spacerun: =
yes">&nbsp;
</span>I just overlooked it during the new =
install.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>H=
ope this
helps someone.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'>E=
ric<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle19><font size=3D2 =
color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><=
![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoAutoSig><!--[if supportFields]><span =
class=3DEmailStyle19><font=20
size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:
12.0pt;font-family:Arial'><span =
style=3D'mso-element:field-begin'></span><span=20
style=3D"mso-spacerun: yes">&nbsp;</span>AUTOTEXTLIST \s &quot;E-mail=20
Signature&quot; <span =
style=3D'mso-element:field-separator'></span></span></font></span><![end=
if]--><font
color=3Dnavy face=3DArial><span =
style=3D'font-family:Arial;color:navy'><a
href=3D"mailto:[email protected]";>Eric M Hanke</a></span></font><font =
color=3Dnavy
face=3DArial><span =
style=3D'font-family:Arial;color:navy;mso-color-alt:windowtext'><o:p></o=
:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dnavy face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:navy'>Senior Network =
Engineer</span></font><font
color=3Dnavy face=3DArial><span =
style=3D'font-family:Arial;color:navy;mso-color-alt:
windowtext'><o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dnavy face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:navy'><a =
href=3D"http://www.tempel.com/";>Tempel
Steel Company</a></span></font><font color=3Dnavy face=3DArial><span
style=3D'font-family:Arial;color:navy;mso-color-alt:windowtext'><o:p></o=
:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dnavy face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:navy'>Magnetic Steel Laminations for the
Electronic and Electrical Industries</span></font><font color=3Dnavy =
face=3DArial><span
style=3D'font-family:Arial;color:navy;mso-color-alt:windowtext'><o:p></o=
:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dnavy face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:navy'>Phone (773) =
250-8056</span></font><font
color=3Dnavy><span =
style=3D'color:navy;mso-color-alt:windowtext'><o:p></o:p></span></font><=
/p>

<p class=3DMsoNormal><!--[if supportFields]><span =
class=3DEmailStyle19><font=20
size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:
12.0pt;font-family:Arial'><span =
style=3D'mso-element:field-end'></span></span></font></span><![endif]-->=
<span
class=3DEmailStyle19><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;mso-bidi-font-size:12.0pt;font-family:Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DTahoma><span =
style=3D'font-size:
10.0pt;font-family:Tahoma;color:black'>-----Original Message-----<br>
<b><span style=3D'font-weight:bold'>From:</span></b> Hanke, Eric <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Wednesday, October =
24, 2001
4:12 PM<br>
<b><span style=3D'font-weight:bold'>To:</span></b>
[email protected]<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> Migration =
Headache</span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Hello list:<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Tried a migration (fresh install) of FW-1 4.1 last night on a =
Windows
2000 SP 2 Compaq Proliant 1600.<span style=3D"mso-spacerun: yes">&nbsp;
</span>Thought the install went well until my users were not able to =
receive
any e-mail, sending e-mail was ok.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Here is a quick Config =
rundown:<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR =
SP2)<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Checkpoint FW-1 on the GUI Client and Management Module (Windows =
2000
SVR SP2)<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></fon=
t></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>This was a fresh install.<span style=3D"mso-spacerun: =
yes">&nbsp; </span>I
opted to manage my routes manually; I already had a text printout of =
the routes
from my NT 4.0 Firewall-1 (4.0) <o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Basically the first few rules look as =
such<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Firewall<span =
style=3D'mso-tab-count:3'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; </span>-----&gt;<span
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp;&nbsp; =
</span>Management<span
style=3D"mso-spacerun: yes">&nbsp; </span><span =
style=3D'mso-tab-count:1'>&nbsp;&nbsp; =
</span>Accept<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Management<span =
style=3D'mso-tab-count:2'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span>-----&gt;<span
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp;&nbsp; </span>Firewall<span
style=3D'mso-tab-count:2'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; =
</span>Accept<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>ANY<span =
style=3D'mso-tab-count:3'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span>-----&gt;<span
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp;&nbsp; =
</span>SMTP_SVR(NAT&#8217;ed)<span
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span>Accept<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>SMTP_SVR(NAT&#8217;ed)<span =
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span>-----&gt;<span
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp;&nbsp; =
</span>Outside_world<span
style=3D'mso-tab-count:1'>&nbsp;&nbsp;&nbsp; =
</span>Accept<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>I also had the necessary DNS rules installed so the Mail server =
could do
a DNS lookup.<span style=3D"mso-spacerun: yes">&nbsp; </span>The =
strange thing is
that on the Log you could see the Firewall pass the request from the =
public IP
of the SMTP server to the NAT&#8217;ed address but the SMTP server =
never received the
e-mail.<span style=3D"mso-spacerun: yes">&nbsp; </span><o:p></o:p></span=
></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>I think this is a routing problem; I am new to routing with =
Windows
2000.<span style=3D"mso-spacerun: yes">&nbsp; </span>Any ideas or a =
thought on
what to look at next is greatly =
appreciated.<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'>Eric<o:p></o:p></span></font></span></p>

<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoNormal><span class=3DEmailStyle18><font size=3D2 =
color=3Dblack
face=3DArial><span =
style=3D'font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:
Arial'><![if =
!supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></font></span></p>=


<p class=3DMsoAutoSig><!--[if supportFields]><font color=3Dblack =
face=3DArial><span=20
style=3D'font-family:Arial;mso-bidi-font-family:"Times New =
Roman";color:black'><span=20
style=3D'mso-element:field-begin'></span><span style=3D"mso-spacerun:=20
yes">&nbsp;</span>AUTOTEXTLIST \s &quot;E-mail Signature&quot; <span=20
style=3D'mso-element:field-separator'></span></span></font><![endif]--><=
font
color=3Dblack face=3DArial><span =
style=3D'font-family:Arial;color:black'><a
href=3D"mailto:[email protected]";><font face=3D"Times New Roman"><span
style=3D'font-family:"Times New Roman"'>Eric M =
Hanke</span></font></a></span></font><font
color=3Dblack face=3DArial><span =
style=3D'font-family:Arial;color:black;mso-color-alt:
windowtext'><o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dblack face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:black'>Senior Network =
Engineer</span></font><font
color=3Dblack face=3DArial><span =
style=3D'font-family:Arial;color:black;mso-color-alt:
windowtext'><o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dblack face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:black'><a =
href=3D"http://www.tempel.com/";><font
face=3D"Times New Roman"><span style=3D'font-family:"Times New =
Roman"'>Tempel Steel
Company</span></font></a></span></font><font color=3Dblack =
face=3DArial><span
style=3D'font-family:Arial;color:black;mso-color-alt:windowtext'><o:p></=
o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dblack face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:black'>Magnetic Steel Laminations for =
the
Electronic and Electrical Industries</span></font><font color=3Dblack =
face=3DArial><span
style=3D'font-family:Arial;color:black;mso-color-alt:windowtext'><o:p></=
o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D3 color=3Dblack face=3DArial><span =
style=3D'font-size:
12.0pt;font-family:Arial;color:black'>Phone (773) =
250-8056</span></font><font
color=3Dblack><span =
style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font>=
</p>

<p class=3DMsoNormal><!--[if supportFields]><font color=3Dblack =
face=3DArial><span=20
style=3D'font-family:Arial;mso-bidi-font-family:"Times New =
Roman";color:black'><span=20
style=3D'mso-element:field-end'></span></span></font><![endif]--><font
color=3Dblack face=3DArial><span =
style=3D'font-family:Arial;mso-bidi-font-family:
"Times New Roman";color:black'><![if =
!supportEmptyParas]>&nbsp;<![endif]></span></font><font
color=3Dblack face=3DArial><span =
style=3D'font-family:Arial;mso-bidi-font-family:
"Times New =
Roman";color:black;mso-color-alt:windowtext'><o:p></o:p></span></font></=
p>

</div>

</body>

</html>

------_=_NextPart_001_01C16236.7A2E1140--

------------------------------

Date:    Wed, 31 Oct 2001 10:35:19 -0800
From:    Dan Hitchcock <[email protected]>
Subject: Multiple default routes on Nokia

As with other routers, using multiple default routes will not (as you
have observed) provide "poor man's load balancing".  You have several
options:

#1 - run BGP on your Nokia box (not recommended - this will kill an
IP110)
#2 - run something more benign like RIP, run BGP on your border routers,
and redistribute your BGP routes into RIP (this will probably also put
quite a load on your firewall, and may become an administrative
headache)

#3 - use a load-balancer product like RadWare or Foundry to dynamically
share the load across the two links
#4 - "split the internet" by creating two routes to represent the
internet.  For example, I've found in the past that a routing table like
this will give a decent balance of traffic on the links (although this
may vary greatly depending on the nature of traffic in your network):

        network         gateway
        0.0.0.0/1       router1
        128.0.0.0/2     router1
        0.0.0.0/0       router2

This will send addresses 0.0.0.0-191.255.255.255 out router1, and the
rest out router2.  You could obviously just split it in half as well,
but I found that to be lopsided in terms of utilization in my
environment.

HTH - any comments, disagreements, etc are, as always, welcome.

Dan Hitchcock


>We have a Nokia (110) and two upstream routers in parallel and would
>like the firewall to use both paths. I added both router's IP addresses

>
>plug it back in, all the traffic reverts to the second route again. Is
>there any way to set it up to use both?



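The "split the internet" table in the message above relies on longest-prefix matching. The following is an added example, not part of the original post, that resolves addresses against that table and computes how much of the IPv4 address space each gateway ends up owning. router1 and router2 are the post's placeholder gateway names, and the HALVED table is constructed here for comparison.

```python
import ipaddress

# Table from the post; "router1"/"router2" are the post's placeholder gateways.
SPLIT = [
    ("0.0.0.0/1", "router1"),
    ("128.0.0.0/2", "router1"),
    ("0.0.0.0/0", "router2"),
]

# Constructed for comparison: the plain "split it in half" variant the post mentions.
HALVED = [
    ("0.0.0.0/1", "router1"),
    ("0.0.0.0/0", "router2"),
]


def build_table(routes):
    """Parse (prefix, gateway) pairs and order them most specific first."""
    table = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, address):
    """Return the gateway of the longest matching prefix, or None if no route."""
    ip = ipaddress.ip_address(address)
    for net, gw in table:
        if ip in net:
            return gw
    return None


def address_share(table):
    """Fraction of the IPv4 space each gateway wins under longest-prefix match.

    Each route owns the addresses it covers minus whatever a more specific
    route has already claimed. This measures address space only; as the post
    notes, the actual traffic balance depends on where your traffic goes.
    """
    claimed = []  # networks already won by more specific routes
    owned = {}
    for net, gw in table:
        pieces = [net]
        for taken in claimed:
            remaining = []
            for piece in pieces:
                if taken.subnet_of(piece):
                    # Carve the claimed block out of this piece
                    # (yields nothing when the two are identical).
                    remaining.extend(piece.address_exclude(taken))
                elif piece.subnet_of(taken):
                    continue  # piece is fully covered by a more specific route
                else:
                    remaining.append(piece)
            pieces = remaining
        owned[gw] = owned.get(gw, 0) + sum(p.num_addresses for p in pieces)
        claimed.append(net)
    total = 2 ** 32  # whole IPv4 space; both tables carry a default route
    return {gw: count / total for gw, count in owned.items()}


if __name__ == "__main__":
    split = build_table(SPLIT)
    # Sample destinations (constructed) on either side of the 192.0.0.0 boundary.
    for addr in ("10.1.2.3", "130.5.0.1", "191.255.255.255", "192.0.0.0", "203.0.113.7"):
        print(f"{addr:<16} -> {lookup(split, addr)}")
    print("split table share :", address_share(split))
    print("halved table share:", address_share(build_table(HALVED)))
```
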
------------------------------

Date:    Wed, 31 Oct 2001 19:43:24 -0800
From:    Wesley Maness <[email protected]>
Subject: Re: Nokia and log manipulation

To All:

Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can
parse large amounts of logs (fw logs) and recreate attack sequences
(their paths) etc.?

Thanks...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
Sent: Wednesday, October 31, 2001 3:34 AM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also
parse and process the system logs as well.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim
Holman
Sent: 30 October 2001 22:05
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Webtrends ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam
Denton
Sent: 23 October 2001 10:21
To: [email protected]
Subject: [FW-1] Nokia and log manipulation



Is there any way to manipulate log file data on the Nokia Platform (IP330
running FW-1 4.1 SP4)?

Thanks

Sam




------------------------------

Date:    Thu, 1 Nov 2001 00:51:23 +0800
From:    "Ghosh, Debashis (CORP, CIM)" <[email protected]>
Subject: Re: Nokia and log manipulation

Personally I would stick with Webtrends to analyse the firewall logs. If
you are looking to detect attack sequences however, there is no easy
way...you need an IDS....you can try a freeware like SNORT which has
amazing capabilities.

-----Original Message-----
From: Nick Ellenden [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 10:26 PM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

I don't work for OpenService (which is OPSEC compliant), but to toot
their horn a little, you can configure the filter rules in OpenService
to parse the data as you wish; this could then be used to re-create such
paths, although most reasonable attackers will spoof or otherwise
obscure their own trail. You might also want to check out e-Security
Inc products, they may have evolved a processing approach as well now.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wesley
Maness
Sent: 01 November 2001 04:43
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


To All:

Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can
parse large amounts of logs (fw logs) and recreate attack sequences
(their paths) etc.?

Thanks...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
Sent: Wednesday, October 31, 2001 3:34 AM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also
parse and process the system logs as well.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim
Holman
Sent: 30 October 2001 22:05
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Webtrends ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam
Denton
Sent: 23 October 2001 10:21
To: [email protected]
Subject: [FW-1] Nokia and log manipulation



Is there any way to manipulate log file data on the Nokia Platform (IP330
running FW-1 4.1 SP4)?

Thanks

Sam



**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
Dimension Data mail system for the presence of computer viruses.

www.uk.didata.com
**********************************************************************




------------------------------

Date:    Wed, 31 Oct 2001 17:04:31 -0000
From:    Sam Denton <[email protected]>
Subject: Automatic Saving of Log Files

Is there any way to automatically save the log files, say once a day?

At the moment I go to the logging module and then click file ----->
save.

I have to do this daily. I would like to do this manually.

Thanks in advance

Sam


------------------------------

Date:    Wed, 31 Oct 2001 13:52:55 -0000
From:    Sam Denton <[email protected]>
Subject: Re: Incorrect NAT translation

Hmm... try letting FW-1 auto configure the NAT.

-----Original Message-----
From: Rory Stewart [ mailto:[email protected]
<mailto:[email protected]> ]
Sent: Wednesday, October 31, 2001 1:46 PM
To: [email protected]
Subject: [FW-1] Incorrect NAT translation


Has anyone heard of a problem with NAT translation resolving the http
address as the internal ip address rather than the external ip address?

We are setting up an http accelerator behind our Nokia 440 firewall
where the box must be "seen" from the outside.
I have configured address translation manually from the internal to
external and back.
Created both internal and external ip's as workstations. (Tried putting
external ip into NAT tab of internal but made no difference).

Entered "any external any accept" and "internal any any accept" on the
security policy tab.
Finally, went on to voyager and created static route to internal ip
address range and put a proxy arp of the external ip address on the
external firewall interface ( where they are both in the same ip range
).

We know our accelerator sees our pings but does not reply. We have our
laptop gui in front of the firewall and behind our ext router, and from
there we can enter our accelerator happily using internal ip address but
not external.

From outside the network, the http string automatically changes from
external to internal then times out again the accelerator sees these
http requests but does not reply.

We are so close to cracking it (or ourselves!).
Please, does anyone know what the missing piece of the jigsaw is?



regards,

Rory Stewart
Systems Engineer

[email protected]


------------------------------

Date:    Wed, 31 Oct 2001 15:25:30 +0100
From:    Nick Ellenden <[email protected]>
Subject: Re: Nokia and log manipulation

Hi,

I don't work for OpenService (which is OPSEC compliant), but to toot
their horn a little, you can configure the filter rules in OpenService
to parse the data as you wish; this could then be used to re-create such
paths, although most reasonable attackers will spoof or otherwise
obscure their own trail. You might also want to check out e-Security
Inc products, they may have evolved a processing approach as well now.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Wesley
Maness
Sent: 01 November 2001 04:43
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


To All:

Can anyone suggest a product (working in cahoots with FW-1 and others,
either via OPSEC or other means) that can
parse large amounts of logs (fw logs) and recreate attack sequences
(their paths) etc.?

Thanks...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Nick
Ellenden
Sent: Wednesday, October 31, 2001 3:34 AM
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Hi,

You might want to check out OpenService, they also make an agent server
system which also works on Solaris and Windows for FW1, it can also
parse and process the system logs as well.


Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tim
Holman
Sent: 30 October 2001 22:05
To: [email protected]
Subject: Re: [FW-1] Nokia and log manipulation


Webtrends ?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Sam
Denton
Sent: 23 October 2001 10:21
To: [email protected]
Subject: [FW-1] Nokia and log manipulation



Is there any way to manipulate log file data on the Nokia Platform (IP330
running FW-1 4.1 SP4)?

Thanks

Sam




------------------------------

Date:    Thu, 1 Nov 2001 00:59:01 +0800
From:    "Ghosh, Debashis (CORP, CIM)" <[email protected]>
Subject: CLM and Linux

I am trying to run a Checkpoint Centralised Log Module (CLM) on a Red
Hat Linux 7.0 box. All my 20 Firewalls log to this server. Previously
this box was running NT.....we recently migrated this to a Linux
box....now we face a strange issue....every time we reboot the server it
goes off the network. I then need to do a fw ctl uninstall and fw ctl
install .....then it comes back on the network. I have tried with a
different box and we face the same issue. Has anybody faced a similar
problem with CLM on Linux??



------------------------------

Date:    Thu, 1 Nov 2001 10:50:38 +0800
From:    "K.H. Cheung" <[email protected]>
Subject: Using SAM on CP4.1

Hi all,

  Has anyone tried SAM on CheckPoint Firewall 4.1?  Did you encounter any
problems using SAM?


KH Cheung
HKUST

------------------------------

Date:    Wed, 31 Oct 2001 18:54:04 -0800
From:    Bill Husler <[email protected]>
Subject: Re: Multiple Default Routes on Nokia

Thanks Rodrigo,
   That's what it looked like, I was hoping I missed something.
Bill

On Wednesday, October 31, 2001, at 09:14 AM, Rodrigo Borges wrote:

> The only way to do that is to configure half of the stations with a default
> gateway to the first router and the other half with a default router to the
> second router.
>
> Rodrigo
>
> -----Original Message-----
> From: Bill Husler [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 3:22 PM
> To: [email protected]
> Subject: [FW-1] Multiple Default Routes on Nokia
>
>
> We have a Nokia (110) and two upstream routers in parallel and would
> like the firewall to use both paths. I added both routers' IP addresses
> in the static routes panel in voyager for default and gave them both the
> same priority (the help panel says this will consider them equivalent),
> but when I set up a station before the firewall and continuously ping a
> station beyond the routers, it appears to only utilize the second entry.
> If I unplug its ethernet cable, the other route comes alive, but if I
> plug it back in, all the traffic reverts to the second route again. Is
> there any way to set it up to use both?
> Bill

------------------------------

Date:    Thu, 1 Nov 2001 11:19:43 +0800
From:    Simon Kwek <[email protected]>
Subject: Simon KWEK/EDB is out of the office.

I will be out of the office starting  11/01/2001 and will not return until
11/15/2001.

I will respond to your message when I return.

------------------------------

Date:    Thu, 1 Nov 2001 14:42:07 +1100
From:    Rajesh <[email protected]>
Subject: VPN

Hi,

I need some information on VPN. I am running Checkpoint Firewall-1
ver 4.1 on an E220R (Solaris 2.6) machine. I don't have a license for
encryption. Do I need to have a license for encryption to configure
VPN?

Is there any documentation for VPN on the web?

Thanks,
Rajesh.

Unix System Administrator
State Library of NSW
Macquire Street
Sydney - 2000

Email: [email protected]
Ph: 02-92731711



====================================
This email and any attachments to it are privileged and confidential. If you
are not the intended recipient, please notify the sender and delete it. The
contents of this email are not given or endorsed by the State Library of New
South Wales unless otherwise indicated by an authorised officer of the
Library. Copyright law may also apply to this contents of this email.
====================================

------------------------------

Date:    Wed, 31 Oct 2001 21:11:11 -0800
From:    Ramakrishnan <[email protected]>
Subject: A strange problem with citrix connection through CP -1 SP2

Hi all,

One of our customers has a strange problem in
allowing citrix client through his firewall. The web
client of citrix works fine through the firewall. But
if the native citrix client is used, the firewall
responds to requests for 5 to 6 sessions and does not allow
sessions thereafter. Even if the sessions are
disconnected and retried, the sessions do not get
established.

If we restart the firewall, then it allows 6 more
sessions.

We have changed the source port range, removed NATting.
Still the problem continues.

We understand that the FW stops dropping packets.

Has anybody faced similar problems? Please suggest a
solution.

The option of upgrading the SP is ruled out.

A ticket has been opened in citrix and CP for the
same.

Any ideas?

Rama


------------------------------

Date:    Thu, 1 Nov 2001 14:41:44 +0800
From:    Kok-Hong <[email protected]>
Subject: NAT on PDS2100

Hmm, I thought I had this nailed. But when I tried to add additional
machines with static NAT, I'm getting reply from ip xxx.xxx.xxx.xxx
:destination port unreachable.

The ARP is already published. And static route added to map ext. ip to the
internal host. Default route on the internal host is pointing to pds2100 as
the default gw. Host is able to ping the pds2100 internal interface, but
unable to reach the external.

Basically perform the following:
1) Edit/publish ARP on PDS2100
2) Add static route mapping for ext ip to internal ip
3) Create workstation object with internal ip and automatic static external
ip.
4) Add object into existing rules for other NAT host.
5) Publish policy
6) FWSTOP FWSTART.

but unable to get NAT working.

Any ideas?

Rgds,
Kok-Hong
Beenet Singapore Pte Ltd
31 International Business Park
#03-05 Creative Resource Building
Singapore 609921
Tel: +65-822-8108
Fax: +65-822-8107



------------------------------

Date:    Thu, 1 Nov 2001 08:51:58 +0200
From:    Levent Can Ersoydan <[email protected]>
Subject: Re: Nokia and log manipulation

Have you got an FW-1 4.1 user guide PDF or other print-ready document?

thank you

Thursday, November 01, 2001, 5:43:24 AM, you wrote:

WM> To All:

WM> Can anyone suggest a product (working in cahoots with FW-1 and others,
WM> either via OPSEC or other means) that can
WM> parse large amounts of logs(fw logs) and recreate attack sequences
WM> (their paths) etc ?

WM> Thanks...

WM> -----Original Message-----
WM> From: Mailing list for discussion of Firewall-1
WM> [mailto:[email protected]]On Behalf Of Nick
WM> Ellenden
WM> Sent: Wednesday, October 31, 2001 3:34 AM
WM> To: [email protected]
WM> Subject: Re: [FW-1] Nokia and log manipulation


WM> Hi,

WM> You might want to check out OpenService, they also make an agent server
WM> system which also works on Solaris and Windows for FW1, it can also
WM> parse and process the system logs as well.


WM> Bestest,

WM> nick

WM> -----Original Message-----
WM> From: Mailing list for discussion of Firewall-1
WM> [mailto:[email protected]]On Behalf Of Tim
WM> Holman
WM> Sent: 30 October 2001 22:05
WM> To: [email protected]
WM> Subject: Re: [FW-1] Nokia and log manipulation


WM> Webtrends ?

WM> -----Original Message-----
WM> From: Mailing list for discussion of Firewall-1
WM> [mailto:[email protected]]On Behalf Of Sam
WM> Denton
WM> Sent: 23 October 2001 10:21
WM> To: [email protected]
WM> Subject: [FW-1] Nokia and log manipulation



WM> Is there any way to manipulate log file data on the Nokia Platform (IP330
WM> running FW-1 4.1 SP4)?

WM> Thanks

WM> Sam








--
Levent C. Ersoydan
Comnet Iletisim Hizmetleri A.S.
Tel:

------------------------------

Date:    Thu, 1 Nov 2001 08:23:03 +0100
From:    Alexander Hoogerhuis <[email protected]>
Subject: Re: VPN with OSPF for Failover

My bad, I confused it with MOSPF and the M did something in my head
late at night. But you are correct, you can configure OSPF to work
about the fact that frame relay is inherently non-broadcast.

mvh,
A

"Vega, Juan R, SOBUS" <[email protected]> writes:

> OSPF is multicast depending on what "network type" is configured.  For
> instance in a broadcast environment, OSPF peers will speak with the DR and
> BDR on a special multicast 224.0.0.5.  The same is true for Frame Relay
> which is by default a non-broadcast network type and will use multicast.
> This can easily be avoided though through OSPF network manipulation on the
> Cisco routers.
>
> Juan Vega
>
> -----Original Message-----
> From: Alexander Hoogerhuis [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 8:51 PM
> To: [email protected]
> Subject: Re: [FW-1] VPN with OSPF for Failover
>
>
> From what you describe, and without not knowing his requirements for
> security, I think you are going to have a major headache with getting
> a favourable assessment from an independent third party.
>
> You state little about the bandwidths involved, so I cannot tell you
> whether it will hold up. The 7140's are a somewhat limited and dated
> design (and my memory cannot tell me whether you get VPN-accelerators
> for the 7140s?).
>
> And reading the reasoning presented by your customer with regards to
> why FW-1 won't cut it is somewhat strange. OSPF is not multicast, and
> will work quite well with FW-1 on at least Solaris and Linux. And why
> IPSec should not handle multicast traffic is to me a mystery (and I
> hold CCNP/CCDP and should have a clue).
>
> Since you are implementing hub and spoke for the frame bit, it will
> not help to have a secondary location hooked into the central
> point, as you gain zero failover capability (i.e. if the pipe fails
> into the central location you are hosed anyways).
>
> cheers,
> Alexander
>
> "Cardona, Alberto" <[email protected]> writes:
>
> > What I want to do is for my friend's remote vpn sites (10) to fail over to
> > his secondary VPN HUB.
> > Here is his scenario.
> >
> > He just got acquired by another company.
> > His current company relies on a Full blown IPsec VPN mesh with a backup
> > ISDN.
> > He is running Voice over IP thru his IPsec 3DES VPN.
> >
> > This new company relies on a LARGE Frame network that runs OSPF on Cisco's.
> > They now want to implement a VPN running OSPF because they use OSPF.
> > They installed a frame link from his location (New York) to their
> > headquarters (Detroit).
> > Now they want to implement a secondary location (Houston) which has an
> > internet connection and a frame connection
> > back into the headquarters (Detroit).
> > They want this secondary location (Houston) to be a backup in case his
> > location (New York) fails for his remote sites.
> >
> > Someone within this new company mentioned that his current Nokia/Check Point
> > solution won't work with the
> > failover design because IPsec can't handle multicast broadcast traffic (ex
> > OSPF).
> > They need to run OSPF for a failover design.
> >
> > Their solution is to REMOVE all of his Nokia/Check Point and implement a
> > Cisco Router based VPN design.
> > Cisco's 1750 for Remote sites and 7140 for each Hub.
> > Each router both remote site and hub will have Cisco's firewall/IDS package
> > and encryption module
> > The Cisco's VPN tunnels are going to be using GRE encapsulation for the
> > OSPF.
> > In case of a failover to the Secondary HUB and OSPF will update the Frame
> > network regarding the failover.
> > IPsec 3DES for the data encryption.
> > This new design is not going to be a MESH but a Hub and Spoke.
> >
> > His problem with this HUB and SPOKE design is this.
> >
> > 1).  He is afraid because this design relies on a 1 tier security design.
> >      The Cisco's routers will be handling the VPN, Routing Protocols,
> > Firewall, and IDS on each router.
> >      His current design is 2 tier level.
> >      Cisco for the Internet router and Nokia/Check Point for VPN/Firewall
> >
> > 2).  He thinks his Voice over IP will fail between remote sites because the
> > MESH will be gone.
> >
> > 3).  The performance on the Cisco.  Would they be able to handle the load?
> >      Since they will be doing everything. (VPN, Routing, and IDS)
> >
> > Has anyone implemented this solution?
> >
> >
> >
> > AC
> >
> >
> >
> > -----Original Message-----
> > From: Chris Arnold [mailto:[email protected]]
> > Sent: Wednesday, October 24, 2001 10:12 PM
> > To: 'Cardona, Alberto '; '[email protected] '
> > Subject: RE: [FW-1] VPN with OSPF
> >
> >
> > That depends on what you mean by "running site to site IPsec VPNs and using
> > OSPF."  Do you mean tunneling OSPF through an IPSec tunnel for some reason
> > or using OSPF to route traffic to available VPN endpoints before going
> > through a tunnel or on your edge routers once your VPN traffic has been
> > encapsulated?
> >
> > Chris
> >
> > -----Original Message-----
> > From: Cardona, Alberto
> > To: [email protected]
> > Sent: 10/24/01 4:16 PM
> > Subject: [FW-1] VPN with OSPF
> >
> > Is anyone running site to site IPsec VPNs and using OSPF?
> > If so did you have to implement GRE?
> >
> >
> > Thanks
> >
> >
> > AC
> >
>
> --
> Alexander Hoogerhuis
> FYI: perl -e 'print
> $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
>

--
Alexander Hoogerhuis
FYI: perl -e 'print
$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
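
The addressing question this thread turns on, as an added example that is not part of any poster's message: a native OSPF Hello is sent to the multicast group 224.0.0.5 quoted above, while the same Hello inside GRE travels under a unicast outer header between the two tunnel endpoints, which is what a site-to-site policy keyed on the gateway addresses selects. All addresses, packets and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

PROTO_GRE, PROTO_OSPF = 47, 89            # IANA IP protocol numbers
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
IP_HDR = "!BBHHHBBH4s4s"                  # 20-byte IPv4 header, no options

def ipv4(src, dst, proto, payload=b"", ttl=64):
    """Build a constructed IPv4 packet (header checksum left at 0)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def ospf_hello(router_id, area="0.0.0.0"):
    """24-byte OSPFv2 common header with type 1 (Hello); body omitted."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24, IPv4Address(router_id).packed,
                       IPv4Address(area).packed, 0, 0, b"\0" * 8)

def gre(inner):
    """Basic 4-byte GRE header (no checksum/key/sequence) carrying IPv4."""
    return struct.pack("!HH", 0, 0x0800) + inner

def layers(pkt):
    """Return [(name, src, dst, dst_is_multicast), ...], outermost first."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    src, dst, body = IPv4Address(src), IPv4Address(dst), pkt[ihl:total]
    if proto == PROTO_OSPF:
        if len(body) < 24 or body[0] != 2:
            raise ValueError("truncated or non-v2 OSPF header")
        name = "OSPF " + OSPF_TYPES.get(body[1], "type %d" % body[1])
        return [(name, str(src), str(dst), dst.is_multicast)]
    if proto == PROTO_GRE:
        if len(body) < 4 or struct.unpack("!HH", body[:4]) != (0, 0x0800):
            raise ValueError("only plain GRE carrying IPv4 is handled here")
        return [("GRE", str(src), str(dst), dst.is_multicast)] + layers(body[4:])
    return [("IP proto %d" % proto, str(src), str(dst), dst.is_multicast)]

def matches_gateway_pair(pkt, local_gw, remote_gw):
    """True if the outermost header is unicast local_gw -> remote_gw, i.e. what
    a site-to-site policy keyed on the two gateway addresses would select."""
    _, src, dst, mcast = layers(pkt)[0]
    return not mcast and (src, dst) == (local_gw, remote_gw)

# Constructed sample traffic; all addresses are documentation/private ranges.
LOCAL_GW, REMOTE_GW = "192.0.2.1", "198.51.100.1"
native = ipv4("10.0.0.1", "224.0.0.5", PROTO_OSPF, ospf_hello("10.0.0.1"), ttl=1)
wrapped = ipv4(LOCAL_GW, REMOTE_GW, PROTO_GRE, gre(native))

for label, pkt in (("native", native), ("GRE-wrapped", wrapped)):
    print(label, layers(pkt), matches_gateway_pair(pkt, LOCAL_GW, REMOTE_GW))
```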

------------------------------

Date:    Thu, 1 Nov 2001 00:15:35 -0700
From:    James Lee Bell <[email protected]>
Subject: Re: Automatic Saving of Log Files

And if you do happen to be running the management module on an NT box,
you can do something similar to all the "cron" answers you've gotten
from the *nix guys using "at".  Make certain the scheduler service is
running, and run "at /?" at a command prompt to get the command line
syntax. In one case I've set up in the past, I "rotated" the logs every
8 hours at midnight, 8am, 4pm with something like:

at 12:01am /every:m,t,w,th,f,s,su fw logswitch
at 8:01am /every:m,t,w,th,f,s,su fw logswitch
at 4:01pm /every:m,t,w,th,f,s,su fw logswitch

Then do "at" by itself to view them.

Sam Denton wrote:
>
> Is there any way to automatically save the log files, say once a day?
>
> at the moment I go to the logging module and then click file ----->
> save.
>
> I have to do this daily. I would like to do this manually.
>
> Thanks in advance
>
> Sam

------------------------------

End of FW-1-MAILINGLIST Digest - 30 Oct 2001 to 31 Oct 2001 (#2001-28)
**********************************************************************




 
   All contents © 2004 Network Presence, LLC. All rights reserved.