Re: [FW-1] FW-1-MAILINGLIST Digest - 4 Nov 2001 to 5 Nov 2001 (#2001-34)
> -----Original Message-----
> From: Automatic digest processor [mailto:[email protected]]
> Date: Tuesday, 6 November 2001 09:01
> To: Recipients of FW-1-MAILINGLIST digests
> Subject: FW-1-MAILINGLIST Digest - 4 Nov 2001 to 5 Nov 2001 (#2001-34)
>
> There are 39 messages totalling 2060 lines in this issue.
>
> Topics of the day:
>
> 1. multicast on Checkpoint FW-1
> 2. FW1 v4.1 on NT 4, Single external IP
> 3. Bernard Lee/RMD/Raytheon/CA is out of the office.
> 4. SecureClient - No Policy
> 5. Multiple default routes on Nokia (2)
> 6. Checkpoint NG (2)
> 7. Arp messages (2)
> 8. virtual ip address on sun 2.6 hardened build (3)
> 9. Cliff Payne/CAMBAR is out of the office.
> 10. Error opening Lotus Notes databases (8)
> 11. Changing firewall object IP address (3)
> 12. direction?? (6)
> 13. SMTP Security Server Rejecting/Ignoring Mail
> 14. Thanks and g'bye
> 15. Adding bad IP to firewall
> 16. Eric Fauchereau is out of the office.
> 17. Pix - firewall keeps going up and down....loses connection, then comes back
> 18. I have Checkpoint NG SOHO running at point A, B, and C. I have ...
> 19. Ray Warrier/Health/Torex is out of the office.
> 20. Pix - firewall keeps going up and down....loses connection, then comes back
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>
> ----------------------------------------------------------------------
>
> Date: Mon, 5 Nov 2001 10:07:11 +0200
> From: "Haapala, Juuso" <[email protected]>
> Subject: Re: multicast on Checkpoint FW-1
>
> Hello Christophe,
>
> I've been trying to set up multicast routing in 4.1/SP3 running on Linux
> Redhat 7.0 and by using mrouted... and it didn't work. If firewall's not
> running, then routing works. When FW module is up, rule 0 anti-spoofing
> stops multicast packets by default. I've set antispoofing off in interface
> level, but it doesn't work. Among checkpoint local support, they say rule 0
> is enforced in kernel level and cannot be altered by configuring rules.
>
> I did some minor kernel hacking but it still wouldn't work.
>
> Officially multicast routing is not supported by checkpoint.
>
> The basic problem why this is not supported by Checkpoint is that it's a
> major security issue because multicast addresses are not individual machine
> addresses, rather services...
>
> If you really get this working with mrouted, please let me know.
>
> -----Original Message-----
> From: Christophe Barberet [mailto:[email protected]]
> Sent: 2 November 2001 12:14
> To: [email protected]
> Subject: [FW-1] multicast on Checkpoint FW-1
>
> Hi everybody,
>
> How may I enable multicast on my Checkpoint FW-1?
>
> Any idea?
>
> Christophe Barberet
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 09:24:29 +0100
> From: Patrick Lotti <[email protected]>
> Subject: Re: FW1 v4.1 on NT 4, Single external IP
>
> Regarding other posts:
> It's done with "Logical Web Servers", not with NAT.
> Requires "load balancing" feature!
>
> I just don't remember right now, I think routing wasn't
> necessary. But if routing was necessary: It does work
> if the servers are in the same lan segment!
>
> Search CP KB (public) for
> "How to set up a Web Server behind the FireWall-1 external IP address"
> The "Solution" is not very clear, so I kept notes:
> ---
> But the checkpoint solution works fine. Note to point 4: Set "Server
> Type" to "Other" and "Balance Method" to "Random". Only one rule to
> allow access to the logical server is required.
> If you try to set "Server Type" to "HTTP" then the firewall will send
> "HTTP redirects" out, even if you use a private ip address for your
> server...
> ---
> And it forgets one thing: You must allow ICMP echo request from the
> firewall to the servers, and allow ICMP echo replies from them back
> to the firewall. The servers must be running, then restart the
> firewall.
> ---
>
> Best Regards,
> Patrick
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 01:00:56 -0800
> From: [email protected]
> Subject: Bernard Lee/RMD/Raytheon/CA is out of the office.
>
> I will be out of the office from 11/03/2001 until 11/13/2001.
>
> I will respond to your message when I return.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 10:16:33 +0100
> From: Joern Seemann <[email protected]>
> Subject: SecureClient - No Policy
>
> Hi!
>
> I have massive problems with a VPN-1 SP4 and SecureClient. I have a VPN-1
> Module on the Internet and a Management-Console with a private IP (which
> has a public ip via nat). SecuRemote works fine with Hybrid IKE and
> SecurID-Authentication.
>
> Now I'm trying to use SecureClient. I read several docs but nothing helps;
> there will be no policy download. SecureClient always says "Allow All"
> and the other options are grayed out. When I try to connect to the
> Policy-Server the Authentication works but there is no message about
> the Status like "The Policy has changed" or so. Even the firewall
> logs show nothing unusual.
>
> Any advice is appreciated.
>
> Regards Jörn
> --
> overnewsed but underinformed
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 09:58:21 -0000
> From: Rodrigo Borges <[email protected]>
> Subject: Re: Multiple default routes on Nokia
>
> You know that BGP won't do load-balancing... :)
>
> -----Original Message-----
> From: Bill Husler [mailto:[email protected]]
> Sent: Friday, November 02, 2001 3:03 PM
> To: [email protected]
> Subject: Re: [FW-1] Multiple default routes on Nokia
>
> > Dan,
> > Thanks for the great response, luckily the 110 is only in the lab and
> > would not be pressed into service in this sort of environment.
> > Would option 1 (BGP) be viable if there were a pair of 530s and a pair
> > of routers supporting a multiple DS3 internet connection.
> > Bill
> >
> > On Wednesday, October 31, 2001, at 10:35 AM, Dan Hitchcock wrote:
> >
> >> As with other routers, using multiple default routes will not (as you
> >> have observed) provide "poor man's load balancing". You have several
> >> options:
> >>
> >> #1 - run BGP on your Nokia box (not recommended - this will kill an
> >> IP110)
> >> #2 - run something more benign like RIP, run BGP on your border
> >> routers, and redistribute your BGP routes into RIP (this will probably
> >> also put quite a load on your firewall, and may become an
> >> administrative headache)
> >> #3 - use a load-balancer product like RadWare or Foundry to
> >> dynamically share the load across the two links
> >> #4 - "split the internet" by creating two routes to represent the
> >> internet. For example, I've found in the past that a routing table
> >> like this will give a decent balance of traffic on the links (although
> >> this may vary greatly depending on the nature of traffic in your
> >> network):
> >>
> >> network        gateway
> >> 0.0.0.0/1      router1
> >> 128.0.0.0/2    router1
> >> 0.0.0.0/0      router2
> >>
> >> This will send addresses 0.0.0.0-191.255.255.255 out router1, and the
> >> rest out router2. You could obviously just split it in half as well,
> >> but I found that to be lopsided in terms of utilization in my
> >> environment.
> >>
> >> HTH - any comments, disagreements, etc are, as always, welcome.
> >>
> >> Dan Hitchcock
> >>
> >>> We have a Nokia (110) and two upstream routers in parallel and would
> >>> like the firewall to use both paths. I added both router's IP
> >>> addresses
> >>> plug it back in, all the traffic reverts to the second route again. Is
> >>> there any way to set it up to use both?
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 10:56:20 +0100
> From: Andrea Paparelli <[email protected]>
> Subject: Checkpoint NG
>
> Hi all, I'm running Checkpoint NG on a Sun Netra T1 with Solaris 8.
> During this weekend I noticed that one of my boxes stopped responding
> to the http service apparently without any reason.
> Looking at the log file the only thing that came up to me was that
> the service started to respond as "packet out of state".
> Now I'm trying to modify tcptimeouts or connections tables but
> does anybody know why this happened or how I can prevent this from
> happening again?
> The NG box performs a static nat and the only services that are allowed
> on the "hidden" servers are just http and https.
>
> Regards,
> Andrea
>
> ==========================================
> Andrea Paparelli
> Senior System Administrator
>
> E-mail: [email protected]
> www.integra-europe.it www.genuity.com
>
> Integra is now part of Genuity
> Integra / Genuity
> Via Muzio Attendolo 4
> I-20141 Milano Italy
> Tel.: +39 02 45444.1
> Fax.: +39 02 45444.300
> ==========================================
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 03:00:24 -0800
> From: Adeyemi Atanda <[email protected]>
> Subject: Arp messages
>
> 4 of my machines are sending/receiving repeated arp
> messages from strange ip addresses that do not belong
> to my network. My network is of type 9.9.1.xx and the
> strange adds are of type 9.9.yy.xx. This is depleting
> my bandwidth performance. Could this be a security
> issue?
> Does anyone know what I should do?
> Your urgent response will be appreciated.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 12:42:13 +0100
> From: [email protected]
> Subject: virtual ip address on sun 2.6 hardened build
>
> hi
>
> i have a sun 2.6 hardened build. i try to get one
> interface to accept a second virtual ip address.
> i tried arp -s ip mac as described in phoneboy.
> tried everything on phoneboy nothing worked.
> as soon as i reboot the machine the address is
> gone.
> any ideas ???
> tia
> rolf
>
> Visit our website at http://www.ubswarburg.com
>
> This message contains confidential information and is intended only
> for the individual named. If you are not the named addressee you
> should not disseminate, distribute or copy this e-mail. Please
> notify the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system.
>
> E-mail transmission cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. The sender therefore
> does not accept liability for any errors or omissions in the contents
> of this message which arise as a result of e-mail transmission. If
> verification is required please request a hard-copy version. This
> message is provided for informational purposes and should not be
> construed as a solicitation or offer to buy or sell any securities or
> related financial instruments.
>
> ------------------------------
>
> Date: Tue, 6 Nov 2001 02:13:04 +1230
> From: Symon Thurlow <[email protected]>
> Subject: Re: Arp messages
>
> Check your subnet mask is correct.
>
> Symon
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 06:59:18 -0500
> From: [email protected]
> Subject: Cliff Payne/CAMBAR is out of the office.
>
> I will be out of the office starting 11/03/2001 and will not return until
> 11/11/2001.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 14:01:19 +0100
> From: David Gasca <[email protected]>
> Subject: Error opening Lotus Notes databases
>
> Hi everyone!
>
> I'm using SecuRemote client on windows 98 station. Everything is working,
> but when I tried to open a Lotus Notes DataBase, I obtained a TCP/IP
> communication error.
> My SecuRemote server is a 4.1 SP4 on a NT machine.
>
> Has anyone experienced any similar problem with Lotus Notes?
>
> Thanks everyone!
>
> David Gasca
> [email protected]
> Alberto Alcocer 46B
> Madrid, Spain
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 08:15:47 -0500
> From: "Barkell, Bill" <[email protected]>
> Subject: Re: virtual ip address on sun 2.6 hardened build
>
> Try this:
>
> 1) hostname# ifconfig qfe0:3 plumb
> 2) hostname# ifconfig qfe0:3 192.168.199.23 netmask 255.255.255.0 up
> 3) then create a file /etc/hostname.qfe0:3
>    hostname# vi /etc/hostname.qfe0:3
>    This file should only have one entry: mynewservername.mycompany.com
>    This name will then map to the new virtual interface you just created.
>
> Hope that helps.
>
> Bill Barkell
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 15:20:40 +0200
> From: Szemely Arpad <[email protected]>
> Subject: Re: Error opening Lotus Notes databases
>
> You have to let the port 1352 (I think that is Domino Lotus Notes) port open
> for communication
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 09:10:44 -0500
> From: [email protected]
> Subject: Re: Error opening Lotus Notes databases
>
> Could be a number of things. I am assuming that you refer to your Lotus
> system using an unqualified name so the first thing to check is DNS. If
> you are using a DSL connection (especially one using PPPoE) it is possible
> that you are running into an issue with the MTU. We have had a few people
> with this problem. They are able to authenticate and can ping things fine
> but connectivity to Notes is terrible. Dropping the MTU to 1428 resolves
> this.
>
> Keith White
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 15:35:30 +0100
> From: [email protected]
> Subject: Re: virtual ip address on sun 2.6 hardened build
>
> hi Bill
>
> thanks it's working.
>
> rolf
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 10:03:17 -0500
> From: "Hawkins, Michael" <[email protected]>
> Subject: Changing firewall object IP address
>
> Hello Checkpoint world,
>
> We have a Checkpoint 4.0 Stonebeat HA unit containing two firewalls.
>
> The original people who put it together used a particularly weird
> configuration that has the firewall objects' IP addresses set to the
> heartbeat interface IP address between the two firewalls.
>
> Apart from being the wrong way to do it, this configuration makes it
> impossible to view the logs from a management workstation inside our network.
> The only place you can get to the logs is a machine actually on the
> heartbeat network.
>
> So now we want to change the IP address of the firewall objects to arped
> inside addresses. Stonebeat switches the inside IP from one firewall to the
> other. So I intend to ARP two new addresses on the inside interfaces.
>
> Those new addresses will become the new IP addresses for the firewall
> objects in Firewall-1.
>
> Will this work? Am I missing something that would need to be done in
> addition? I only ask because these firewalls are very production sensitive
> so I appreciate anyone's comments on my design change idea.
>
> Also, these firewalls have VPNs going out to several sites. Will changing
> the firewall objects necessitate refreshing keys or not? I don't think I
> need to refresh keys but I'm not sure.
>
> Guess I should go do that Firewall-1 training right?
>
> Thanks in advance,
>
> Mike H
>
> <<Disclaimer>>
>
> This electronic mail is intended only for the use of the addressee(s) named
> herein. Unless otherwise specifically stated, the views contained and
> expressed in this electronic mail are strictly those of the individual
> sender and are not the views of the Company or any of its Directors or other
> employees. If you are not the intended recipient of this electronic mail,
> you are hereby notified that any dissemination, distribution or copying of
> this electronic mail is strictly prohibited. If you received this electronic
> mail in error please immediately notify us by return electronic mail and
> delete this electronic mail from your system.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 16:17:57 +0100
> From: David Gasca <[email protected]>
> Subject: Re: Error opening Lotus Notes databases
>
> First of all, in the past we had problems with MTU when trying
> authentication with firewall-1. This issue only has happened on Windows 98
> stations. And we solved it. I don't think that Lotus Domino Server needs
> another MTU, because then we couldn't be authenticated by firewall-1 (using
> FWZ with DES enc.). Our clients connect to our VPN with a modem (dial-in).
>
> About the rule allowing port 1352, we have a rule that says: ANY OUR
> DOMAIN ANY(SERVICE) CLIENT ENCRYPT.
> I think that this rule will grant access to any service, including port
> 1352. Isn't it?
>
> Thanks for your answers.
>
> David Gasca
> [email protected]
> Alberto Alcocer 46B
> Madrid, Spain
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 07:40:38 -0800
> From: erik witkop <[email protected]>
> Subject: direction??
>
> I am missing an important fundamental. In my rule base, I can change the
> pull down menu for the direction to inbound, outbound, or eitherbound. This
> appears to be a global command, meaning applies to all lines in my policy.
> What if I want to have one line in my policy going outbound, and then the
> next one is inbound. I am sure this is possible, I just don't know how it
> works?
>
> Erik Witkop
> Boston, MA
> For Drug Testing Kits
> please visit:
> http://www.abatekmedical.com
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 17:48:11 +0200
> From: Szemely Arpad <[email protected]>
> Subject: Re: Error opening Lotus Notes databases
>
> I had a problem with NT with service pack 3,4,5,6. The same problem as you,
> that the lotus client responded to me that "server not responding" and I
> installed servicepack 6a and the problem disappeared.
> Try to install servicepack 6a.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 17:05:27 +0100
> From: Patrick Lotti <[email protected]>
> Subject: Re: Changing firewall object IP address
>
> I think you just need a rule to allow a gui client
> from the "lan" to access your management server in
> the "heartbeat" network. Maybe some NAT & routing
> is required as well, it depends. I'm pretty sure
> you don't have to change your firewall object at
> all.
>
> Get working backups and training before doing any
> change, just in case.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 11:20:14 -0500
> From: Iztok Umek <[email protected]>
> Subject: Re: direction??
>
> You are missing an important fundamental, yes.
>
> Inbound = traversing up the TCP/IP stack
> Outbound = traversing down the TCP/IP stack
>
> Regards,
> Iztok
>
> ---
> Iztok Umek
> Elogex, Inc.
> 212 S Tryon Street
> Charlotte, NC 28281
> URL: http://www.elogex.com/
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 16:28:33 -0000
> From: Rodrigo Borges <[email protected]>
> Subject: Re: direction??
> > I think you have the wrong idea about that inbound, outbound and > eitherbound. > This only refers to checking the policy against the connection at its > arrival at the firewall (inbound), when its leaving the > firewall (outbound) > or both (eitherbound). > You don't have to define traffic direction for each rule. > > Rodrigo > > -----Mensagem original----- > De: erik witkop [mailto:[email protected]] > Enviada: Monday, November 05, 2001 3:41 PM > Para: [email protected] > Assunto: [FW-1] direction?? > > > I am missing an important fundamental. In my rule base, I can > change the > pull down menu for the direction to inbound, outbound, or > eitherbound. This > appears to be a global command, meaning applies to all lines > in my policy. > What if I want to have one line in my policy going outbound, > and then the > next one is inbound. I am sure this is possible, I just don't > know how it > works? > > > > Erik Witkop > Boston, MA > For Drug Testing Kits > please visit: > http://www.abatekmedical.com > > > > _________________________________________________________________ > Get your FREE download of MSN Explorer at > http://explorer.msn.com/intl.asp > > =============================================== > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > =============================================== > > ------------------------------ > > Date: Mon, 5 Nov 2001 08:33:50 -0800 > From: erik witkop <[email protected]> > Subject: Re: direction?? > > that does not sound right. Can I have your reference, becuase > everything I > have read states that inbound is entering the FW, and visa versa. > > > And besides, you still have not answered the question at hand! 
> > > > Erik Witkop > Boston, MA > For Drug Testing Kits > please visit: > http://www.abatekmedical.com > > > > > >From: "Iztok Umek" <[email protected]> > >To: "Mailing list for discussion of Firewall-1" > ><[email protected]> > >CC: <[email protected]> > >Subject: RE: [FW-1] direction?? > >Date: Mon, 5 Nov 2001 11:20:14 -0500 > > > >You are missing an important fundamental, yes. > > > >Inbound = traversing up the TCP/IP stack > >Outbound = traversing down the TCP/IP stack > > > > > >Regards, > > Iztok > > > > > >--- > >Iztok Umek > >Elogex, Inc. > >212 S Tryon Street > >Charlotte, NC 28281 > >Phone:> >Fax:> >URL: http://www.elogex.com/ > > > > > -----Original Message----- > > > From: erik witkop [mailto:[email protected]] > > > Sent: Monday, November 05, 2001 10:41 > > > To: [email protected] > > > Subject: [FW-1] direction?? > > > > > > > > > I am missing an important fundamental. In my rule base, I can > > > change the pull down menu for the direction to inbound, > > > outbound, or eitherbound. This appears to be a global > > > command, meaning applies to all lines in my policy. What if I > > > want to have one line in my policy going outbound, and then > > > the next one is inbound. I am sure this is possible, I just > > > don't know how it works? 
> > > Erik Witkop
> > > Boston, MA
> > > For Drug Testing Kits please visit: http://www.abatekmedical.com
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 18:21:45 +0100
> From: David Gasca <[email protected]>
> Subject: Re: Error opening Lotus Notes databases
>
> Szemely, did you mean to reinstall SP6a on the server that has Domino Server or on the Firewall-1 server?
>
> David Gasca
> [email protected]
> Tlf.
> Fax.
> Alberto Alcocer 46B
> Madrid, Spain
>
> I had a problem with NT with service packs 3, 4, 5, 6. The same problem as you, that the Lotus client responded to me that "server not responding", and I installed service pack 6a and the problem disappeared.
> Try to install service pack 6a.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 12:18:49 -0500
> From: "Hawkins, Michael" <[email protected]>
> Subject: Re: Changing firewall object IP address
>
> Thanks for the reply but I have to change the architecture because I have done what you said and I cannot use the GUI client to get the logs from a management server on the heartbeat network either. I've checked the rule base very, very carefully - it's not the rules stopping it from working.
>
> I hear you on the backup issue. I'm quite good at doing the backups before I change stuff!
> The real problem is that the heartbeat network is a registered address. Crazy people did the original install. I'm left to pick up the pieces.
>
> Thanks again,
>
> Mike H
>
> -----Original Message-----
> From: Patrick Lotti [mailto:[email protected]]
> Sent: Monday, November 05, 2001 11:05 AM
> To: [email protected]
> Subject: Re: [FW-1] Changing firewall object IP address
>
> I think you just need a rule to allow a GUI client from the "lan" to access your management server in the "heartbeat" network. Maybe some NAT & routing is required as well, it depends. I'm pretty sure you don't have to change your firewall object at all.
>
> Get working backups and training before doing any change, just in case.
>
> <<Disclaimer>>
>
> This electronic mail is intended only for the use of the addressee(s) named herein. Unless otherwise specifically stated, the views contained and expressed in this electronic mail are strictly those of the individual sender and are not the views of the Company or any of its Directors or other employees. If you are not the intended recipient of this electronic mail, you are hereby notified that any dissemination, distribution or copying of this electronic mail is strictly prohibited. If you received this electronic mail in error please immediately notify us by return electronic mail and delete this electronic mail from your system.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 19:34:40 +0200
> From: Szemely Arpad <[email protected]>
> Subject: Re: Error opening Lotus Notes databases
>
> You don't need to reinstall SP6a.
> You only have to install it on the Domino Server's NT.
> David Gasca wrote:
>
> > Szemely, did you mean to reinstall SP6a on the server that has Domino Server or on the Firewall-1 server?
> >
> > David Gasca
> > [email protected]
> > Tlf.
> > Fax.
> > Alberto Alcocer 46B
> > Madrid, Spain
> >
> > I had a problem with NT with service packs 3, 4, 5, 6. The same problem as you, that the Lotus client responded to me that "server not responding", and I installed service pack 6a and the problem disappeared.
> > Try to install service pack 6a.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 09:41:50 -0800
> From: erik witkop <[email protected]>
> Subject: Re: direction??
>
> I see what you mean. The way you would choose direction on a rule by rule basis is via the source and destination fields. Thanks.
>
> Erik Witkop
> Boston, MA
> For Drug Testing Kits please visit: http://www.abatekmedical.com
>
> >From: Rodrigo Borges <[email protected]>
> >Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] direction??
> >Date: Mon, 5 Nov 2001 16:28:33 -0000
> >
> >I think you have the wrong idea about that inbound, outbound and eitherbound.
> >This only refers to checking the policy against the connection at its arrival at the firewall (inbound), when it's leaving the firewall (outbound) or both (eitherbound).
> >You don't have to define traffic direction for each rule.
> >
> >Rodrigo
> >
> >-----Original Message-----
> >From: erik witkop [mailto:[email protected]]
> >Sent: Monday, November 05, 2001 3:41 PM
> >To: [email protected]
> >Subject: [FW-1] direction??
> >
> >I am missing an important fundamental. In my rule base, I can change the pull down menu for the direction to inbound, outbound, or eitherbound. This appears to be a global command, meaning applies to all lines in my policy. What if I want to have one line in my policy going outbound, and then the next one is inbound. I am sure this is possible, I just don't know how it works?
> >
> >Erik Witkop
> >Boston, MA
> >For Drug Testing Kits please visit: http://www.abatekmedical.com
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 10:45:03 -0700
> From: Hal Dorsman <[email protected]>
> Subject: Re: direction??
>
> > -----Original Message-----
> > From: erik witkop [mailto:[email protected]]
> > Sent: Monday, November 05, 2001 9:34 AM
> > To: [email protected]
> > Subject: Re: [FW-1] direction??
> >
> > That does not sound right. Can I have your reference, because everything I have read states that inbound is entering the FW, and vice versa.
>
> Yes, that's what he said. It defines whether the rule is read entering or leaving the FW. That has nothing to do with the direction of the rule.
>
> > And besides, you still have not answered the question at hand!
> He tried, you just aren't getting it. Have you RTFM?
>
> Hal
>
> > Erik Witkop
> > Boston, MA
> > For Drug Testing Kits please visit: http://www.abatekmedical.com
> >
> > >From: "Iztok Umek" <[email protected]>
> > >To: "Mailing list for discussion of Firewall-1" <[email protected]>
> > >CC: <[email protected]>
> > >Subject: RE: [FW-1] direction??
> > >Date: Mon, 5 Nov 2001 11:20:14 -0500
> > >
> > >You are missing an important fundamental, yes.
> > >
> > >Inbound = traversing up the TCP/IP stack
> > >Outbound = traversing down the TCP/IP stack
> > >
> > >Regards,
> > > Iztok
> > >
> > >---
> > >Iztok Umek
> > >Elogex, Inc.
> > >212 S Tryon Street
> > >Charlotte, NC 28281
> > >Phone:
> > >Fax:
> > >URL: http://www.elogex.com/
> > >
> > > > -----Original Message-----
> > > > From: erik witkop [mailto:[email protected]]
> > > > Sent: Monday, November 05, 2001 10:41
> > > > To: [email protected]
> > > > Subject: [FW-1] direction??
> > > >
> > > > I am missing an important fundamental. In my rule base, I can change the pull down menu for the direction to inbound, outbound, or eitherbound. This appears to be a global command, meaning applies to all lines in my policy. What if I want to have one line in my policy going outbound, and then the next one is inbound. I am sure this is possible, I just don't know how it works?
> > > > Erik Witkop
> > > > Boston, MA
> > > > For Drug Testing Kits please visit: http://www.abatekmedical.com
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 19:55:42 +0200
> From: Szemely Arpad <[email protected]>
> Subject: Re: Error opening Lotus Notes databases
>
> In the Checkpoint firewall you have a log that logs every event that happens, incoming and outgoing events.
> What does it log when somebody tries to log on with the Lotus Notes client?
>
> David Gasca wrote:
>
> > First of all, in the past we had problems with MTU when trying authentication with Firewall-1. This issue has only happened on Windows 98 stations. And we solved it. I don't think that Lotus Domino Server needs another MTU, because then we couldn't be authenticated by Firewall-1 (using FWZ with DES enc.). Our clients connect to our VPN with a modem (dial-in).
> >
> > About the rule allowing port 1352, we have a rule that says: ANY OUR DOMAIN ANY(SERVICE) CLIENT ENCRYPT.
> > I think that this rule will grant access to any service, including port 1352. Isn't it?
> >
> > Thanks for your answers.
> >
> > David Gasca
> > [email protected]
> > Tlf.
> > Fax.
> > Alberto Alcocer 46B
> > Madrid, Spain
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 12:45:52 -0500
> From: Dante Mercurio <[email protected]>
> Subject: SMTP Security Server Rejecting/Ignoring Mail
>
> Checkpoint 4.1 SP3 running on Windows 2000 SP2.
>
> The issue is that the SMTP security server seems to ignore some incoming email messages. According to my log, often incoming SMTP packets are denied by my cleanup rule. It seems it blows by my SMTP rule (16) and I see an SMTP denied by rule 25 (clean-up). When this happens, the sender eventually gets a non-deliverable message back. Also in the log, there are packets denied by the SMTP rule that show nothing but a 'len' at the end. Using a standard SMTP pass through, this never happens. The queue is working fine, when the message gets to it. I've checked, and these messages never get that far.
>
> The SMTP security server has been configured to strip *.exe and *.vbs. Also, it has been configured to accept non-RFC compliant addresses (when email addresses are not sent in brackets <>). This problem was occurring before either was put in place however, and they were put in during the troubleshooting process.
>
> Any ideas would be appreciated.
>
> M. Dante Mercurio, CCNA, MCSE+I, CCSA
> Consulting Services Manager
> Continental Consulting Group, LLC
> www.ccgsecurity.com
> [email protected]
>
> > -----Original Message-----
> > From: Symon Thurlow [mailto:[email protected]]
> > Sent: Monday, November 05, 2001 8:43 AM
> > To: [email protected]
> > Subject: Re: [FW-1] Arp messages
> >
> > Check your subnet mask is correct.
> >
> > Symon
> >
> > -------------------
> > > 4 of my machines are sending/receiving repeated ARP messages from strange IP addresses that do not belong to my network. My network is of type 9.9.1.xx and the strange addresses are of type 9.9.yy.xx. This is depleting my bandwidth performance. Could this be a security issue?
> > > Does anyone know what I should do?
> > > Your urgent response will be appreciated.
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Find a job, post your resume.
> > > http://careers.yahoo.com
> >
> > Cheers,
> >
> > Symon
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 10:10:22 -0800
> From: Micah Baker <[email protected]>
> Subject: Re: Checkpoint NG
>
> Are you utilizing any kind of content filtering software? We have had that happen on our Firewall-1 NG (Hotfix-2 and RDP hotfix) with WebSense on a different server. We have to reboot the firewall to get HTTP services back up.
> Checkpoint and WebSense tech support are both working on our issue right now.
>
> Micah
>
> -----Original Message-----
> From: Andrea Paparelli [mailto:[email protected]]
> Sent: Monday, November 05, 2001 1:56 AM
> To: [email protected]
> Subject: [FW-1] Checkpoint NG
>
> Hi all, I'm running Checkpoint NG on a Sun Netra T1 with Solaris 8.
> During this weekend I noticed that one of my boxes stopped responding to the http service apparently without any reason.
> Looking at the log file the only thing that came up to me was that the service started to respond as "packet out of state".
> Now I'm trying to modify tcptimeouts or connections tables, but does anybody know why this happened or how I can prevent this from happening again?
> The NG box performs a static NAT and the only services that are allowed on the "hidden" servers are just http and https.
>
> Regards,
> Andrea
>
> ==========================================
> Andrea Paparelli
> Senior System Administrator
>
> E-mail: [email protected]
> www.integra-europe.it www.genuity.com
>
> Integra is now part of Genuity
> Integra / Genuity
> Via Muzio Attendolo 4
> I-20141 Milano Italy
> Tel.: +39 02 45444.1
> Fax.: +39 02 45444.300
> ==========================================
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 13:28:58 -0500
> From: [email protected]
> Subject: Thanks and g'bye
>
> Well folks, being a longtime lurker on this list and a longtime sufferer with Checkpoint and VAR licensing and support issues, I wanted to say thanks to all of you for your help over the years before I unsub. I've moved on to a Netscreen firewall, which, in my opinion, has a better infrastructure of resellers and manufacturer support.
>
> Thanks again, and good luck!
> Evan
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 13:58:06 -0500
> From: "Wesley C. Maness" <[email protected]>
> Subject: Adding bad IP to firewall
>
> Guys,
>
> Can you tell me if there is anything wrong in having an application that can configure itself to an FW and tell it to block an IP?
>
> Thanks!
>
> Wesley
>
> Mailing list for discussion of Firewall-1 <[email protected]> wrote:
>
> Thanks for the reply but I have to change the architecture because I have done what you said and I cannot use the GUI client to get the logs from a management server on the heartbeat network either. I've checked the rule base very, very carefully - it's not the rules stopping it from working.
>
> I hear you on the backup issue. I'm quite good at doing the backups before I change stuff!
>
> The real problem is that the heartbeat network is a registered address. Crazy people did the original install. I'm left to pick up the pieces.
>
> Thanks again,
>
> Mike H
>
> -----Original Message-----
> From: Patrick Lotti [mailto:[email protected]]
> Sent: Monday, November 05, 2001 11:05 AM
> To: [email protected]
> Subject: Re: [FW-1] Changing firewall object IP address
>
> I think you just need a rule to allow a GUI client from the "lan" to access your management server in the "heartbeat" network. Maybe some NAT & routing is required as well, it depends. I'm pretty sure you don't have to change your firewall object at all.
>
> Get working backups and training before doing any change, just in case.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 11:39:53 -0800
> From: Dan Hitchcock <[email protected]>
> Subject: Re: Multiple default routes on Nokia
>
> Assuming your DS3s were both from the same provider, BGP could provide load-balancing. Otherwise, Rodrigo is correct.
>
> HTH
>
> Dan
>
> -----Original Message-----
> From: Rodrigo Borges [mailto:[email protected]]
> Sent: Monday, November 05, 2001 1:58 AM
> To: [email protected]
> Subject: Re: [FW-1] Multiple default routes on Nokia
>
> You know that BGP won't do load-balancing... :)
>
> -----Original Message-----
> From: Bill Husler [mailto:[email protected]]
> Sent: Friday, November 02, 2001 3:03 PM
> To: [email protected]
> Subject: Re: [FW-1] Multiple default routes on Nokia
>
> > Dan,
> > Thanks for the great response, luckily the 110 is only in the lab and would not be pressed into service in this sort of environment.
> > Would option 1 (BGP) be viable if there were a pair of 530s and a pair of routers supporting a multiple DS3 internet connection.
> > Bill
> >
> > On Wednesday, October 31, 2001, at 10:35 AM, Dan Hitchcock wrote:
> >
> >> As with other routers, using multiple default routes will not (as you have observed) provide "poor man's load balancing". You have several options:
> >>
> >> #1 - run BGP on your Nokia box (not recommended - this will kill an IP110)
> >> #2 - run something more benign like RIP, run BGP on your border routers, and redistribute your BGP routes into RIP (this will probably also put quite a load on your firewall, and may become an administrative headache)
> >> #3 - use a load-balancer product like RadWare or Foundry to dynamically share the load across the two links
> >> #4 - "split the internet" by creating two routes to represent the internet. For example, I've found in the past that a routing table like this will give a decent balance of traffic on the links (although this may vary greatly depending on the nature of traffic in your network):
> >>
> >> network        gateway
> >> 0.0.0.0/1      router1
> >> 128.0.0.0/2    router1
> >> 0.0.0.0/0      router2
> >>
> >> This will send addresses 0.0.0.0-191.255.255.255 out router1, and the rest out router2. You could obviously just split it in half as well, but I found that to be lopsided in terms of utilization in my environment.
> >>
> >> HTH - any comments, disagreements, etc are, as always, welcome.
> >>
> >> Dan Hitchcock
> >>
> >>> We have a Nokia (110) and two upstream routers in parallel and would like the firewall to use both paths. I added both router's IP addresses
> >>> plug it back in, all the traffic reverts to the second route again. Is there any way to set it up to use both?
> >>
>
> ------------------------------
>
> Date: Tue, 6 Nov 2001 01:00:40 +0100
> From: Eric Fauchereau <[email protected]>
> Subject: Eric Fauchereau is out of the office.
>
> I will be out of the office from 05/11/2001 until 09/11/2001.
>
> I will reply to your message as soon as I return.
>
> -----------------------------------------------------------------------
> This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please notify the sender and delete the message.
>
> Any dissemination or disclosure, either whole or partial, is prohibited except formal approval of the sender.
>
> Integrity of this message is not guaranteed through the Internet, and its content cannot bind 3 SUISSES and its subsidiaries if altered or falsified.
> -----------------------------------------------------------------------
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 18:31:55 -0600
> From: "Timothy K. Cornelius" <[email protected]>
> Subject: Pix - firewall keeps going up and down....loses connection, then comes back
>
> We cut over to a new ISP Friday and are having an intermittent problem. For about 2-4 minutes the connection is fine, then it stops and you cannot get out for say 2-5 minutes. We are doing failover, so I thought it might be cutting back and forth from pix to pix and that was causing the up and down stuff. But I cut off one of the pix's and it still does the same thing. It is better after I took out a statement "rip inside passive" and added "no rip inside passive"; this seemed to help. Has anyone had a similar problem or might know what would cause this? Also traceroutes seem real flaky, they * out about 2/3 of the time.
>
> Thanks,
>
> Tim
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.293 / Virus Database: 158 - Release Date: 10/29/2001
>
> ------------------------------
>
> Date: Tue, 6 Nov 2001 08:28:25 +0800
> From: Stuart Teo <[email protected]>
> Subject: I have Checkpoint NG SOHO running at point A, B, and C. I have ...
>
> I have Checkpoint NG SOHO running at point A, B, and C. I have Checkpoint NG unlimited IP (non-SOHO) running at point D. I also want to manage A, B, and C from D. What's the product that I need to get at D? There used to be this Enterprise Management Center during Checkpoint 4.0 times...
>
> ------------------------------
>
> Date: Tue, 6 Nov 2001 01:01:01 +0000
> From: Ray Warrier <[email protected]>
> Subject: Ray Warrier/Health/Torex is out of the office.
>
> I will be out of the office starting 05/11/2001 and will not return until 12/11/2001.
>
> I will respond to your message when I return.
>
> ------------------------------
>
> Date: Mon, 5 Nov 2001 21:04:24 -0500
> From: Macroscape Solutions <[email protected]>
> Subject: Re: Pix - firewall keeps going up and down....loses connection, then comes back
>
> Traceroute is layer 3. I would start troubleshooting this at lower layers.
> Make sure your cabling is OK first, then check any layer 2 devices before
> starting to do pings. What does your infrastructure look like? Are you
> talking RIP to your internal, external? Please fill us in...
>
> Thanks, Eugene B
> ----- Original Message -----
> From: "Timothy K. Cornelius" <[email protected]>
> To: <[email protected]>
> Sent: Monday, November 05, 2001 7:31 PM
> Subject: [FW-1] Pix - firewall keeps going up and down....loses connection, then comes back
>
> > We cut over to a new ISP Friday and are having an intermittent problem. For about
> > 2-4 minutes the connection is fine, then it stops and you cannot get out for
> > say 2-5 minutes. We are doing failover, so I thought it might be cutting
> > back and forth from PIX to PIX and that was causing the up and down stuff.
> > But I cut off one of the PIXes and it still does the same thing. It is
> > better after I took out a statement "rip inside passive" and added "no rip
> > inside passive"; this seemed to help. Has anyone had a similar problem or
> > might know what would cause this? Also traceroutes seem really flaky; they *
> > out about 2/3 of the time.
> >
> > Thanks,
> >
> > Tim
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.293 / Virus Database: 158 - Release Date: 10/29/2001
>
> ------------------------------
>
> End of FW-1-MAILINGLIST Digest - 4 Nov 2001 to 5 Nov 2001 (#2001-34)
> ********************************************************************
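The layered approach Eugene suggests in his reply above (rule out the local segment before reading anything into traceroute) can be made concrete by probing the first hop, the ISP next hop and a far target in lock-step and comparing when each one drops. The script below is an added example, not code from the digest or from either poster: it assumes a Linux `ping` (iputils flags `-c`/`-W`), uses placeholder hop names and documentation-range addresses, and ships a constructed `SAMPLE` timeline in which the first hop stays up while everything beyond the outside interface vanishes for four minutes, the pattern Tim describes.

```python
"""Added example (not from the digest): triage an intermittent outage by
probing several hops in lock-step and turning the raw results into
down-intervals per hop, so a local (layer 2 / first hop) fault can be
separated from an upstream one before anyone stares at traceroute.

Hop names, addresses and the SAMPLE timeline below are constructed."""
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Probe:
    t: float        # seconds since the run started
    target: str     # hop label, nearest first in HOPS below
    ok: bool        # reply received within the timeout?


# Nearest to farthest; a fault shows up at the nearest failing hop.
# Addresses are placeholders from the RFC 5737 documentation ranges.
HOPS = [("gw", "192.0.2.1"),          # inside interface of the firewall
        ("isp", "198.51.100.1"),      # ISP next hop beyond the outside interface
        ("far", "203.0.113.10")]      # something well beyond the ISP


def ping_once(addr: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the system ping (Linux iputils flags)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), addr],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def collect(hops, duration_s: float, interval_s: float,
            probe: Callable[[str], bool] = ping_once) -> list[Probe]:
    """Probe every hop once per interval for duration_s seconds (live use)."""
    out, start = [], time.monotonic()
    while (now := time.monotonic() - start) < duration_s:
        for name, addr in hops:
            out.append(Probe(round(now), name, probe(addr)))
        time.sleep(interval_s)
    return out


def outages(probes: Iterable[Probe]) -> dict[str, list[tuple[float, float]]]:
    """Collapse per-hop probe results into [down_start, first_ok) intervals.
    A hop still down at the end of the run closes at its last sample."""
    by_hop: dict[str, list[Probe]] = {}
    for p in probes:
        by_hop.setdefault(p.target, []).append(p)
    result = {}
    for hop, seq in by_hop.items():
        seq.sort(key=lambda p: p.t)
        downs, start, last = [], None, None
        for p in seq:
            if not p.ok and start is None:
                start = p.t
            elif p.ok and start is not None:
                downs.append((start, p.t))
                start = None
            last = p.t
        if start is not None:
            downs.append((start, last))
        result[hop] = downs
    return result


def nearest_failing_hop(order, outs) -> Optional[str]:
    """First hop, in nearest-first order, that lost any probe.
    gw  -> look at cabling / layer 2 / the firewall itself
    isp -> the outside link or the ISP's first router
    far -> upstream routing, not the local segment"""
    for hop in order:
        if outs.get(hop):
            return hop
    return None


# Constructed sample: one probe per hop every 30 s for 10 minutes.
# gw never drops; isp and far both vanish from t=180 to t=420 (4 minutes).
SAMPLE = [Probe(t, hop, ok)
          for t in range(0, 600, 30)
          for hop, ok in (("gw", True),
                          ("isp", not 180 <= t < 420),
                          ("far", not 180 <= t < 420))]


if __name__ == "__main__":
    outs = outages(SAMPLE)
    for hop, _ in HOPS:
        print(f"{hop:4} down intervals: {outs[hop]}")
    print("nearest failing hop:", nearest_failing_hop([h for h, _ in HOPS], outs))
```

Run live with `collect(HOPS, 900, 5)` in place of `SAMPLE` and leave it going through a couple of the 2-4 minute cycles; if `gw` never appears in the outage list while `isp` does, the inside segment and cabling are cleared and attention belongs on the outside link and the ISP's router, and a recurring fixed-length gap on `far` alone points at a route that is being withdrawn and relearned upstream rather than at anything local.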