
Re: [FW-1] FW-1-MAILINGLIST Digest - 14 Nov 2001 to 15 Nov 2001 (#2001-44)

Hello folks,
 
I have an issue with my firewall log displaying the time as one hour behind the correct time. We are running Checkpoint FW1 version 3.0b which resides on a BLN router. My management station displays the correct date and time. I have to set my router time to be one hour ahead of the correct time in order for my firewall log to display the correct time.

When I use Site Manager to change all the router date and time fields to be correct, the hour still displays in the firewall log as one hour behind. I've tried telnetting to the router and inputting the correct time using the "date" command, then pushing the policy, then bringing up the log...but it's still one hour behind. What I ended up doing was setting the router one hour ahead of current time in order for the firewall log to display the correct time. Anyone have any clue as to why I can't change the hour?

 
Paul
[email protected]
 

-----Original Message-----
From: Automatic digest processor
[mailto:[email protected]]
Sent: Friday, November 16, 2001 3:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 14 Nov 2001 to 15 Nov 2001 (#2001-44)


There are 33 messages totalling 2188 lines in this issue.

Topics of the day:

  1. AW: [FW-1] fwgui (4)
  2. License schema question (4)
  3. AW: Re: [FW-1] Is NG ready for general use ?
  4. Why not produce the GUIs in Java (2)
  5. FW-1 snmpd does not return MAC addresses from local arp table
  6. UNSUBSCRIBE
  7. Messages getting stuck in SMTP security server spool?
  8. Firewall limitations (2)
  9. NAT-ing an entire subnet (2)
 10. Problem when using opsec lea server to connect to netforensics
 11. WINS Resolution
 12. SecureClient encryption domains and NAT'd user networks.
 13. SecureClient encryption domains and NAT'd user networks.
 14. Checkpoint Sizing... HELP!
 15. NOKIA boot critical error
 16. Adding remote firewall modules
 17. Help configuring FTP Passive mode
 18. Striping VBS files.
 19. FTP Security Server giving a lot of trouble!
 20. why there is only one way connection?
 21. Novell File and Print Services
 22. NAT problem (2)
 23. NG or Provider-1?

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

----------------------------------------------------------------------

Date:    Thu, 15 Nov 2001 09:07:47 +0100
From:    [email protected]
Subject: AW: [FW-1] fwgui

Hello,

as far as I know, there is no such animal. No GUI for Linux.

Regards,
--Joerg


-----Original Message-----
From: tolits [mailto:[email protected]]
Sent: Thursday, 15 November 2001 01:55
To: [email protected]
Subject: [FW-1] fwgui


Hello All,

What is the fwgui (Policy Editor) for FW-1 on Linux? What package do I
need? I have FW-1 running on Solaris and I would like to administer it
using fwgui on a Linux management station, because currently I'm using
the Windows fwgui and I'm tired of shifting back from Linux to Windows just to
edit my firewall policy. I think if it runs in X/Motif then it will also
run on Linux, won't it?

tia,

Lito


------------------------------

Date:    Thu, 15 Nov 2001 16:21:07 +0800
From:    Fang Jin <[email protected]>
Subject: Re: License schema question

Hi, Jacky

I had the same concern as you last year. You have no choice but to choose
an unlimited license for both firewalls.
This is CP license policy. You can't save 1 cent on that.

Regards,
Jin




Jacky Liu <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
11/15/2001 03:16 PM
Please respond to Mailing list for discussion of Firewall-1

To:      [email protected]
cc:
Subject: [FW-1] License schema question

Hi all,

I would like to ask a question about license calculation for this design


                                        Intrusion Detection
                                        System
                                            |
                                            |
Internet --- FW (Bastion) --- Email&WWW --- FW (Choke) --- Internal Network


For FW (Choke), I will order an unlimited license. I am just wondering which
kind of license schema I should pick for FW (Bastion) in order to save
money. Can I just pick the 25-user license schema, because the FW (Bastion)
only protects the servers between itself and FW (Choke)?

Best Regards,
JL


------------------------------

Date:    Sun, 11 Nov 2001 08:55:26 +0100
From:    Alexander Hoogerhuis <[email protected]>
Subject: Re: AW:      Re: [FW-1] Is NG ready for general use ?

I am currently involved in migrating two older installs into a new NG
install for a relatively large site, and I have one nag, and this
annoys me a lot:

If you hit "abort" during ruleset builds, verifications, etc, or
"abort" during SNMP queries (system name, location, interfaces, etc.)
the whole connection between the management server and GUI will be
terminated.

And another thing on the wish list would be to have the interfaces in
the topology default to "This network" and not "undefined".

cheers,
Alexander

"Schönfelder, Sven" <[email protected]> writes:

> Hi,
>
> we use NG with W2K at one of our customer sites and it works fine. But
> it is very important to install Hotfix-2. Then the problems with ARP
> and W2K are solved.
>
> But if you don't need the new features (e.g. Active Directory
> authentication) you should wait until the release of Service Pack 1
> for NG. SP1 is right now in beta testing and it will probably be ready
> for release in December. With SP1 there are also some improvements
> building VPN sites.
>
> Sven Schoenfelder
> iCOMcept GmbH
>
>
>
>
> -----Original Message-----
> From: Kim Longenbaugh [mailto:[email protected]]
> Sent: Thursday, 8 November 2001 15:14
> To: [email protected]
> Subject: Re: [FW-1] Is NG ready for general use ?
>
>
> We run NG on NT4.0.  We don't use the vpn portions, so I don't know how
> it does with vpns.  It works well as 'just' a firewall.
> We did find that there were still some big problems trying to run NG on
> W2K.  There were nat problems, and routing issues to do with how W2k
> handled arp.
>
> >>> [email protected] 11/08/01 07:45AM >>>
> Hi
>
> Couple of resellers say they won't implement/support NG yet - probably
> not
> for another few months or so.
>
> Also couldn't see any NG-specific training in their schedules.
>
> We need to upgrade FW soon (few weeks or so) and must make choice 4.1 or
> NG.
>
>
> Questions:-
>
> 1. What are others doing ?
> 2. Any idea if this is widespread attitude amongst resellers - is it
> really
> too risky to implement NG for 3 site VPN at the moment ?
>

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'


------------------------------

Date:    Thu, 15 Nov 2001 11:21:06 +0200
From:    andre' <[email protected]>
Subject: Re: AW: [FW-1] fwgui

There is a fwgui for Motif. You do need a Motif lic to actually use it.
Currently there is no fwgui for a Linux-based box.

(how hard can it be to port the fwgui for motif to work under X on linux?)

rgds
andre'
#include <std-disclaimer.h>


[email protected] wrote:

>Hello,
>
>as far as I know, there is no such animal. No GUI for Linux.
>
>Regards,
>--Joerg
>
>
>-----Original Message-----
>From: tolits [mailto:[email protected]]
>Sent: Thursday, 15 November 2001 01:55
>To: [email protected]
>Subject: [FW-1] fwgui
>
>
>Hello All,
>
>What is the fwgui (Policy Editor) for FW-1 on Linux? What package do I
>need? I have FW-1 running on Solaris and I would like to administer it
>using fwgui on a Linux management station, because currently I'm using
>the Windows fwgui and I'm tired of shifting back from Linux to Windows just to
>edit my firewall policy. I think if it runs in X/Motif then it will also
>run on Linux, won't it?
>
>tia,
>
>Lito
>

------------------------------

Date:    Thu, 15 Nov 2001 10:47:29 +0100
From:    "Reed Mohn, Anders" <[email protected]>
Subject: Re: License schema question

Hmm.. don't know how they interpret that,
I mean, indirectly, the outer firewall is also protecting your internal
network, no matter how you look at it,
though it's far from obvious whether you fall under this:

"It is a violation of this End User License Agreement to create,
set up, or design any hardware, software or system which alters
the number of readable IP-addresses presented to the Product with the
intent, or resulting effect, of circumventing the Licensed Configuration."

The words "or resulting effect" seem to bind you, even if your intention
in the design is not to circumvent the number of licensed IP's.

My guess:
If there is never any traffic from the internal network through the bastion,
then you wouldn't need the licenses.
If your internal hosts communicate through the outer firewall, though,
I would guess you need an according number of licenses.

What do you experts out there say?

Cheers,
Anders :)




> -----Original Message-----
> From: Jacky Liu [mailto:[email protected]]
> Sent: 15. november 2001 08:16
> To: [email protected]
> Subject: [FW-1] License schema question
>
>
> Hi all,
>
> I would like to ask a question about license calculation for
> this design
>
>
>                                         Intrusion Detection
>                                         System
>                                             |
>                                             |
> Internet --- FW (Bastion) --- Email&WWW --- FW (Choke) ---
> Internal Network
>
>
> For FW (Choke), I will order unlimited license. I am just
> wondering which
> kind of license schema I should pick for FW (Bastion) in order to save
> money. Can I just pick 25-user license schema, because the FW
> (Bastion)
> only protects the servers between itself and FW (Choke)?
>
> Best Regards,
> JL
>

------------------------------

Date:    Thu, 15 Nov 2001 11:08:18 +0100
From:    [email protected]
Subject: Why not produce the GUIs in Java

like for instance Citrix has done with their MetaFrame XP. Then Checkpoint could
concentrate on making one version for all platforms, and the GUIs, which are an
important part of the product, would become truly multiplatform.


Gandalf.

------------------------------

Date:    Thu, 15 Nov 2001 11:10:07 +0100
From:    [email protected]
Subject: FW-1 snmpd does not return MAC addresses from local arp table

Running FW-1 4.1 SP3 on Linux 2.2.19. Has anyone had similar experiences?
Is this a feature, or is there a bug fix?


Gandalf.

------------------------------

Date:    Fri, 16 Nov 2001 01:14:12 +1230
From:    Symon Thurlow <[email protected]>
Subject: Re: License schema question

I am in the same situation. I asked Checkpoint; their official reply
was that both have to have the same licensing.

I can dig out the email if anyone is interested.

Cheers,

Symon

-------------------
> Hmm.. don't know how they interpret that,
> I mean, indirectly, the outer firewall is also protecting your internal
> network, no matter how you look at it,
> though it's far from obvious whether you fall under this:
>
> "It is a violation of this End User License Agreement to create,
> set up, or design any hardware, software or system which alters
> the number of readable IP-addresses presented to the Product with the
> intent, or resulting effect, of circumventing the Licensed Configuration."
>
> The words "or resulting effect" seem to bind you, even if your intention
> in the design is not to circumvent the number of licensed IP's.
>
> My guess:
> If there is never any traffic from the internal network through the bastion,
> then you wouldn't need the licenses.
> If your internal hosts communicate through the outer firewall, though,
> I would guess you need an according number of licenses.
>
> What do you experts out there say?
>
> Cheers,
> Anders :)
>
> > -----Original Message-----
> > From: Jacky Liu [mailto:[email protected]]
> > Sent: 15. november 2001 08:16
> > To: [email protected]
> > Subject: [FW-1] License schema question
> >
> > Hi all,
> >
> > I would like to ask a question about license calculation for
> > this design
> >
> >                                         Intrusion Detection
> >                                         System
> >                                             |
> >                                             |
> > Internet --- FW (Bastion) --- Email&WWW --- FW (Choke) ---
> > Internal Network
> >
> > For FW (Choke), I will order unlimited license. I am just
> > wondering which
> > kind of license schema I should pick for FW (Bastion) in order to save
> > money. Can I just pick 25-user license schema, because the FW
> > (Bastion)
> > only protects the servers between itself and FW (Choke)?
> >
> > Best Regards,
> > JL
> >
Cheers,

Symon

------------------------------

Date:    Thu, 15 Nov 2001 12:58:48 -0000
From:    Alee Stevenson <[email protected]>
Subject: UNSUBSCRIBE


------------------------------

Date:    Thu, 15 Nov 2001 15:26:28 +0100
From:    Volker Tanger <[email protected]>
Subject: Re: AW: [FW-1] fwgui

Greetings!

[email protected] wrote:

 >
 > as far as I know, there is no such animal. No GUI for Linux.


No _G_UI - but a UI. One simply has to edit the *.C and *.W files with
an editor (e.g. VI) and issue the proper fw... commands. Works
faithfully via SSH and even via a 9600 baud modem dial-in, i.e. for a "dead"
or remote Sun server (where keyboard/graphics died or the network is unreachable).


Digging through the logs for connection debugging is a bit unwieldy if
you only have a single (9600) line, though. Tools
(http://www.wyae.de/software/fwtools.html) can help a lot dissecting the
configuration.

It is wise to make a backup of your config files prior to editing as
that is not for the faint-hearted. In defense of Checkpoint I have to
note that the config files are well structured and good to read and
understand - esp. in contrast to e.g. the Raptor config file nightmare.

Good luck!
        Volker

--

Volker Tanger  <[email protected]>
   Wrangelstr. 100, 10997 Berlin, Germany
      DiSCON GmbH - Internet Solutions
           http://www.discon.de/


--

Volker Tanger  <[email protected]>
  Wrangelstr. 100, 10997 Berlin, Germany
     DiSCON GmbH - Internet Solutions
          http://www.discon.de/

------------------------------

Date:    Thu, 15 Nov 2001 19:20:20 +0500
From:    Vitaly Fedrushkov <[email protected]>
Subject: Messages getting stuck in SMTP security server spool?

Good $daytime,

I have a rather strange symptom with 4.1 Build 41814 (Solaris 7).

There is _exactly one_ external user whose mail is orbiting within
FW-1 for many hours before it gets through.  Here are the facts:


External user is sending similar emails every so often to our users.
At some point, recipients have noticed one-day delivery delays not
seen before.

Nothing has been done to the firewall in the time frame between the last good
and the first delayed message.

All messages from the user are affected.

Examined logs (about 6 months back) show no such events.  All other
messages are also going through well during an event.

Message lives in $FWDIR/CPfw1-41/spool/Rnnnnnnnn, for no apparent
reason.  It differs from all others in that it has a duplicate spool
header.  Example is included below, slightly obfuscated.

Delivery delay varies from 19 to 30 hours.

At some random moment message gets delivered to its destination.

Message is checked by the CVP server just before sending to internal
SMTP gateway (172.16.15.14).  Message is marked OK by the CVP server.

There are no open TCP connections related to the message in question
at any time.

Relevant FW-1 rule says:

        Any 172.16.15.14 smtp->CVP-inbound accept Long Gateways Any

Value of resend_period in $FWDIR/conf/smtp.conf is 600.

http://www.phoneboy.com/faq/0418.html had no effect.

None of the FW-1, firewall host, or CVP server restart attempts had any
effect.


Otherwise swift, this time my support contract gurus weren't of any
help, either.

Any ideas?  Further questions are welcome.

Thanks in advance.

  Regards,
  Willy.

--
No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
Shall bring us to our goal, | Control Systems and Processes Division
But iron sacrifice          | LUKOIL Company, Chelyabinsk Branch
Of Body, Will and Soul.     | [email protected]  +7 3512 620367
                  R.Kipling | VVF1-RIPE


------------------------------

Date:    Thu, 15 Nov 2001 09:15:52 -0600
From:    Jon Vandiveer <[email protected]>
Subject: Re: Firewall limitations

You will be hard pressed to find this type of information.
Also it depends on which FW version you are running.
4.1: The only limit I have seen is the 25k connection limit back in Nokia's
IPSO 3.1~, which for some reason had a max connection limit of 25k. This was fixed
in the subsequent release of IPSO, as well as a workaround to modify the max
connections and memory for the state table.
I never ran into connection limits with NT, of course it probably cannot handle
that much in the first place, and I have never run a multi-CPU Solaris box.

NG: Has been tested and was said to be able to handle over 1 million
connections in its connection table. Personally I have never seen this, but
with the new introduction of the ASIC FWs that Nortel and other vendors are
producing using the NG kernel, I would probably classify this as a safe bet.

Answering the rest of your question is very hardware specific and there is
no sliding scale or formula that will tell you how memory, CPUs and such
will affect your throughput.

Jon

Date:    Tue, 13 Nov 2001 12:10:49 -0500
From:    "Holland, Stephen" <[email protected]>
Subject: Firewall limitations


I am trying to find out what FW-1's limitations are.  Limitations I would be
interested in would be how many sockets/flows/connections the state table
can handle before the firewall is slow or dies.  What amount of "hits"
per second can FW-1 handle and make stateful decisions about before it
is slow or fails?  I know there will be some limitation by bandwidth, OS,
and hardware, but let's say you are running on a SUN 4500 with 4 processors,
4 gigs of RAM, Solaris 2.7 with a three-legged design thus giving you 100mb
to ISP, DMZ, and internal LAN.

Does anyone have a good link or knowledge of this kind of information?



Jon Vandiveer
[email protected]

"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
rm -rf /bin/laden

------------------------------

Date:    Thu, 15 Nov 2001 10:25:16 -0500
From:    "Holland, Stephen" <[email protected]>
Subject: Firewall limitations

I am resending because the last message was rejected.  Hope I don't post
twice.


So, if I equate 20 connections for 1 mb of bandwidth (I think that is a good
reference) then what I can figure on is 1244mbps * 20 = 24880 possible
connections per second that CP should be able to statefully inspect and route
in your OC-12 active/active environment.  From this link CP says 1,000,000
concurrent connections, but I am trying to lay my finger on new connections
per second that CP 4.1 can handle.

-----Original Message-----
From: Carl E. Mankinen [mailto:[email protected]]
Sent: Tuesday, November 13, 2001 2:29 PM
To: [email protected]
Subject: RE: [FW-1] Firewall limitations

Practical experience tells me that unless you are doing a LOT of
VPN+Encryption, that 4500 is serious overkill for those 100Mb links. I
have installed 420's in HA configuration that handle active/active dual
OC-12 loads. (mostly traffic is non-vpn however.)

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On
> Behalf Of Prokopinskiy, Igor
> Sent: Tuesday, November 13, 2001 12:42 PM
> To: [email protected]
> Subject: Re: [FW-1] Firewall limitations
>
>
> Stephen,
>
> Your HW config sounds like a waste of resources for this
> case... Here is a
> good place to start digging for information and specs:
> http://www.checkpoint.com/products/security/vpn-1_firewall-1_performance.html

Igor Prokopinskiy

> -----Original Message-----
> From: Holland, Stephen [SMTP:[email protected]]
> Sent: Tuesday, November 13, 2001 11:11 AM
> To:   [email protected]
> Subject:      [FW-1] Firewall limitations
>
> I am trying to find out what FW-1's limitations are.  Limitations I would be
> interested in would be how many sockets/flows/connections the state
> table can handle before the firewall is slow or dies.  What amount of
> "hits" per second can FW-1 handle and make stateful decisions about
> before it is slow or fails?  I know there will be some limitation by
> bandwidth, OS, and hardware, but let's say you are running on a SUN 4500
> with 4 processors, 4 gigs of RAM, Solaris 2.7 with a three-legged design
> thus giving you 100mb to ISP, DMZ, and internal LAN.
>
> Does anyone have a good link or knowledge of this kind of information?

------------------------------

Date:    Thu, 15 Nov 2001 16:29:30 +0100
From:    "Christiaans, Erik" <[email protected]>
Subject: NAT-ing an entire subnet

All,

I have an interesting issue with NAT-ing an entire subnet. Setup is as follows:



-----192.168.224.0/24, 172.20.208.0/22----_FW_---------_FW_-----172.20.0.0/16----

A VPN is running between the two firewalls

Now, the problem is that the 172.20 network does not allow external private range IP addresses on their network, so I need to NAT 192.168.224.0 to 172.20.232.0, in order to allow this subnet on the 172 network.

I added the following rule:

192.168.224.0 (source)    172.20.0.0 (destination)    any    172.20.232.0 (static)    original    any

I can reach addresses on the other side now, however the 172 network can not reach my subnet.

I tried adding the following rule:

172.20.0.0 (source)    172.20.232.0 (destination)    any    original    192.168.224.0 (static)    any

That didn't work.... tried some other rules but still I can not get it to work both ways, only one way.

The idea is to translate the 172.20.232.0 subnet back to 192.168.224.0. I manage both firewalls, so I can make all the necessary changes myself...

Anyone have any ideas??

Kind Regards,

Erik Christiaans

------------------------------

Date:    Thu, 15 Nov 2001 09:35:37 -0600
From:    Ed Davidson <[email protected]>
Subject: Re: Why not produce the GUIs in Java

I have to disagree -- the METAIP gui is written
in a JAVA version, and a WIN32 version.

The WIN32 version is much more responsive than the
JAVA.  The Java one is extremely slow, and does not
always respond to your keystrokes.  I'll hit the +
key to expand a branch, and it will close the entire
tree.

I have other software written in both JAVA and WIN32.
In every case, I use the WIN32 version.  Although
I have nothing against a JAVA version, please don't
make me use it.

When selecting between software written in JAVA and
software written in WIN32 (C++, VB, etc) I will always
choose the latter.

IBM has decided to write all their new code in JAVA.
Client Access Operations Navigator is an example -- and
boy does the GUI suck.  It locks up, and is also very
slow.  This also holds true for some e-mail management
software I recently looked at from a nameless company.
We will not go with their software.

Just my opinion;

Edwin Davidson

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
[email protected]
Sent: Thursday, November 15, 2001 4:08 AM
To: [email protected]
Subject: [FW-1] Why not produce the GUIs in Java


like for instance Citrix has done with their MetaFrame XP. Then Checkpoint could
concentrate on making one version for all platforms, and the GUIs, which are an
important part of the product, would become truly multiplatform.


Gandalf.

------------------------------

Date:    Thu, 15 Nov 2001 17:25:32 +0100
From:    Volker Tanger <[email protected]>
Subject: Re: NAT-ing an entire subnet

Greetings!

Do you remember:  routing before NATing?

So you need to add proper routes for those networks. Yepp, that's a bit
braindead IMHO, but that's the way it is.

Bye
        Volker

--

Volker Tanger  <[email protected]>
  Wrangelstr. 100, 10997 Berlin, Germany
     DiSCON GmbH - Internet Solutions
          http://www.discon.de/
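As an added example (not code from the list posts or from Check Point), here is a small Python model of the ordering Volker's reply describes, using the networks from Erik's post: the routing decision is made on the packet's original destination, and only then is the NAT rulebase applied, so traffic from 172.20.0.0/16 to the translated 172.20.232.0/24 is routed back out towards the VPN until a route for the translated subnet points inward. The Firewall class and the interface names are constructed for the model; the real product's internals are simplified to this one ordering point.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Networks from Erik's post; interface names are constructed for this model.
INSIDE = ipaddress.ip_network("192.168.224.0/24")      # real internal subnet
TRANSLATED = ipaddress.ip_network("172.20.232.0/24")   # how the 172.20 side sees it
REMOTE = ipaddress.ip_network("172.20.0.0/16")         # far end of the VPN


def remap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """Static one-to-one NAT: keep the host bits, swap the network prefix."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


@dataclass
class NatRule:
    """One row of an FW-1 style address-translation rulebase."""
    orig_src: Net
    orig_dst: Net
    xlate_src: Optional[Net] = None   # None means "original" (unchanged)
    xlate_dst: Optional[Net] = None


class Firewall:
    def __init__(self) -> None:
        self.routes: Dict[Net, str] = {}   # network -> egress interface name
        self.nat: List[NatRule] = []       # first-match NAT rule list

    def add_route(self, net: Net, iface: str) -> None:
        self.routes[net] = iface

    def lookup_route(self, dst: IPv4) -> Optional[str]:
        """Longest-prefix match, like the host OS routing table."""
        hits = [n for n in self.routes if dst in n]
        if not hits:
            return None
        return self.routes[max(hits, key=lambda n: n.prefixlen)]

    def forward(self, src: str, dst: str) -> Optional[Tuple[str, str, str]]:
        """Classic FW-1 ordering: route on the packet's *original* destination,
        then apply the first matching NAT rule. Returns (egress interface,
        translated src, translated dst), or None when nothing routes it."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        egress = self.lookup_route(d)          # decided before NAT ...
        if egress is None:
            return None
        for rule in self.nat:                  # ... so NAT cannot change it
            if s in rule.orig_src and d in rule.orig_dst:
                if rule.xlate_src is not None:
                    s = remap(s, rule.orig_src, rule.xlate_src)
                if rule.xlate_dst is not None:
                    d = remap(d, rule.orig_dst, rule.xlate_dst)
                break
        return egress, str(s), str(d)


def build_firewall(with_static_route: bool) -> Firewall:
    """Erik's firewall: the two attached networks plus his two NAT rules.
    with_static_route=True adds the route Volker's reply calls for."""
    fw = Firewall()
    fw.add_route(INSIDE, "inside")
    fw.add_route(REMOTE, "vpn")
    if with_static_route:
        # Route the translated subnet back towards the real internal hosts.
        fw.add_route(TRANSLATED, "inside")
    # Rule 1: 192.168.224.0 -> 172.20.0.0, source translated to 172.20.232.0 (static)
    fw.nat.append(NatRule(INSIDE, REMOTE, xlate_src=TRANSLATED))
    # Rule 2: 172.20.0.0 -> 172.20.232.0, destination translated to 192.168.224.0
    fw.nat.append(NatRule(REMOTE, TRANSLATED, xlate_dst=INSIDE))
    return fw


def demo() -> Dict[Tuple[str, bool], Optional[Tuple[str, str, str]]]:
    """Run one packet each way, with and without the static route."""
    results = {}
    for fixed in (False, True):
        fw = build_firewall(with_static_route=fixed)
        # Outbound works either way: the remote side sees 172.20.232.5.
        results[("out", fixed)] = fw.forward("192.168.224.5", "172.20.1.10")
        # Inbound to the translated address: NAT happens, but where is it routed?
        results[("in", fixed)] = fw.forward("172.20.1.10", "172.20.232.5")
    return results


if __name__ == "__main__":
    for (direction, fixed), out in demo().items():
        print(f"{direction:>3} static_route={fixed!s:5} -> {out}")
```

Without the route, the inbound packet is translated to 192.168.224.5 but has already been committed to the "vpn" interface; with the /24 route added, longest-prefix matching sends it to "inside".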

------------------------------

Date:    Thu, 15 Nov 2001 12:13:26 -0500
From:    "Toth, David" <[email protected]>
Subject: Re: Problem when using opsec lea server to connect to netf orensics

Does anyone have a problem when changing the /etc/fw/conf/fwopsec.conf file on the management station? Whenever I change this file by uncommenting the line that reads

lea_server port 18184

and stop and start the mgmt station, I totally mess up my connection to the packet filtering modules. Then I cannot save, or install, a rulebase, or receive logging information.

Thanks in advance,

Dave in Cleveland.

------------------------------

Date:    Thu, 15 Nov 2001 10:38:53 -0700
From:    "Thompson, Jeff" <[email protected]>
Subject: Re: WINS Resolution

Is this the userc.C file on the client or firewall or both?  I am having a
similar problem.  My remote clients can "browse" each other, but can't see
the encrypted network.

-----Original Message-----
From: Chris H [mailto:[email protected]]
Sent: Tuesday, November 13, 2001 5:05 PM
To: [email protected]
Subject: Re: [FW-1] WINS Resolution


If you have added the WINS server to your configuration and add the DNS
settings
                :dns_xlate (true)
                :dns_encrypt (true)
to the first section of the userc.C file, it should work.
--- John Tanouye <[email protected]> wrote:
> I have a strange problem trying to get Secure Clients to resolve the
> internal names of the computers in our network. I'm able to connect and
> authenticate okay, but when I try to go to a computer by typing
> \\computername for example, it can't find it. I added a WINS server to the
> TCP/IP settings, and that worked at first, but the weird thing is that it
> stopped working. So, I then added an LMHOSTS file, and that only partially
> works. I would be able to ping the name, but still am not able to view the
> contents of the computer.
>
> Maybe this info would help too. There seems to be a related problem on the
> firewall server itself. When logging into the management station from a
> remote computer I used to go to "gatekeeper", but now I have to go directly
> to the IP. I also had to add my computer's IP address to the list of
> allowed GUI clients, whereas before I just put in the name of the computer.
> For some reason the firewall is not resolving any computer names that pass
> through it. However the computers on our internal network domain resolve
> just fine...
>
> I have Secure Clients being able to access anything on our network as the
> second rule after dropping silent services (bootp, bootp-client,
> nbdatagram, nbname, nbsession). Firewall-1 is version 4.1 running on NT
> Server. All client machines are Win 2000.
>
> Has anyone experienced this before?
>
> Thanks,
>
> John



===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

------------------------------

Date:    Thu, 15 Nov 2001 18:31:34 +0100
From:    Niels Jespersen <[email protected]>
Subject: Re: AW: [FW-1] fwgui

Checkpoint states that there are no plans for producing a Linux GUI. There
have, however, been some indications from CP that the Windows GUI will be
made compatible with Wine.

-- Niels

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of andre'
Sent: 15. november 2001 10:21
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] fwgui


There is a fwgui for Motif. You do need a Motif license to actually use it.
Currently there is no fwgui for a Linux based box.

(how hard can it be to port the fwgui for motif to work under X on linux?)

rgds
andre'
#include <std-disclaimer.h>


[email protected] wrote:

>Hello,
>
>as far as I know, there is no such animal. No GUI for Linux.
>
>Regards,
>--Joerg
>
>
>-----Original Message-----
>From: tolits [mailto:[email protected]]
>Sent: Thursday, 15 November 2001 01:55
>To: [email protected]
>Subject: [FW-1] fwgui
>
>
>Hello All,
>
>What is the fwgui (Policy Editor) in Linux for FW-1? What package do I
>need? I have FW-1 running on Solaris and I would like to administer it
>using fwgui on a Linux management station, because currently I'm using
>the Windows fwgui and I'm tired of shifting back from Linux to Windows just to
>edit my firewall policy. I think if it runs in X/Motif then it will also
>run in Linux, is it?
>
>tia,
>
>Lito
>


------------------------------

Date:    Thu, 15 Nov 2001 10:53:43 -0800
From:    Tim Jones <[email protected]>
Subject: SecureClient encryption domains and NAT'd user networks.

Hello.

I've run into an issue with SecureClient 4.1 that I'm
hoping someone can help me with.

Our encryption domain is 192.168.0.0.  I'm wondering
how we can allow a client whose home network uses
addresses in this range to access the encryption
domain.  Whenever the client tries to ping something
in the encryption domain, the traffic doesn't go
through the VPN, and I'm not 100% sure why.

Are there issues with using SecureClient from a
network in the same subnet as the encryption domain?

Thanks!


------------------------------

Date:    Thu, 15 Nov 2001 14:20:23 -0500
From:    Chris Arnold <[email protected]>
Subject: Re: SecureClient encryption domains and NAT'd user network s.

Yes, one of you will have to change your address blocks as far as VPN-1 is
concerned.

Chris


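An added illustration of the collision Tim describes and of the advice above (not code from either poster or from Check Point): it flags client home LANs that overlap the encryption domain, shows with a simplified longest-prefix routing model why such a destination is delivered on the home LAN instead of the tunnel, and picks a replacement RFC 1918 block that collides with nothing. It assumes the encryption domain is 192.168.0.0/16 (the post gives only 192.168.0.0); all client networks are constructed.

```python
"""Overlap between a SecureClient's home LAN and the VPN encryption domain.

Added example, not Check Point code. The routing part is a deliberately
simplified model of a host's route selection: the most specific matching
route wins, so a directly connected /24 beats a /16 encryption domain.
"""
import ipaddress

# Private address space from which a replacement client range can be drawn
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlapping_clients(encryption_domain, client_lans):
    """Return the client home LANs that share addresses with the encryption domain."""
    enc = ipaddress.ip_network(encryption_domain)
    return [lan for lan in client_lans
            if ipaddress.ip_network(lan).overlaps(enc)]


def longest_prefix_match(dest, routes):
    """Simplified host routing: routes maps 'network' -> next hop name."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, via in routes.items():
        n = ipaddress.ip_network(net)
        if dest in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best[1] if best else None


def where_does_it_go(dest, home_lan, encryption_domain):
    """Which path a packet from the client takes under the simplified model.

    With the home LAN inside the encryption domain, the connected route is
    more specific, so the packet is delivered locally and never sees the
    tunnel: the symptom in the post (pings never enter the VPN).
    """
    routes = {
        home_lan: "home-lan",              # directly connected interface
        encryption_domain: "vpn-tunnel",   # what SecureClient should encrypt
        "0.0.0.0/0": "home-gateway",       # default route via the home router
    }
    return longest_prefix_match(dest, routes)


def pick_non_overlapping(encryption_domain, client_lans, prefixlen=24):
    """Suggest an RFC 1918 block of the given size that overlaps nothing in use."""
    used = [ipaddress.ip_network(n) for n in [encryption_domain, *client_lans]]
    for space in RFC1918:
        for candidate in space.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed scenario: two remote users, one on a colliding home LAN
    enc = "192.168.0.0/16"
    homes = ["192.168.0.0/24", "10.20.30.0/24"]
    print("colliding home LANs:", overlapping_clients(enc, homes))
    for home in homes:
        print(home, "-> 192.168.0.50 goes via", where_does_it_go("192.168.0.50", home, enc))
    print("free block for the colliding client:", pick_non_overlapping(enc, homes))
```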
------------------------------

Date:    Sun, 11 Nov 2001 18:57:46 -0600
From:    Martin Hoz <[email protected]>
Subject: Re: Checkpoint Sizing... HELP!

Chris Labatt-Simon - D&D Consulting wrote:
>

Hi Chris!

> We currently have a userbase of 15,000 users and are running the following:
>
> - Checkpoint VPN-1 4.1 SP4
> - Stonebeat Fullcluster 2.0
> - Two Sun Enterprise 250's, single 300Mhz processor, 1GB RAM, dual 18GB
> drives with Disksuite Mirroring
> - One Sun Ultra/2 for a management station
> - Five DMZs
> - Websense, running locally on each firewall with the firewall pointing to
> 127.0.0.1 for UFP Access
> - About 150 rules
> - A 6MB upstream/downstream pipe to AT&T
>
> We currently see (within stonebeat) about 75%-100% load on both
> firewalls.  If anyone else here has this number of users, how many
> firewalls do you currently have in place and of what type?  We are trying


You can get some clues from:
a) Use sar to see what's loading your machines
b) Use iostat -xtc to see how mirroring is affecting your I/O
performance,
        since in the past I have seen mirroring cause low performance, especially
        if you have I/O to disk (not sure in your case, since you have the
        management on another machine).
c) See fw ctl pstat to get some clues about the firewall's resource
consumption
d) Use /usr/ucb/ps aux to see which processes are loading your machines


You can also see which rules are used most and try to put them at
the top. Generally, you can also follow the performance recommendations
for your machines which appear on Check Point's pages...

> to determine a new architecture which increases performance (substantially)
> while maintaining high availability.  A few of the things we can try today are:
>
> - Move Websense off of the firewalls (reduces high availability as 4.1 does
> not support load balancing across multiple servers)

Some kind of load balancing can be achieved for UFP and CVP servers from
4.1 SP2, see "Load Sharing" under the chapter about servers on the
Firewall manual (SecAdmin.pdf).

> - Purchase two more processors (one for each firewall) so the http security
> servers can multi-process (don't know how much performance this will
> actually add)

For Security Servers, more processors can improve performance. See the
same manual in the Security Servers sections...

Hope this helps. Good luck!

- Martín.

--
Martin H. Hoz-Salvador
EX-A-IEC, EX-A-FIME
http://gama.fime.uanl.mx/~mhoz

"Gimme a firewall sandwich with packet filter bread and
fast ethernet mustard. No pickles, please." - A. A.
"'Firewall sandwich with load balancers' sounds good; I'll
 order two with extra mayonnaise and a Coca Cola" - C. R. Wilson


------------------------------

Date:    Thu, 15 Nov 2001 21:29:38 -0000
From:    Tim Holman <[email protected]>
Subject: Re: NOKIA boot critical error

What happens when you 'type any character to enter command mode.' ?
If this error happens when you have done this, then you're a bit stuffed, as
there's no way afaik to get round this.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
Ekblad, Eric M
Sent: 14 November 2001 23:16
To: [email protected]
Subject: [FW-1] NOKIA boot critical error


Dear all:

Someone on my team (not me, seriously) crapped out a new IP650 by trying to
alter the boot manager (despite warnings that only the factory should do
this).

Is there anyway around an error like this?  (I do not think so but I thought
that I would ask).  I think that we need to send this to the factory.

Loading boot manager..Bootmgr loaded.Entering autoboot mode.
Type any character to enter command mode.
Booting wd(0,f)/image/IPSO-3.4.1-FCS5-08.18.2001-053000-826/kernel @
0xc0100000
text=0x237000

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc0100038
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xf03aa607
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1 (swapper)
interrupt mask          = net tty bio
panic: page fault

syncing disks... done
Rebooting...


Thanks for your time!

Eric Ekblad
BP Extranet Team




**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
Dimension Data mail system for the presence of computer viruses.

www.uk.didata.com
**********************************************************************

------------------------------

Date:    Thu, 15 Nov 2001 21:29:30 -0000
From:    Tim Holman <[email protected]>
Subject: Re: Adding remote firewall modules

Change in IP address will mean you will need to update the rulebase and
reestablish the putkeys.
As for sending the config (pushing the policy), by default, FW-1 will use
S/Key authentication for all intra firewall traffic, and if you have the
VPN-1 license as well, it will use fwa-1 authentication/encryption to send
the traffic.
In your particular case, I'd advise you install the firewall at your site,
so that it accepts telnet or SSH, ship it to site, remotely update putkeys,
and then push the policy down.

Tim



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Steve
Loughran
Sent: 14 November 2001 11:09
To: [email protected]
Subject: [FW-1] Adding remote firewall modules


Hi all

I'm about to upgrade from a single management/firewall unit by adding
another firewall unit at another site, and I have a few (probably very
simple) questions...

If I configure the second firewall unit here, install software, register it
with the management module and ship to other site, will the change of IP
address cause any problems in the rules base or firewall authentication?

When you send the config to the remote firewalls, which IP address does it
use? If it's the external IP, is that traffic encrypted between management
module and firewall module? (We have an internal WAN connection on the inside
between the sites)

Any other gotchas I need to be aware of that I wouldn't have come across
whilst running only a single management/firewall unit?

Any help with these issues would be greatly appreciated. Many thanks in
advance for your help.

--

Steve

-------------------------------------------------
Steve Loughran, Network Infrastructure Manager
Sony Computer Entertainment Europe (Cambridge)
Home Page -> http://sl.scee.sony.co.uk/
Yamaha YZF1000R Thunderace
ICQ#: 12666311 (Work), 104426046 (Laptop)
Team Waste - Where do you want to go wrong today?





------------------------------

Date:    Thu, 15 Nov 2001 21:29:34 -0000
From:    Tim Holman <[email protected]>
Subject: Re: Help configuring FTP PAssive mode


What problem are you experiencing ?
Do FTP client and server support pasv mode ? Is it enabled ?


  -----Original Message-----
  From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of RBHATIA
  Sent: 29 October 2001 20:15
  To: [email protected]
  Subject: Re: [FW-1] Help configuring FTP PAssive mode


  I already have the FTP PASV connection checkbox checked in policy
properties. Is this all that I need to do to allow Passive mode ftp through
? What is the FTP PASSIVE server there for ?
    -----Original Message-----
    From: Tim Holman (home) [mailto:[email protected]]
    Sent: Saturday, October 27, 2001 6:15 AM
    To: [email protected]
    Subject: Re: [FW-1] Help configuring FTP PAssive mode


    Before trying to do all this 'manually', try selecting the accept FTP
PASV connections tick box in policy properties.
      -----Original Message-----
      From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of RBHATIA
      Sent: 26 October 2001 23:35
      To: [email protected]
      Subject: [FW-1] Help configuring FTP PAssive mode


      I have FTP active mode enabled on my firewall. Due to port failure
errors I need to switch over to FTP PASSIVE transfer mode. I need help
configuring FTP Passive mode. I've looked all over the Phoneboy.com site but
came across pages concerning the difference between Active and Passive mode
but nothing about actually enabling Passive mode ftp.

      I already have FTP control Port (21) open both coming in and going out
of my FTP server. I'm wondering about the data connection port.

      Do I need to remove the FTP data service (20) that was originally
configured for Active FTP transfers ?

      In the list of services, I see a service called FTP-PASV. Do I have to
allow this service both coming into my FTP server and going out of my FTP
server ?
      i.e. should my rulebase look like this?
      Source       Destination    Service        Action
      FTPserver    Any            FTP-Passive    Allow
      Any          FTPserver      FTP-Passive    Allow

      In Policy - Properties - Services tab - I have the Enable FTP_PORT
Data Connections and Enable FTP_PASV Data Connections options already
checked.

      Please advise.
      Thanks.
      RB



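Added example, not Check Point's code or any poster's: a model of the control-channel inspection that a property like "Enable FTP_PASV Data Connections" stands for. It parses the PORT command (active mode, server connects from port 20) and the 227 reply (passive mode, client connects to the announced port), opens only the one data flow negotiated, and refuses announcements that name a host other than the control-channel peer or a privileged port, which is why a static port-20 rule is neither sufficient nor needed for passive transfers. Addresses and control-channel lines are constructed.

```python
"""Model of the FTP control-channel inspection a stateful firewall performs.

Added example, not Check Point code. In active mode the client sends PORT and
the server connects from port 20 to the announced client port; in passive mode
the server answers 227 and the client connects to the announced server port.
Neither flow matches a static rule, so the firewall reads the negotiation and
opens exactly that one connection. All sample values are constructed.
"""
import re

# Six decimal bytes h1,h2,h3,h4,p1,p2 as specified in RFC 959
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b[^(]*\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
FTP_DATA_PORT = 20


def _decode_hostport(groups):
    """Turn the six captured numbers into (ip, port); None if any exceeds 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv(reply):
    """(ip, port) announced by a '227 Entering Passive Mode (...)' reply."""
    m = PASV_RE.match(reply.strip())
    return _decode_hostport(m.groups()) if m else None


def parse_port(command):
    """(ip, port) announced by a client's 'PORT h1,h2,h3,h4,p1,p2' command."""
    m = PORT_RE.match(command.strip())
    return _decode_hostport(m.groups()) if m else None


def data_connection(line, client_ip, server_ip):
    """Return (flow, mode) for one control-channel line.

    flow is the single TCP data connection to permit for this transfer, or
    None; mode is "active", "passive" or the reason nothing was opened.
    The announced address must be the peer already on the control channel
    and the announced port must be unprivileged; anything else is refused.
    """
    if line.upper().startswith("PORT"):
        parsed = parse_port(line)
        if parsed is None:
            return None, "malformed PORT command"
        ip, port = parsed
        if ip != client_ip:
            return None, "PORT address is not the control-channel client"
        if port < 1024:
            return None, "PORT names a privileged port"
        return {"src": server_ip, "sport": FTP_DATA_PORT,
                "dst": ip, "dport": port}, "active"
    if line.startswith("227"):
        parsed = parse_pasv(line)
        if parsed is None:
            return None, "malformed 227 reply"
        ip, port = parsed
        if ip != server_ip:
            return None, "227 address is not the control-channel server"
        if port < 1024:
            return None, "227 names a privileged port"
        return {"src": client_ip, "sport": "any",
                "dst": ip, "dport": port}, "passive"
    return None, "not a data-connection negotiation"


def inspect_session(lines, client_ip, server_ip):
    """Run each control-channel line through data_connection; keep opened flows."""
    opened = []
    for line in lines:
        flow, mode = data_connection(line, client_ip, server_ip)
        if flow is not None:
            opened.append((line, flow, mode))
    return opened


if __name__ == "__main__":
    # Constructed session: client 198.51.100.7 talking to server 192.0.2.10
    session = [
        "USER anonymous",
        "PASV",
        "227 Entering Passive Mode (192,0,2,10,19,136).",   # -> server port 5000
        "PORT 198,51,100,7,4,1",                            # -> client port 1025
        "227 Entering Passive Mode (203,0,113,9,19,136).",  # other host: refused
    ]
    for line, flow, mode in inspect_session(session, "198.51.100.7", "192.0.2.10"):
        print(f"{mode:8s} {line!r:50s} -> {flow}")
```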


------------------------------

Date:    Thu, 15 Nov 2001 16:49:44 -0800
From:    Tim Jones <[email protected]>
Subject: Stripping VBS files.

Hello.

With CheckPoint's SMTP strip feature, is it possible
to strip only VBS files?  I couldn't find a MIME type
for just VBS files so I'm not sure.

Thanks!


------------------------------

Date:    Thu, 15 Nov 2001 23:52:27 -0200
From:    Daniel Accioly Rosa <[email protected]>
Subject: FTP Security Server giving a lot of trouble!

Hello everybody,

I'm trying to implement CVP Anti Virus checking on all FTP traffic going through my FireWall-1 4.1.

The problem is that, after I create the objects, servers, resources and rules (with resources), I'm not able to ftp to the internet anymore.

Without the rule I can connect without problem. With the rule I get the following message:

C:\>ftp microsoft.com
Connected to microsoft.com.
220 aftpd: Check Point FireWall-1 Secure FTP server running on fw-ext
User (microsoft.com:(none)): anonymous
331 aftpd (not authenticated): Enter server password
Password: [email protected]
413 aftpd: Connection to 207.46.230.219 failed
Connection closed by remote host.

C:\>

When I try to specify a domain, i get the following message:

C:\>ftp microsoft.com
Connected to microsoft.com.
220 aftpd: Check Point FireWall-1 Secure FTP server running on fw-ext
User (microsoft.com:(none)): [email protected]
331-aftpd: User xpto not found
421 aftpd: aborted
Connection closed by remote host.

C:\>

regardless of whether the user exists or not.

I've already tried removing the SYNDefender, and editing the base.def file in the lib directory.

It seems to me that the FTP Security Server on the firewall is requiring a special authentication, or it's not forwarding my authentication to the target FTP site.

And to make this more exciting: I have to finish this by tomorrow 4PM (GMT-3 time), or I will be in trouble... :)

Can anybody save my day (or night?)

Thank you all!

Daniel

PS - If anybody wants to call me (I don't know.. maybe there's some crazy lunatic like me who likes to help other people just for fun) I'll be awake until tomorrow afternoon. My phone number is.

------------------------------

Date:    Fri, 16 Nov 2001 10:06:51 +0800
From:    Jacky Liu <[email protected]>
Subject: Re: License schema question

Hi,

First of all, thanks to everyone who replied to my question.

I think I will just order 2 sets of unlimited IP licenses in order to save me
from a lot of unforeseeable trouble.

Thanks again.

Best Regards,
JL

----- Original Message -----
From: "Symon Thurlow" <[email protected]>
To: <[email protected]>
Sent: Thursday, November 15, 2001 8:44 PM
Subject: Re: [FW-1] License schema question


> I am in the same situation, I asked checkpoint, their official reply
> was that both have to have the same licensing.
>
> I can dig out the email if anyone is interested.
>
> Cheers,
>
> Symon
>
> -------------------
> > Hmm.. don't know how they interpret that,
> > I mean, indirectly, the outer firewall is also protecting your
> internal
> > network, no matter how you look at it,
> > though it's far from obvious whether you fall in under this:
> >
> > "It is a violation of this End User License Agreement to create,
> > set up, or design any hardware, software or system which alters
> > the number of readable IP-addresses presented to the Product with
> the
> > intent, or resulting effect, of circumventing the Licensed
> Configuration."
> >
> > The words "or resulting effect" seem to bind you, even if your
> intention
> > in the design is not to circumvent the number of licensed IP's.
> >
> > My guess:
> > If there is never any traffic from the internal network through the
> bastion,
> > then you wouldn't need the licenses.
> > If your internal hosts communicate through the outer firewall,
> though,
> > I would guess you need an according number of licenses.
> >
> > What do you experts out there say?
> >
> > Cheers,
> > Anders :)
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Jacky Liu [mailto:[email protected]]
> > > Sent: 15. november 2001 08:16
> > > To: [email protected]
> > > Subject: [FW-1] License schema question
> > >
> > >
> > > Hi all,
> > >
> > > I would like to ask a question about license calculation for
> > > this design
> > >
> > >
> > >                                         Intrusion Detection
> > >                                         System
> > >                                             |
> > >                                             |
> > > Internet --- FW (Bastion) --- Email&WWW --- FW (Choke) ---
> > > Internal Network
> > >
> > >
> > > For FW (Choke), I will order unlimited license. I am just
> > > wondering which
> > > kind of license schema I should pick for FW (Bastion) in order to
> save
> > > money. Can I just pick 25-user license schema, because the FW
> > > (Bastion) is
> > > only protect the servers between itself and FW (Choke).
> > >
> > > Best Regards,
> > > JL
> > >
> >
> Cheers,
>
> Symon
>

------------------------------

Date:    Fri, 16 Nov 2001 10:40:54 +0800
From:    "Sim, CT (Chee Tong)" <[email protected]>
Subject: why there is only one way connection?

Hi.. ,

I have a Check Point Firewall-1 4.0 installed on a Sun box located
in our Bangkok branch (the other side of the WAN).  I have a problem that I
can't solve.  From our workstations in Singapore, I can ping the
firewall in Bangkok, but from the Bangkok firewall I cannot ping any
workstations in Singapore, although it can ping the workstations in Bangkok.
Could you please tell me what could be wrong?

Besides that, a few more questions:
1) If I enable a rule in the firewall with source: A, destination: B, service: ICMP,
action: Accept, it makes A able to ping B. Does it mean that the rule also
enables B to ping A?

2) In the properties of the FW implied rules there is something like 1) Last
2) First 3) Before Last.  What is the meaning?

Thank you very much
CT





==================================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.


==================================================================

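The two numbered questions above are about first-match rule ordering and where the implied rules from the Global Properties are inserted. The following toy rulebase evaluator is an added illustration, not code from the poster or from Check Point: it places one explicit rule (A -> B, ICMP, Accept) above a cleanup rule and merges an "Accept ICMP" implied rule at the First, Before Last or Last position. The host names, the contents of the implied rule, and the state-table path that lets B's echo replies back are assumptions of the model rather than a description of any particular FW-1 release.

```python
"""Toy first-match rulebase with implied-rule placement and a connection
state table.  Added example; it models the idea, not FW-1's INSPECT code."""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"

    def matches(self, src, dst, service):
        return all(want in (ANY, got)
                   for want, got in ((self.src, src), (self.dst, dst),
                                     (self.service, service)))


def build_rulebase(explicit, implied):
    """Merge implied (Global Properties) rules into the explicit rulebase.

    implied is a list of (placement, Rule).  'First' rules go above every
    explicit rule, 'Last' rules below every explicit rule, and 'Before Last'
    rules sit just above the final explicit rule, which by convention is the
    cleanup rule (Any Any Any drop).
    """
    by_place = {"First": [], "Before Last": [], "Last": []}
    for placement, rule in implied:
        by_place[placement].append(rule)
    return (by_place["First"] + explicit[:-1] + by_place["Before Last"]
            + explicit[-1:] + by_place["Last"])


class Firewall:
    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.connections = set()  # (src, dst, service) accepted so far

    def inspect(self, src, dst, service, reply=False):
        """Verdict for one packet.  A reply belonging to a connection that was
        already accepted passes on state alone (assumption of this model);
        everything else is matched top-down, first match wins."""
        if reply and (dst, src, service) in self.connections:
            return "accept (state table)"
        for rule in self.rulebase:
            if rule.matches(src, dst, service):
                if rule.action == "accept":
                    self.connections.add((src, dst, service))
                return f"{rule.action} ({rule.name})"
        return "drop (no match)"


A = "ws-singapore"  # hypothetical host names
B = "fw-bangkok"


def run_scenario(icmp_placement):
    """Explicit rulebase: one rule letting A ping B, then a cleanup rule.
    Implied rule: an 'Accept ICMP' property placed per icmp_placement."""
    explicit = [
        Rule("A-to-B ping", A, B, "icmp", "accept"),
        Rule("cleanup", ANY, ANY, ANY, "drop"),
    ]
    implied = [(icmp_placement,
                Rule("implied Accept ICMP", ANY, ANY, "icmp", "accept"))]
    fw = Firewall(build_rulebase(explicit, implied))
    return {
        "A->B echo request": fw.inspect(A, B, "icmp"),
        "B->A echo reply":   fw.inspect(B, A, "icmp", reply=True),
        "B->A echo request": fw.inspect(B, A, "icmp"),
    }


if __name__ == "__main__":
    for placement in ("Last", "Before Last", "First"):
        print(placement, run_scenario(placement))
```

With the implied rule at Last it sits below the cleanup rule and can never match, so B cannot open a ping to A on the strength of the A -> B rule alone; only B's replies to A's requests get through. Moving the implied rule to Before Last or First changes the verdict for B's own echo requests, which is exactly why the placement setting matters.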
------------------------------

Date:    Mon, 12 Nov 2001 08:31:43 +0100
From:    =?iso-8859-1?Q?J=F6rn?= Kraus <[email protected]>
Subject: Novell File and Print Services

Hello,
this is not a specific Check Point question, but I hope somebody on this list can help me.
I must get Novell File and Print Services through a CP 4.1. The clients are in one DMZ and the servers (5.x) are internal.

I found the following ports:
ipx             213
ndsauth         353
netware-ip      396
but I don't know between which addresses I must permit them. Do I need ndsauth between the client and all servers, or only to the server that
holds the NDS tree? And which source ports do I need? The main problem is that I don't have a Novell server, but I must create the rules for
a customer.
Thanks for your efforts.
--
Best regards

Jörn Kraus
Managed Security Services

---------------------------
BDG GmbH & Co.KG
Wendelinstr. 1
D-50933 Köln
Germany
Tel: +49+221/954231-0
Fax: +49+221/954231-31
Web: www.bdg.de
Mail: [email protected]
---------------------------


------------------------------

Date:    Thu, 15 Nov 2001 19:35:39 -0800
From:    David Ho <[email protected]>
Subject: NAT problem

Hello everyone,

I'm currently trying to get my SecureClient to establish a VPN tunnel to our
FW-1 from behind a DSL gateway/router running NAT. Our company is using FWZ
instead of IKE for the authentication scheme. I opened up port 259 for FWZ
and was able to get the client to authenticate fine.

Where it breaks is after the authentication: I cannot seem to successfully
pass the data after that. I sniffed the network and can see that the
payload is encrypted going out, and I'm getting responses from the FW-1. I
know that IPSec has some difficulties with NAT, but my company is not using
it.

Any ideas on how to make the VPN tunnel work behind a NATing gateway?

Thanks,
David
*******************Internet Email Confidentiality Footer*******************


Privileged/Confidential Information may be contained in this message.  If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not copy or deliver this
message to anyone. In such case, you should destroy this message and kindly
notify the sender by reply email. Please advise immediately if you or your
employer do not consent to Internet email for messages of this kind.
Opinions, conclusions and other information in this message that do not
relate to the official business of my firm shall be understood as neither
given nor endorsed by it.

------------------------------

Date:    Mon, 12 Nov 2001 14:35:19 +0500
From:    Roman Serbski <[email protected]>
Subject: NG or Provider-1?

Hi list

Sorry for the stupid question, I think I'm lost with the terminology :-)
Is there any difference between Check Point NG (Next Generation) and
Provider-1?
NG seems to be the next step after FW-1 4.1, right? What is Provider-1 in
this case?
Our company uses Check Point FW-1 4.1. Since Check Point stopped
providing support for everything prior to 4.1 (BTW, what about support for
4.1? Still valid for some period of time? :-), our top management
suggested upgrading to NG. So, is Provider-1 the latest version, or ...?
:-)

Second question: Is there any way to upgrade to NG from FW-1 4.1, or
should everything be installed from scratch?

Looking forward to hearing from you.

Regards,
Roman


------------------------------

Date:    Fri, 16 Nov 2001 08:13:54 +0200
From:    andrevs <[email protected]>
Subject: Re: NAT problem

Try IKE with UDP encapsulation. FWZ with NAT is a bad idea.

rgds
andre'
#include <std-disclaimer.h>

David Ho wrote:
> [original "NAT problem" message quoted in full; see above]


--
Security Engineer
Dimension Data Security
Email: [email protected]
Tel. +27 21 659 2540
Fax +27 21 659 2195

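The reply above recommends UDP encapsulation without spelling out why a port-translating NAT gets in the way of encrypted traffic that is not carried in TCP or UDP. The following toy NAT is an added illustration, not code from either poster, from Check Point, or a model of the FWZ wire format: it shows that a datagram carried as a bare IP protocol (ESP, IP protocol 50, stands in here) gives the NAT no port field to map, so a strict NAT drops it and a lenient one can only serve a single inside host per peer, whereas the same payload wrapped in UDP gets an ordinary port mapping for every client. All addresses, the encapsulation port and the payload bytes are constructed for the example.

```python
"""Toy port-translating NAT: bare-protocol versus UDP-encapsulated VPN traffic.
Added example; it models neither FWZ nor Check Point's own UDP encapsulation."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "udp", "tcp", "esp", ...
    src_port: Optional[int] = None  # only present for udp/tcp
    dst_port: Optional[int] = None
    payload: bytes = b""


class PortNAT:
    """Outbound udp/tcp is rewritten to (public_ip, mapped_port) and inbound
    traffic is reversed through the same table.  A flow without ports can
    only be keyed on (protocol, peer), so a second inside host talking to
    the same peer over the same protocol collides with the first."""

    def __init__(self, public_ip, pass_portless=False, first_port=40000):
        self.public_ip = public_ip
        self.pass_portless = pass_portless
        self.next_port = first_port
        self.port_out = {}     # (src_ip, src_port, proto) -> mapped port
        self.port_in = {}      # mapped port -> (inside ip, inside port)
        self.portless_in = {}  # (proto, peer_ip) -> inside host

    def outbound(self, pkt):
        if pkt.proto in ("udp", "tcp"):
            key = (pkt.src_ip, pkt.src_port, pkt.proto)
            if key not in self.port_out:
                self.port_out[key] = self.next_port
                self.port_in[self.next_port] = (pkt.src_ip, pkt.src_port)
                self.next_port += 1
            return replace(pkt, src_ip=self.public_ip, src_port=self.port_out[key])
        if not self.pass_portless:
            return None                # the simplest NAT boxes just drop it
        key = (pkt.proto, pkt.dst_ip)
        if self.portless_in.setdefault(key, pkt.src_ip) != pkt.src_ip:
            return None                # another inside host already owns this flow
        return replace(pkt, src_ip=self.public_ip)

    def inbound(self, pkt):
        if pkt.proto in ("udp", "tcp"):
            if pkt.dst_port not in self.port_in:
                return None
            inside_ip, inside_port = self.port_in[pkt.dst_port]
            return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        inside_ip = self.portless_in.get((pkt.proto, pkt.src_ip))
        return None if inside_ip is None else replace(pkt, dst_ip=inside_ip)


GATEWAY = "198.51.100.1"  # constructed address of the VPN gateway
ENCAP_PORT = 2746         # assumption: UDP port used for encapsulation in this example


def vpn_round_trip(nat, client_ip, encapsulate):
    """Push one encrypted datagram from client_ip to GATEWAY through nat and
    deliver the gateway's answer back.  Returns the inside IP that finally
    receives the reply, or None if the NAT lost it on either leg."""
    ciphertext = b"\x00" * 32  # constructed stand-in for an encrypted payload
    if encapsulate:
        out = Packet(client_ip, GATEWAY, "udp", ENCAP_PORT, ENCAP_PORT, ciphertext)
    else:
        out = Packet(client_ip, GATEWAY, "esp", payload=ciphertext)
    on_wire = nat.outbound(out)
    if on_wire is None:
        return None
    # the gateway answers to whatever it saw as the source
    reply = Packet(GATEWAY, on_wire.src_ip, on_wire.proto,
                   on_wire.dst_port, on_wire.src_port, ciphertext)
    delivered = nat.inbound(reply)
    return None if delivered is None else delivered.dst_ip


def compare():
    """Two clients behind one NAT under three NAT behaviours.
    Returns {(mode, client_ip): inside ip that got the reply or None}."""
    clients = ("192.168.1.10", "192.168.1.11")  # constructed inside hosts
    results = {}
    for mode, nat, encap in (
        ("bare protocol, strict NAT", PortNAT("203.0.113.5"), False),
        ("bare protocol, lenient NAT", PortNAT("203.0.113.5", pass_portless=True), False),
        ("UDP encapsulated", PortNAT("203.0.113.5"), True),
    ):
        for client in clients:
            results[(mode, client)] = vpn_round_trip(nat, client, encap)
    return results


if __name__ == "__main__":
    for key, outcome in compare().items():
        print(key, "->", outcome)
```

The strict NAT never returns anything for the bare-protocol case, the lenient NAT serves only the first inside host, and the UDP-encapsulated flows come back to both clients because each one got its own mapped port. Whether a given DSL router behaves like the strict or the lenient model is something to confirm with a sniffer on both sides of it, as the original poster did.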
------------------------------

End of FW-1-MAILINGLIST Digest - 14 Nov 2001 to 15 Nov 2001 (#2001-44)
**********************************************************************