
Re: [FW-1] FW-1-MAILINGLIST Digest - 15 Jan 2002 to 16 Jan 2002 (#2002-17)



All,

Getting SecuRemote to work with the Linksys boxes is relatively easy.

There are a couple of different ways to do this. On some of the later
firmware updates for Linksys BEFSR41, 1.40, there is nothing that has to be
done to get this to work as long as you are using UDP encapsulation.  For
this to work, you will need to have Checkpoint 4.1 on at least SP2 and
SecuRemote client needs to also be on 4176 or higher.  If you look at the
release notes for SP2 for the firewall it will explain how to set up UDP
encapsulation on your firewall.  It is fairly easy to set up so read the doc
and you are good to go.


Generally it will automatically do UDP encapsulation for you from the
SecuRemote client after you set up that feature on the firewall.  You can
also force that connection to use the UDP encapsulation method. To do that
add :force_udp_encapsulation (true) in your userc.c file on the clients
machine.  That file is under c:\prog files\checkpoint\securemote\database.
Under build 4185 and 4199 you can open the client and under tools/encryption
scheme there is an advanced options button.  Under that button you can check
a box to force UDP encapsulation if you want.

Another big problem with the Linksys boxes and many other DSL/Cablemodem
routers is that they do not allow fragmented packets back into their dial-up
boxes.  This usually happens if you are using certificates to connect with
SecuRemote.  If you are using shared secret fragmentation never occurs.  To
solve this problem Checkpoint enabled a new feature, Support IKE over TCP
(TCP 500).  This was enabled in Checkpoint v4.1 SP4 for the firewall.  You
can use this feature on the client end only if you are on Build 4185 or
higher.  Under the tools/encryption scheme/advanced options there is a check
box that will allow you to turn that feature on or off on the client end.
Check the release notes for 4.1 SP4 for the firewall for the setup in
objects.C, it is just too much to put into this mail.  Basically, this
feature will make the initial call in phase one go out over TCP 500 instead
of UDP 500.  This helps keep the packet sizes small enough to keep from
being fragmented.  It will continue on after the initial phase one connection
with UDP 500 and then finally to IP protocol 50 or UDP 2746 (UDP
encapsulation) depending on if you are using that feature or not.

All in all, UDP encapsulation uses UDP port 2746 instead of having to use IP
protocol 50.  You will also use TCP 264 for topology updates as well as UDP
port 500 for the Phase one negotiations.  If you choose to use Support IKE
over TCP, that will use TCP 500.  You will still need to allow the UDP 500
because it will still send out one UDP 500 packet at the end of the Phase
one negotiation.

Ok. So with all the above stated, I have yet to find a Linksys box, either a
regular one or a wireless one, that does not work when doing the above 2 setups.
You will need to use the UDP encapsulation every time, since the Linksys does
Port address translation, but the IKE over TCP will only need to be used if
you are doing certificate based authentication.

Good Luck.

Andy Faulkner
Perot Systems
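The port and version requirements in the message above, as an added example that is not part of the original post or of Check Point's software: a small Python model that derives which features a deployment needs (UDP encapsulation behind PAT, IKE over TCP for certificate authentication), checks the client build and service pack thresholds quoted in the message, and audits a constructed rulebase against the services that must be allowed. The `Service` tuples, the `Deployment` fields and the scenario values are assumptions built from the numbers in the message.

```python
"""
Added illustration (not Check Point's code or tooling): a small model of the
SecuRemote 4.1 services that must be allowed through a NAT/PAT router, using
the port summary and version thresholds quoted in the message above.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# A service is (transport, number); for IP protocol 50 (ESP) the number is the
# protocol number rather than a port.
Service = Tuple[str, int]

IKE_UDP: Service = ("udp", 500)     # IKE phase 1; at least one packet always uses it
IKE_TCP: Service = ("tcp", 500)     # "Support IKE over TCP" (keeps phase 1 unfragmented)
TOPOLOGY: Service = ("tcp", 264)    # SecuRemote topology download
ESP: Service = ("ip", 50)           # native IPsec ESP
UDP_ENCAP: Service = ("udp", 2746)  # UDP-encapsulated ESP, survives PAT

# Minimum versions quoted in the message.
MIN_CLIENT_BUILD_UDP_ENCAP = 4176
MIN_CLIENT_BUILD_IKE_TCP = 4185
MIN_FW_SP_UDP_ENCAP = 2
MIN_FW_SP_IKE_TCP = 4


@dataclass(frozen=True)
class Deployment:
    behind_pat: bool    # client sits behind a port-address-translating router
    cert_auth: bool     # certificate authentication (large IKE payloads)
    client_build: int   # SecuRemote client build number
    firewall_sp: int    # FireWall-1 4.1 service pack level


def recommended_features(d: Deployment) -> Tuple[bool, bool]:
    """(udp_encapsulation, ike_over_tcp): PAT always needs UDP encapsulation,
    IKE over TCP is only needed for certificate-based authentication."""
    return d.behind_pat, d.cert_auth


def version_problems(d: Deployment) -> List[str]:
    """Prerequisites that the recommended features would not meet."""
    udp_encap, ike_tcp = recommended_features(d)
    problems: List[str] = []
    if udp_encap:
        if d.client_build < MIN_CLIENT_BUILD_UDP_ENCAP:
            problems.append(f"UDP encapsulation needs client build >= {MIN_CLIENT_BUILD_UDP_ENCAP}")
        if d.firewall_sp < MIN_FW_SP_UDP_ENCAP:
            problems.append(f"UDP encapsulation needs firewall 4.1 SP{MIN_FW_SP_UDP_ENCAP}")
    if ike_tcp:
        if d.client_build < MIN_CLIENT_BUILD_IKE_TCP:
            problems.append(f"IKE over TCP needs client build >= {MIN_CLIENT_BUILD_IKE_TCP}")
        if d.firewall_sp < MIN_FW_SP_IKE_TCP:
            problems.append(f"IKE over TCP needs firewall 4.1 SP{MIN_FW_SP_IKE_TCP}")
    return problems


def required_services(udp_encapsulation: bool, ike_over_tcp: bool) -> FrozenSet[Service]:
    """Services a rulebase (or the router's filter) must allow for SecuRemote."""
    needed = {IKE_UDP, TOPOLOGY}
    needed.add(UDP_ENCAP if udp_encapsulation else ESP)
    if ike_over_tcp:
        # TCP 500 is added, not substituted: the final phase-1 packet still uses UDP 500.
        needed.add(IKE_TCP)
    return frozenset(needed)


def audit_rulebase(allowed: FrozenSet[Service], udp_encapsulation: bool,
                   ike_over_tcp: bool) -> List[Service]:
    """Required services the rulebase does not allow, sorted for stable output."""
    return sorted(required_services(udp_encapsulation, ike_over_tcp) - allowed)


if __name__ == "__main__":
    # Constructed scenario: home user behind a Linksys doing PAT, certificate auth.
    site = Deployment(behind_pat=True, cert_auth=True, client_build=4185, firewall_sp=4)
    udp_encap, ike_tcp = recommended_features(site)
    print("version problems:", version_problems(site) or "none")
    # Constructed rulebase written after enabling IKE over TCP, with UDP 500
    # "tidied away"; the message warns that it is still needed.
    rulebase = frozenset({IKE_TCP, TOPOLOGY, UDP_ENCAP})
    print("missing services:", audit_rulebase(rulebase, udp_encap, ike_tcp))
```

Run stand-alone it reports the one rule the constructed rulebase lacks, UDP 500, which is exactly the trap the message describes: enabling IKE over TCP adds a service rather than replacing one.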


-----Original Message-----
From: Automatic digest processor
[mailto:[email protected]]
Sent: Thursday, January 17, 2002 2:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 15 Jan 2002 to 16 Jan 2002 (#2002-17)

There are 46 messages totalling 3437 lines in this issue.

Topics of the day:

  1. SecuRemote access via GPRS mobile
  2. Internal authentication error / SecureRemote
  3. IP440 Failure - ot
  4. Accept Control Connections disabled (2)
  5. Checkpoint/Netscreen VPN IKE Error Messages
  6. Not able to ping from FW to either way
  7. Unable to open '/dev/fw0': No such device or address
  8. Security Policy  inst. error
  9. PPTP Connections through Hide NAT (2)
 10. Anti-spoofing and sendmail (6)
 11. Domain Controller (7)
 12. Remote connection with CheckPoint (3)
 13. logging to a mgt console
 14. Securemote with Linksys BEFSR41 router settings (?) (3)
 15. Broken FTP Logging in 4.1
 16. SecuRemote through NAT device???
 17. Using Cisco IOS firewall feature set (3)
 18. Opsec Lea events handling
 19. Free S/WAN and VPN-1
 20. AW: [FW-1] Connection lost problem
 21. nokia duplidisk??? (2)
 22. IPSO + Content Filtering
 23. FW-1 NG Rule Install slow????
 24. ISDN-Backup for VPN-Connection
 25. Unable to connect to Citrix via NFuse
 26. Checkpoint FW-1 2000 installation on Windows 2000

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

----------------------------------------------------------------------

Date:    Wed, 16 Jan 2002 09:34:08 +0100
From:    Reinhard Stich <[email protected]>
Subject: Re: SecuRemote access via GPRS mobile

hi,

At 17:07 15.01.2002 +0000, Michael Haller wrote:
>I'm getting "no-ip protocol in use" errors during authentication
>when I try to connect via my mobile using GPRS.  If I uncheck
>"only TCP/IP protocols are used" I no longer get the above error
>but I still can't connect to the protected network.  It is not
>clear why (i.e., nothing in log).
>
>Has anybody had any success connecting via a GPRS network? If
>so can you tell me what I need to do?


Does it work with "normal" Internet access?

With GPRS, you normally get private IP addresses with a NAT device at your
GSM provider. Ask your GSM provider to set up an APN for you with official
IP addresses for the client and no filtering between the client and the
Internet.

cheers
-reinhard



--
Reinhard Stich,   ASSIST    [email protected]
Internet Security AG, 1190 Wien, Nussdorfer Laende 29-33
Tel: +43 1 370 94 40  RS784-RIPE Fax: +43 1 370 94 40-10

------------------------------

Date:    Wed, 16 Jan 2002 10:08:36 +0100
From:    Holmes Jeremy <[email protected]>
Subject: Internal authentication error / SecureRemote

Hi,

I have just replaced the server on which our FireWall-1 was installed (NG
FP1) with something more powerful. I rebuilt the server offline and swapped
machines (same IP address and rules).

Everything works correctly except for SecuRemote access using hybrid mode
IKE. Users can authenticate and download the topology, but as soon as they
try to access any machine in the encryption domain, they receive the error
"Error: Internal Authentication Error".

I have checked the configuration using the Check Point document on Hybrid
mode IKE and all appears to be the same as before (which worked correctly).

I have tried to re-install SecuRemote and upgraded to the latest version
(51057) but I still receive the same error.

Can anyone help me to resolve this problem?

Regards




==========================================================================
This message and any attachments are confidential and may also be
privileged. Its contents do not constitute a commitment by the Channel
Tunnel Group Ltd and/or France-Manche S.A. except where provided for in a
written agreement between you and The Channel Tunnel Group Ltd and/or
France-Manche S.A. Any unauthorised disclosure, use or dissemination,
either whole or partial, is prohibited. If you are not the intended
recipient of the message, please notify the sender immediately. The views
expressed in this message do not necessarily reflect those of The Channel
Tunnel Group Ltd and/or France-Manche S.A. or any of their subsidiary
companies.


------------------------------

Date:    Wed, 16 Jan 2002 09:46:30 +0100
From:    richard marshall <[email protected]>
Subject: Re: IP440 Failure - ot

I've tried, both. It's dead-dead. :(

I think I'll leave it to the service guys to fix...

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Jorge
Espinel
Sent: 15 January 2002 20:53
To: [email protected]
Subject: Re: [FW-1] IP440 Failure - ot


Are you using the console port or just the keyboard and a monitor when you
try to get into the IP440???

-----Mensaje original-----
De: richard marshall [mailto:[email protected]]
Enviado el: martes 15 de enero de 2002 13:29
Para: [email protected]
Asunto: [FW-1] IP440 Failure - ot


Hi,

I have an IP440 with a celeron-333 processor that has a hardware failure (it
won't even turn on, never mind boot!)

It appears to be a BIOS or motherboard problem. Is it possible to rebuild it
with 'off the shelf' parts? If so has anyone done this, and with what parts.

thanks


------------------------------

Date:    Wed, 16 Jan 2002 09:42:44 +0000
From:    Martin Horsley <[email protected]>
Subject: Re: Accept Control Connections disabled

I can only give suggestions for the CCSA NG exam, if you are doing the 2000
exams then I'm not sure how relevant this will be.

My advice would be to make sure you know NAT and Authentication inside out,
also learn the default settings for things like TCP and UDP timeouts (Global
Properties).  I was asked a number of detailed questions about the fw
command.

I think part of the reason for my failure was to do with the ambiguous nature
of some of the questions.  I put this down to lack of experience in sitting
exams (the last exam I took was around 10 years ago), well that's my excuse!!

Anyway, expect some basic questions (Firewall definition), and a number of
questions on correct use of rules, i.e. you will be given a situation and five
rules, you have to choose the best one (two of them will be correct, one of
them will be more correct).

The exam is 90 minutes long, and you have to answer 98 questions.

I retake the exam on Friday.

Good luck, and hope this helps.

Martin.

>Hi Martin,
>
>I am going to take the exam next month, I am just curious about the CCSA
>exam and wanted to ask if you had any suggestions in preparing for it.
>Sorry I could not help with your question.
>

------------------------------

Date:    Tue, 15 Jan 2002 13:12:25 -0500
From:    [email protected]
Subject: Checkpoint/Netscreen VPN IKE Error Messages

Hello,

We are having trouble for the past few weeks trying to get a Netscreen 5 to
an NT 4.0 Checkpoint 4.1 SP5 site to site VPN operational.  Generally IKE
Phase 1 completes between the firewalls, but only very infrequently does
IKE Phase 2 complete between the firewalls, according to the Checkpoint and
Netscreen logs.  When Phase 2 does complete, outbound traffic is encrypted
but the return decrypts do not come back.  We have encryption schemes
identical for Phase 1 & Phase 2 between the Checkpoint & Netscreen boxes.
When Phase 2 does not complete, messages in the log viewer include
"Received delete SA from Peer" and  "Received Notification from Peer:
payload malformed", with the source address being the Checkpoint firewall
and the destination being the Netscreen.

Just for kicks, we tried creating a VPN connection to two other Checkpoint
4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5)
using the same Netscreen 5 box with identical encryption properties, and
both Phase 1 & Phase 2 became operational, and traffic was being encrypted
and decrypted in both directions.  Thus I eliminated the possibility that
the Netscreen may be the issue.

I then compared a few files on the various firewalls (crypt.def,
objects.C), and could not find anything except cosmetic items that were
different. I also tried the various debugging tools (fw monitor, fw -d d,
FWIKE_DEBUG), and have examined the resultant file output, and was not able
to decipher anything enlightening from these files, although I must admit
that I don't know exactly what kind of packet flow or sequencing I should
be looking for.

Thanks in advance for any assistance.


============================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
[email protected]

------------------------------

Date:    Wed, 16 Jan 2002 11:59:27 -0000
From:    Andrew Doble <[email protected]>
Subject: Re: Not able to ping from FW to either way

Do you have a stealth rule that blocks all unauthorised access to your
firewall?

In the case of pinging, your "echo-request" packet is being generated by the
firewall, but the "echo-reply" packet is being dropped.  Check your firewall
log for ICMP drops.

Andrew

-----Original Message-----
From: Puneet Kumar Bhardwaj [mailto:[email protected]]
Sent: 15 January 2002 16:14
To: [email protected]
Subject: Re: [FW-1] Not able to ping from FW to either way


Thanks for your reply Don,

1) It's local.arp only
2) I enabled the specific rule, Thanks
3) Able to telnet to the remote computer but need to test my telnet from the
remote computer.

Thanks for your support.
Puneet.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Don
Sent: Monday, January 14, 2002 7:54 PM
To: [email protected]
Subject: Re: [FW-1] Not able to ping from FW to either way


> 1)The arp entry is like this
>   206.234.243.134 <MAC address of FW's external interface>
Well that is correct. And this is in local.arp?

> 3)I am able to ping my router now 206.234.243.1 and host also 172.16.1.134
> but only after checking the option Policy>Properties>
>   Security Policy>Accept ICMP(before last)
You should enable a specific rule in your firewall policy instead of
allowing ICMP through the implied policy.

> 4)I am able to reach my FW's external IP from tracert.com but not able to
> reach my NAT IP 206.234.243.134 from the net (in this case I fail to reach
> my FW's external IP also!!)
Traceroute is a funny protocol and is not the best for troubleshooting.
You may wish to test connectivity with an application such as telnet or
http.

-Don


------------------------------

Date:    Wed, 16 Jan 2002 19:15:38 +0530
From:    Mohan Sundar <[email protected]>
Subject: Unable to open '/dev/fw0': No such device or address

Hi

     I have also faced this problem and got it solved by reinstalling the
CheckPoint license.
Please check that the file dev/fw0 has your firewall's external IP.
Try this... All the best

Regards,
MOHi


------------------------------

Date:    Wed, 16 Jan 2002 19:30:26 +0530
From:    Mohan Sundar <[email protected]>
Subject: Accept Control Connections disabled

Hi all,

   I hope the "fw unload localhost" command will help to solve this.
If you execute this, the current policy will be unloaded; then you can
communicate with your firewall & management module and can install a new
policy. I once did this when the GUI lost communication with the management server.
    I have not checked the above for control connections, but I hope this
will solve the problem.

Regards,
MOHi






------------------------------

Date:    Wed, 16 Jan 2002 19:37:13 +0530
From:    Mohan Sundar <[email protected]>
Subject: Security Policy  inst. error

Hi All,

I also faced the following error,

Installing Security Policy Genel on all.all@kybele
Unable to open '\Device\FW1': The system cannot find the file specified.
Failed to get interface list: The system cannot find the file specified.
Has only loopback (lo) interface, aborting...
Failed to Load Security Policy: The system cannot find the file specified.
Installing Security Policy on localhost(kybele) failed

Pls. check Interfaces listed in your firewall workstation objects.

Solution: I solved this by installing the SNMP service.

Regards,
MOHi





------------------------------

Date:    Wed, 16 Jan 2002 09:16:31 -0500
From:    Jeremy Morrill <[email protected]>
Subject: Re: PPTP Connections through Hide NAT



I have used ISA and Guardian (no longer in business) and they both do PPTP
flawlessly without any type of special configuration. Checkpoint however is
a different story. See the following document for proper configuration of
PPTP with Checkpoint FW-1.

ftp://ftp.andover.edu/test/pptp.pdf

-JRM



Jeremy Morrill

Network Project Manager

Phillips Academy

E-mail: [email protected]



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of
Antoniani, Alessandro
Sent: Tuesday, January 15, 2002 11:48 AM
To: [email protected]
Subject: [FW-1] PPTP Connections through Hide NAT



Hi all,
we have FW-1 protecting our LAN with Hide NAT. Our users need to connect
to customers' LANs using PPTP VPNs with the standard Windows 2000
client. I've tried to configure the rule base to allow for this, but it
seems that the only way to have a LAN client connect is to setup a
static NAT for the client, while what I really want is to have anybody
on the LAN be able to do it without requesting a particular
configuration to IT.

ISA Server does this easily, our old firewall (Guardian) could do this
without problems as well, anybody have suggestions?

Thanks in advance

alex

_________________________________
Alessandro Antoniani, IT Manager
Bowne Global Solutions, formerly Mendez

Office  Via Ripamonti, 131/133
        20141 Milano, Italy
Phone   +39 02 53570225
Mobile  +39 335 453629
Fax     +39 02 53570222
[email protected]
www.bowneglobal.com





------------------------------

Date:    Wed, 16 Jan 2002 11:04:25 -0500
From:    Michael Glenn <[email protected]>
Subject: Anti-spoofing and sendmail

Hello all,

Some quick questions on anti-spoofing and sendmail.

We were using an IDS script to send e-mail alerts from our firewall (4.1).
We recently activated anti-spoofing on the firewall's interfaces and the
mail no longer arrives.
In the fw log I noticed that sendmail was using the address of the firewall's
external interface as a source address, and the firewall was therefore dropping
the packets (rule 0 - spoofing).
Anti-spoofing on the internal interface was configured with "This net", so I
created a group containing the Internal network object and a new workstation
object I created, giving it the firewall's external interface IP, and set this
as the "Specific" valid address.

The packets still get dropped on rule 0 - spoofing.

Does the firewall service need to be restarted for spoofing rules to take
effect?

Is there something else I'm not thinking about?

Thanks!

Michael

------------------------------

Date:    Wed, 16 Jan 2002 11:36:12 -0500
From:    Aeon Hale <[email protected]>
Subject: Domain Controller

Please forgive me for sending the list an "off checkpoint subject" but
I'm hoping somebody here has run into this situation:

DMZ:

contains numerous webservers.  Our NT guys want to set up a Domain
Controller on the DMZ for centralized authentication.  It will NOT sync with
the internal Domain Controller.

Question:

We currently have a radius server used for authentication (checkpoint
uses this for user, client, session and securemote).  I would like to
know if there is a way to have the DMZ domain controller "trust" the
radius server that way we can cut back on the amount of accounts we need
to create?

Without the trust between the DMZ Domain controller and radius, each
user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
and one on Radius Server.  We're trying to keep it to a minimum, i'm
sure you guys can understand.

Any help would be greatly appreciated.

Thanks,

Aeon Hale

------------------------------

Date:    Wed, 16 Jan 2002 17:36:15 +0100
From:    Guido Fraietta <[email protected]>
Subject: Remote connection with CheckPoint

Hi all,

I use Check Point VPN-1 & FireWall-1 Version 4.1 and I need to connect
to it from a remote host to run the fw policy editor visual tool.

I succeeded in starting the tool from the remote machine, but when it tries
to connect to the server, after the "Loading Encryption Method" mask, I get
the message: "No response from server!"

Any suggestion on this!?

Thanks in advance,
Guido Fraietta


------------------------------

Date:    Wed, 16 Jan 2002 11:59:42 -0500
From:    Stanley Lieberman <[email protected]>
Subject: Re: Anti-spoofing and sendmail

You want to remove the FW object and add an object for the external mail
address to that group.

Good Luck

Stanley


> Hello all,
>
> Some quick questions on anti-spoofing and sendmail.
>
> We were using an IDS script to send e-mail alerts from our firewall (4.1).
> We recently activated anti-spoofing on the firewall's interfaces and the
> mail no longer arrives.
> In the fw log I noticed that sendmail was using the address of the
> firewall's external interface as a source address and was therefore
> dropping the packets (rule 0 - spoofing).
> Anti-spoofing on the internal interface was configured with "This net", so
> I created a group containing the Internal network object and a new
> workstation object I created giving it the firewall's external interface
> IP and set this as the "Specific" valid address.
>
> The packets still get dropped on rule 0 - spoofing.
>
> Does the firewall service need to be restarted for spoofing rules to take
> effect?
>
> Is there something else I'm not thinking about?
>
> Thanks!
>
> Michael
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

------------------------------

Date:    Wed, 16 Jan 2002 17:06:49 -0000
From:    Sam Denton <[email protected]>
Subject: Re: Remote connection with CheckPoint


Is it a GUI Client?

-----Original Message-----
From: Guido Fraietta [mailto:[email protected]]
Sent: 16 January 2002 16:36
To: [email protected]
Subject: [FW-1] Remote connection with CheckPoint


Hi all,

I use Check Point VPN-1 & FireWall-1 Version 4.1 and I need to connect to it
from a remote host to run the fw policy editor visual tool.

I succeed to start the tool from the remote machine, but when it tries to
connect to the server, after "Loading Encryption Method" mask, I have the
message: "No response from server!"

Any suggestion on this!?

Thanks in advance,
Guido Fraietta



------------------------------

Date:    Wed, 16 Jan 2002 12:17:09 -0500
From:    "King, Arron S." <[email protected]>
Subject: Re: Domain Controller

We have a similar situation.  The solution we found was to use Steel-belted
RADIUS by funk software.

It can authenticate against Active Directory, NT4-style domains, its own
account list, and an account list in SQL Server.

HTH

Arron

_________________________________________________
Arron King
Network & Systems Administrator
Ohio Dominican College
[email protected]
http:\\www.odc.edu\~kinga


-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] Domain Controller


Please forgive me for sending the list an "off checkpoint subject" but
i'm hoping somebody here has run into this situation:

DMZ:

contains numerous webservers.  Our NT guys want to set up a Domain
Controller on DMZ for centralized authentication.  It will NOT sync with
internal Domain Controller.

Question:

We currently have a radius server used for authentication (checkpoint
uses this for user, client, session and securemote).  I would like to
know if there is a way to have the DMZ domain controller "trust" the
radius server that way we can cut back on the amount of accounts we need
to create?

Without the trust between the DMZ Domain controller and radius, each
user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
and one on Radius Server.  We're trying to keep it to a minimum, i'm
sure you guys can understand.

Any help would be greatly appreciated.

Thanks,

Aeon Hale


------------------------------

Date:    Wed, 16 Jan 2002 12:07:57 -0500
From:    Don Guyer <[email protected]>
Subject: Re: Remote connection with CheckPoint


Guido,

    IIRC, don't you have to add yourself as a user and/or your remote
machine's IP address in the firewall config, to be able to remotely access
the rulebase?


Don Guyer
Information Systems
Citadel Federal Credit Union
www.citadelfcu.org

-----Original Message-----
From: Guido Fraietta [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] Remote connection with CheckPoint


Hi all,

I use Check Point VPN-1 & FireWall-1 Version 4.1 and I need to connect to it
from a remote host to run the fw policy editor visual tool.

I succeed to start the tool from the remote machine, but when it tries to
connect to the server, after "Loading Encryption Method" mask, I have the
message: "No response from server!"

Any suggestion on this!?

Thanks in advance,
Guido Fraietta



------------------------------

Date:    Wed, 16 Jan 2002 12:12:37 -0500
From:    "Stover, Joseph E" <[email protected]>
Subject: logging to a mgt console

Hello All

I'm new to the Nokia/Checkpoint equipment.  We have several FWs sending logs
to our mgt console.  I'm trying to get a new Nokia IP530 to report its log
activity to our management console, and it doesn't seem to be sending any
log info (from what I can see in the [log view]).
        In the file
                 $FWDIR/conf/masters
                        +10.35.1.1  (address of the mgt console)
        there is a 'plus' sign to allow logging.

        I'm not sure what I am missing.  I'm currently browsing Checkpoint's
SecureKnowledge database for info.



Joe Stover

------------------------------

Date:    Wed, 16 Jan 2002 18:29:50 +0100
From:    "Reed Mohn, Anders" <[email protected]>
Subject: Re: Domain Controller

AFAIK, RSA has software that lets you use their RADIUS
server for NT authentication, but I think that's only when
used with SecurID tokens.

Cheers,
Anders :)


> -----Original Message-----
> From: Aeon Hale [mailto:[email protected]]
> Sent: 16. januar 2002 17:36
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
>
> Please forgive me for sending the list an "off checkpoint subject" but
> i'm hoping somebody here has run into this situation:
>
> DMZ:
>
> contains numerous webservers.  Our NT guys want to set up a Domain
> Controller on DMZ for centralized authentication.  It will
> NOT sync with
> internal Domain Controller.
>
> Question:
>
> We currently have a radius server used for authentication (checkpoint
> uses this for user, client, session and securemote).  I would like to
> know if there is a way to have the DMZ domain controller "trust" the
> radius server that way we can cut back on the amount of
> accounts we need
> to create?
>
> Without the trust between the DMZ Domain controller and radius, each
> user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
> and one on Radius Server.  We're trying to keep it to a minimum, i'm
> sure you guys can understand.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Aeon Hale
>
>

------------------------------

Date:    Wed, 16 Jan 2002 12:37:29 -0500
From:    Yves Belle-Isle <[email protected]>
Subject: Re: Anti-spoofing and sendmail

Why are you sure it's anti-spoofing related? Rule 0 is FOR ALL IMPLIED RULES,
not just anti-spoofing. Did you check the Info field of the log to be sure
it's caused by anti-spoofing?

The most common cause of rule 0 rejects on my FW-1 is
reason: unknown established TCP packet

the second is:
message SYNDefender warning: SYN -> SYN-ACK -> RST or timeout


At 11:04 2002-01-16, Michael Glenn wrote:
>Hello all,
>
>Some quick questions on anti-spoofing and sendmail.
>
>We were using an IDS script to send e-mail alerts from our firewall (4.1).
>We recently activated anti-spoofing on the firewall's interfaces and the
>mail no longer arrives.
>In the fw log I noticed that sendmail was using the address of the
>firewall's external interface as a source address and was therefore
>dropping the packets (rule 0 - spoofing).
>Anti-spoofing on the internal interface was configured with "This net", so
>I created a group containing the Internal network object and a new
>workstation object I created giving it the firewall's external interface
>IP and set this as the "Specific" valid address.
>
>The packets still get dropped on rule 0 - spoofing.
>
>Does the firewall service need to be restarted for spoofing rules to take
>effect?
>
>Is there something else I'm not thinking about?
>
>Thanks!
>
>Michael
>


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                Sogi Informatique Ltee.
------------------------------------------------------------
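
An added worked example, not part of Yves's or Michael's posts and not Check Point code: a small Python model of FireWall-1 style per-interface anti-spoofing, together with the triage Yves suggests, counting rule-0 log entries by their Info field rather than by the rule number. The interface names, addresses, log layout and the "Address spoofing" info text are constructed for the demo (the real FW-1 log export format differs), and the external interface's "Others" setting is modelled as "any source not claimed by another interface".

```python
"""Added example (not code from the list thread): model FW-1 style
per-interface anti-spoofing and triage 'rule 0' log entries by Info field.
Log layout, addresses, interface names and info strings are constructed."""
import ipaddress
import re
from collections import Counter

FW_EXTERNAL_IP = "192.0.2.1"      # constructed firewall external address

# Interface -> valid source networks.  "Others" stands for FW-1's external
# setting: any source not claimed by another interface.
THIS_NET = {"eth0": ["10.1.0.0/24"], "eth1": "Others"}
# Michael's "Specific" group: internal net plus the firewall's external IP.
SPECIFIC = {"eth0": ["10.1.0.0/24", FW_EXTERNAL_IP + "/32"], "eth1": "Others"}


def valid_source(topology, iface, src):
    """True if src is an allowed source address for a packet entering iface."""
    ip = ipaddress.ip_address(src)
    nets = topology[iface]
    if nets == "Others":
        return not any(ip in ipaddress.ip_network(n)
                       for other, ns in topology.items()
                       if other != iface and ns != "Others"
                       for n in ns)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def is_spoofed(topology, iface, src):
    """Anti-spoofing verdict for one packet: drop (True) or pass (False)."""
    return not valid_source(topology, iface, src)


# Constructed, simplified log lines in a key: value layout (not the real
# FW-1 export format).  'rule: 0' marks implied rules; 'info' says which.
SAMPLE_LOG = """\
16Jan2002 11:02:13 drop   eth0 inbound rule: 0; src: 192.0.2.1; dst: 10.1.0.25; service: smtp; info: Address spoofing
16Jan2002 11:02:40 drop   eth1 inbound rule: 0; src: 198.51.100.7; dst: 192.0.2.1; service: http; info: unknown established TCP packet
16Jan2002 11:03:02 reject eth1 inbound rule: 0; src: 198.51.100.9; dst: 192.0.2.1; service: http; info: SYNDefender warning: SYN -> SYN-ACK -> RST or timeout
16Jan2002 11:03:30 drop   eth1 inbound rule: 0; src: 198.51.100.7; dst: 192.0.2.1; service: http; info: unknown established TCP packet
16Jan2002 11:04:00 accept eth0 inbound rule: 5; src: 10.1.0.25; dst: 198.51.100.20; service: http; info:
"""

LINE_RE = re.compile(
    r"^(?P<when>\S+ \S+) (?P<action>\w+)\s+(?P<iface>\S+) (?P<dir>\w+) "
    r"rule: (?P<rule>\d+); src: (?P<src>\S+); dst: (?P<dst>\S+); "
    r"service: (?P<service>\S+); info: ?(?P<info>.*)$")


def parse_log(text):
    """Parse the constructed log layout into a list of dicts; skip junk."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage_rule0(records):
    """Rule 0 is every implied rule, so count its hits by Info field, not by
    rule number: that is what tells anti-spoofing apart from SYNDefender
    or an out-of-state TCP packet."""
    return Counter(r["info"] or "(no info)"
                   for r in records if r["rule"] == "0")


def spoof_drops_explained(records, topology):
    """Re-run the anti-spoofing check on each logged spoofing drop against
    the intended topology: a verdict of False means the installed policy
    does not match the objects, e.g. the new group was never installed."""
    return [(r["src"], r["iface"], is_spoofed(topology, r["iface"], r["src"]))
            for r in records
            if r["rule"] == "0" and "spoof" in r["info"].lower()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for reason, n in triage_rule0(recs).most_common():
        print(f"{n:3d}  {reason}")
    # With plain "This net" the firewall's own external IP is a spoof on eth0;
    # with the "Specific" group it is valid there, so a drop that persists
    # must be re-checked against the policy that is actually installed.
    print(is_spoofed(THIS_NET, "eth0", FW_EXTERNAL_IP))   # True
    print(is_spoofed(SPECIFIC, "eth0", FW_EXTERNAL_IP))   # False
    print(spoof_drops_explained(recs, SPECIFIC))
```

One consequence of the model worth noticing: once the firewall's external address is in the internal "Specific" group, "Others" on the external interface no longer includes it, so an inbound packet claiming the firewall's own address is treated as a spoof there.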

------------------------------

Date:    Wed, 16 Jan 2002 09:43:18 -0800
From:    Anthony Mendoza <[email protected]>
Subject: Re: Domain Controller

Can Steel Belted radius authenticate against 2 separate NT4 domains?

King, Arron S. wrote:

> We have a similar situation.  The solution we found was to use
> Steel-belted RADIUS by funk software.
>
> It can authenticate against Active Directory, NT4-style domains, its own
> account list, and an account list in SQL Server.
>
> HTH
>
> Arron
>
> _________________________________________________
> Arron King
> Network & Systems Administrator
> Ohio Dominican College
> [email protected]
> http:\\www.odc.edu\~kinga
>
>
> -----Original Message-----
> From: Aeon Hale [mailto:[email protected]]
> Sent: Wednesday, January 16, 2002 11:36 AM
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
>
> Please forgive me for sending the list an "off checkpoint subject" but
> i'm hoping somebody here has run into this situation:
>
> DMZ:
>
> contains numerous webservers.  Our NT guys want to set up a Domain
> Controller on DMZ for centralized authentication.  It will NOT sync with
> internal Domain Controller.
>
> Question:
>
> We currently have a radius server used for authentication (checkpoint
> uses this for user, client, session and securemote).  I would like to
> know if there is a way to have the DMZ domain controller "trust" the
> radius server that way we can cut back on the amount of accounts we need
> to create?
>
> Without the trust between the DMZ Domain controller and radius, each
> user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
> and one on Radius Server.  We're trying to keep it to a minimum, i'm
> sure you guys can understand.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Aeon Hale
>
>



--
Anthony Mendoza
IT & Customer Support
[email protected]
------------------------------

Date:    Wed, 16 Jan 2002 12:37:19 -0500
From:    Work <[email protected]>
Subject: Re: Domain Controller

Aeon,

From my understanding, I think you can make your RADIUS server a Win2k box
and have it act as a Domain Controller from the same database/box.  If you
don't want to have everything on one box, I think you could have the RADIUS
box feed off of the Domain Controller.

If I am wrong someone please feel free to straighten me out.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Aeon
> Hale
> Sent: Wednesday, January 16, 2002 11:36 AM
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
>
> Please forgive me for sending the list an "off checkpoint subject" but
> i'm hoping somebody here has run into this situation:
>
> DMZ:
>
> contains numerous webservers.  Our NT guys want to set up a Domain
> Controller on DMZ for centralized authentication.  It will NOT sync with
> internal Domain Controller.
>
> Question:
>
> We currently have a radius server used for authentication (checkpoint
> uses this for user, client, session and securemote).  I would like to
> know if there is a way to have the DMZ domain controller "trust" the
> radius server that way we can cut back on the amount of accounts we need
> to create?
>
> Without the trust between the DMZ Domain controller and radius, each
> user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
> and one on Radius Server.  We're trying to keep it to a minimum, i'm
> sure you guys can understand.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Aeon Hale
>
>
>

------------------------------

Date:    Wed, 16 Jan 2002 09:58:26 -0800
From:    John Tanouye <[email protected]>
Subject: Securemote with Linksys BEFSR41 router settings (?)

There seems to be a lot of discussion about being able to connect the
Linksys router with Checkpoint's VPN. With various methods available
tailored to each setup, it's difficult to know what works for one specific
setup. What I would like to see are the detailed settings from people who
got it working.

I am willing to keep an archive of these for people who need it in the
future. I know six people here at work using DSL/cable with a router, and
all six have the same Linksys one. This should prove useful to the many
other Linksys users out there. So how about it? Let's see your setup.

Some of the settings that would be good to share:

        objects.C modifications
        Checkpoint version and SP
        Securemote version and SP
        Incoming/Outgoing ports opened on Firewall

        Linksys firmware revision
        Linksys port mappings
        Linksys DHCP/NAT settings
        MTU value
        filter settings

        Tips or anything else you found relevant to have a successful
connection


Thanks everyone,

John

------------------------------

Date:    Wed, 16 Jan 2002 12:30:35 -0500
From:    Yves Belle-Isle <[email protected]>
Subject: Re: PPTP Connections through Hide NAT

What Alessandro wants to do is to have many PPTP clients behind the FW-1
establishing connections to PPTP servers at his customers' sites, as I
understand it.

You, Jeremy, refer him to a paper which speaks of supporting a PPTP server
behind a FW-1.

That paper is almost obsolete in FW-1 4.1 because those services are already
defined in the product.

I myself run such a PPTP server behind a FW-1 4.1, but I don't use NAT for that
server and the paper you mention doesn't either.

I use PPTP clients behind the FW-1 4.1 to access clients' LANs and it works,
but I don't use NAT at all...

So we did not respond to Alessandro's question, which was: How do I set up my
FW-1 so I can have PPTP clients behind my FW-1 accessing PPTP servers at
customers' locations and have those PPTP clients behind a hide NAT address?

I don't have the answer as I don't have that problem; I hope someone
else can answer his question.

By the way Jeremy, did you try to have PPTP clients with private IP addresses
behind your ISA or Guardian firewall, doing NAT to a public address for those
PPTP clients, establishing connections to a remote PPTP server? Did it work?

At 09:16 2002-01-16, Jeremy Morrill wrote:

>            I have used ISA and Guardian (no longer in business) and they
> both do PPTP flawlessly without any type of special configuration.
> Checkpoint however is a different story. See the following document for
> proper configuration of PPTP with Checkpoint FW-1.
>
>            ftp://ftp.andover.edu/test/pptp.pdf
>
> -JRM
>
>Jeremy Morrill
>
>Network Project Manager
>
>Phillips Academy
>
>E-mail: [email protected]
>
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of
Antoniani, Alessandro
>Sent: Tuesday, January 15, 2002 11:48 AM
>To: [email protected]
>Subject: [FW-1] PPTP Connections through Hide NAT
>
>
>
>Hi all,
>we have FW-1 protecting our LAN with Hide NAT. Our users need to connect to
>customers' LANs using PPTP VPNs with the standard Windows 2000 client. I've
>tried to configure the rule base to allow for this, but it seems that the
>only way to have a LAN client connect is to set up a static NAT for the
>client, while what I really want is to have anybody on the LAN be able to do
>it without requesting a particular configuration from IT.
>
>ISA Server does this easily, our old firewall (Guardian) could do this
>without problems as well, anybody have suggestions?
>
>Thanks in advance
>
>alex
>
>_________________________________
>Alessandro Antoniani, IT Manager
>Bowne Global Solutions, formerly Mendez
>
>Office  Via Ripamonti, 131/133
>        20141 Milano, Italy
>Phone   +39 02 53570225
>Mobile  +39 335 453629
>Fax     +39 02 53570222
>[email protected]
>www.bowneglobal.com
>
>


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                Sogi Informatique Ltee.
------------------------------------------------------------
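
An added example, not part of Yves's, Jeremy's or Alessandro's posts and not Check Point code, showing why "PPTP clients behind hide NAT" is hard for a plain port-based translator: the PPTP control channel is TCP 1723 and hides like any TCP session, but the tunnel itself is GRE (IP protocol 47), which has no ports. The only per-call demultiplexer is the 16-bit Call ID in the enhanced GRE header of RFC 2637, which is why a static (one-to-one) NAT works and a hide NAT needs PPTP awareness. The hosts, Call IDs, the toy NAT table and the PPP payload bytes are constructed; the code models no real firewall's behaviour.

```python
"""Added example (not code from the thread): why PPTP clients behind a hide
(many-to-one) NAT need a PPTP-aware translator.  The control channel is plain
TCP 1723 and hides like any TCP session; the tunnel itself is GRE (IP
protocol 47), which has no ports.  The only per-call demultiplexer is the
16-bit Call ID in the enhanced GRE header of RFC 2637.  Hosts, Call IDs and
the toy NAT table are constructed; no real firewall's behaviour is modelled."""
import struct

PPTP_GRE_PROTOCOL = 0x880B   # protocol type field for PPP-in-GRE (RFC 2637)
GRE_S_BIT = 0x1000           # sequence number present
GRE_A_BIT = 0x0080           # acknowledgment number present
GRE_VERSION_MASK = 0x0007


def build_enhanced_gre(call_id, seq, payload):
    """Enhanced GRE header: flags/version 0x3001 (K=1, S=1, version 1),
    protocol 0x880B, payload length, Call ID, 32-bit sequence number."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTOCOL, len(payload),
                       call_id, seq) + payload


def parse_enhanced_gre(pkt):
    """Return dict with call_id, seq, ack (None when absent) and payload."""
    flags_ver, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags_ver & GRE_VERSION_MASK) != 1 or proto != PPTP_GRE_PROTOCOL:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags_ver & GRE_S_BIT:
        seq, = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags_ver & GRE_A_BIT:
        ack, = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": pkt[off:off + length]}


def rewrite_call_id(pkt, new_call_id):
    """Call ID sits at bytes 6..8 of the enhanced GRE header."""
    return pkt[:6] + struct.pack("!H", new_call_id) + pkt[8:]


class HideNat:
    """Toy hide NAT for the PPTP tunnel.  A port-based NAT never looks inside
    PPTP, so for GRE it can only key on the server address and carries at
    most one inside client per server.  A PPTP-aware NAT rewrites the Call ID
    the client announces on the control channel and uses it to demultiplex
    inbound GRE."""

    def __init__(self, pptp_aware):
        self.pptp_aware = pptp_aware
        self.calls = {}             # key -> (inside_ip, inside_call_id)
        self.next_outer_id = 0x1000

    def register_call(self, inside_ip, call_id, server_ip):
        """Seen in the client's Outgoing-Call-Request on TCP 1723.  Returns
        the Call ID the server will see, or None if the NAT has no room."""
        if self.pptp_aware:
            outer = self.next_outer_id
            self.next_outer_id += 1
            self.calls[(server_ip, outer)] = (inside_ip, call_id)
            return outer
        owner = self.calls.get(server_ip)
        if owner is not None and owner[0] != inside_ip:
            return None             # second client to the same server clashes
        self.calls[server_ip] = (inside_ip, call_id)
        return call_id              # passed through unchanged

    def inbound_gre(self, server_ip, pkt):
        """GRE from the server carries the Call ID the server was given.  Map
        it back to the inside host and restore that host's own Call ID."""
        call_id = parse_enhanced_gre(pkt)["call_id"]
        key = (server_ip, call_id) if self.pptp_aware else server_ip
        hit = self.calls.get(key)
        if hit is None:
            return None
        inside_ip, inside_call_id = hit
        return inside_ip, rewrite_call_id(pkt, inside_call_id)


if __name__ == "__main__":
    server = "203.0.113.5"                     # constructed customer PPTP server
    plain = HideNat(pptp_aware=False)
    print(plain.register_call("10.1.0.11", 7, server))   # 7
    print(plain.register_call("10.1.0.12", 9, server))   # None: no port to key on
    aware = HideNat(pptp_aware=True)
    a = aware.register_call("10.1.0.11", 7, server)
    b = aware.register_call("10.1.0.12", 9, server)
    reply = build_enhanced_gre(b, 1, b"\xff\x03\xc0\x21")  # constructed PPP bytes
    print(aware.inbound_gre(server, reply)[0])           # 10.1.0.12
```

The static-NAT workaround Alessandro found corresponds to the non-aware case with one client per public address: the translator never has to tell two tunnels to the same server apart.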

------------------------------

Date:    Wed, 16 Jan 2002 13:15:23 -0500
From:    "Howell, Paul" <[email protected]>
Subject: Broken FTP Logging in 4.1

Hi,

Let me begin by saying that we're using Nokia 650's, IPSO 3.3, Fwall-1 4.1
SP3.

We've noticed that the FTP COMMAND connection is logged, but that the FTP
DATA connection is not logged.  We're using "long" logging.

This difference can result in the mistaken conclusion that an ftp session
was successful when in fact the COMMAND connection was accepted but the DATA
command was rejected.  We've been bitten by this a couple of times.

Does anyone know of a way to get the FTP DATA connection logged?

Thanks,

< paul

------------------------------

Date:    Wed, 16 Jan 2002 13:33:03 -0500
From:    "King, Arron S." <[email protected]>
Subject: Re: Domain Controller

Not sure about 2 NT 4 domains.

We are using it to authenticate via a sql server table and Active Directory,
and it is working okay.

They have a 30 day free eval on their site

-----Original Message-----
From: Anthony Mendoza [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 12:43 PM
To: [email protected]
Subject: Re: [FW-1] Domain Controller


Can Steel Belted radius authenticate against 2 separate NT4 domains?

King, Arron S. wrote:

> We have a similar situation.  The solution we found was to use
> Steel-belted RADIUS by funk software.
>
> It can authenticate against Active Directory, NT4-style domains, its own
> account list, and an account list in SQL Server.
>
> HTH
>
> Arron
>
> _________________________________________________
> Arron King
> Network & Systems Administrator
> Ohio Dominican College
> [email protected]
> http:\\www.odc.edu\~kinga
>
>
> -----Original Message-----
> From: Aeon Hale [mailto:[email protected]]
> Sent: Wednesday, January 16, 2002 11:36 AM
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
>
> Please forgive me for sending the list an "off checkpoint subject" but
> i'm hoping somebody here has run into this situation:
>
> DMZ:
>
> contains numerous webservers.  Our NT guys want to set up a Domain
> Controller on DMZ for centralized authentication.  It will NOT sync with
> internal Domain Controller.
>
> Question:
>
> We currently have a radius server used for authentication (checkpoint
> uses this for user, client, session and securemote).  I would like to
> know if there is a way to have the DMZ domain controller "trust" the
> radius server that way we can cut back on the amount of accounts we need
> to create?
>
> Without the trust between the DMZ Domain controller and radius, each
> user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
> and one on Radius Server.  We're trying to keep it to a minimum, i'm
> sure you guys can understand.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Aeon Hale
>
>



--
Anthony Mendoza
IT & Customer Support
[email protected]

------------------------------

Date:    Wed, 16 Jan 2002 13:39:36 -0500
From:    Michael Glenn <[email protected]>
Subject: Re: Anti-spoofing and sendmail

What type do I use to create an "external mail address"?  I had simply used
a workstation type object and assigned it the ip address of the external
firewall interface...

[...]


[...]

You want to remove the FW object and add an object for the external mail address
to that group..

Good Luck

Stanley


> Hello all,
>
> Some quick questions on anti-spoofing and sendmail.
>
> We were using an IDS script to send e-mail alerts from our firewall (4.1).
> We recently activated anti-spoofing on the firewall's interfaces and the
> mail no longer arrives.
> In the fw log I noticed that sendmail was using the address of the
> firewall's external interface as a source address and was therefore dropping
> the packets (rule 0 - spoofing).
> Anti-spoofing on the internal interface was configured with "This net", so
> I created a group containing the Internal network object and a new
> workstation object I created giving it the firewall's external interface IP
> and set this as the "Specific" valid address.
>
> The packets still get dropped on rule 0 - spoofing.
>
> Does the firewall service need to be restarted for spoofing rules to take
> effect?
>
> Is there something else I'm not thinking about?
>
> Thanks!
>
> Michael
>

------------------------------

Date:    Wed, 16 Jan 2002 13:40:30 -0500
From:    Michael Glenn <[email protected]>
Subject: Re: Anti-spoofing and sendmail

I'm sure because the info field says "reason: local interface address
spoofing"


[...]

Why are you sure it's antispoofing related. Rule 0 is FOR ALL IMPLIED RULES
not just antispoofing. Did you check the Info. field of the log to be sure
it's caused by the antispoofing ?

The most common cause of rule 0 reject on my FW-1 is
reason: unknown established TCP packet

the second is:
message SYNDefender warning: SYN -> SYN-ACK -> RST or timeout


At 11:04 2002-01-16, Michael Glenn wrote:
>Hello all,
>
>Some quick questions on anti-spoofing and sendmail.
>
>We were using an IDS script to send e-mail alerts from our firewall (4.1).
>We recently activated anti-spoofing on the firewall's interfaces and the
>mail no longer arrives.
>In the fw log I noticed that sendmail was using the address of the
>firewall's external interface as a source address and was therefore dropping
>the packets (rule 0 - spoofing).
>Anti-spoofing on the internal interface was configured with "This net", so
>I created a group containing the Internal network object and a new
>workstation object I created giving it the firewall's external interface IP
>and set this as the "Specific" valid address.
>
>The packets still get dropped on rule 0 - spoofing.
>
>Does the firewall service need to be restarted for spoofing rules to take
>effect?
>
>Is there something else I'm not thinking about?
>
>Thanks!
>
>Michael
>
[...]
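A small triage helper for the point made above: a rule 0 drop covers all implied rules, so group the rule 0 entries by their reason/message field before chasing the valid-address configuration. This is an added example, not code from the thread or from Check Point; the log lines are constructed in a simple "key: value;" export style (not a real capture) and the function names are mine.

```python
from collections import Counter

# Constructed sample log lines (not a real FW-1 capture) in a simple
# "key: value;" export style: date time action origin interface fields...
# The reasons mirror the ones named in the thread: local interface address
# spoofing, unknown established TCP packet, and the SYNDefender warning.
SAMPLE_LOG = """\
16Jan2002 13:30:01 drop fw1 >hme0 rule: 0; reason: local interface address spoofing; src: 192.0.2.1; dst: 198.51.100.25; proto: tcp; service: smtp
16Jan2002 13:30:02 reject fw1 <hme0 rule: 0; reason: unknown established TCP packet; src: 203.0.113.7; dst: 192.0.2.1; proto: tcp; service: http
16Jan2002 13:30:03 drop fw1 <hme0 rule: 0; message: SYNDefender warning: SYN -> SYN-ACK -> RST or timeout; src: 203.0.113.9; dst: 198.51.100.80; proto: tcp; service: http
16Jan2002 13:30:04 accept fw1 <hme0 rule: 12; src: 203.0.113.10; dst: 198.51.100.80; proto: tcp; service: http
16Jan2002 13:30:05 drop fw1 >hme0 rule: 0; reason: local interface address spoofing; src: 192.0.2.1; dst: 198.51.100.25; proto: tcp; service: smtp
"""


def parse_line(line):
    """Split one log line into header columns plus its 'key: value;' fields."""
    date, time, action, origin, iface, rest = line.split(None, 5)
    rec = {"date": date, "time": time, "action": action,
           "origin": origin, "interface": iface}
    for part in rest.split(";"):
        part = part.strip()
        if not part:
            continue
        # partition on the first ': ' only, so a value such as the SYNDefender
        # message (which itself contains a colon) survives intact
        key, _, value = part.partition(": ")
        rec[key.strip()] = value.strip()
    rec["rule"] = int(rec.get("rule", -1))
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def reason_of(rec):
    """The implied-rule explanation lives in the info field as 'reason:' or 'message:'."""
    return rec.get("reason") or rec.get("message") or "unspecified"


def rule0_by_reason(records):
    """Count rule 0 (implied-rule) drops/rejects by their stated reason."""
    return Counter(reason_of(r) for r in records
                   if r["rule"] == 0 and r["action"] in ("drop", "reject"))


def is_spoofing_drop(rec):
    """True only for rule 0 entries whose reason actually mentions spoofing."""
    return rec["rule"] == 0 and "spoofing" in reason_of(rec).lower()


def spoofing_sources(records):
    """(interface, src) pairs behind the spoofing drops: the addresses whose
    valid-address setting on that interface needs a second look."""
    return sorted({(r["interface"], r["src"]) for r in records if is_spoofing_drop(r)})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for reason, n in rule0_by_reason(recs).most_common():
        print(f"{n:3d}  {reason}")
    print("spoofing sources:", spoofing_sources(recs))
```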

------------------------------

Date:    Wed, 16 Jan 2002 13:35:39 -0500
From:    Aeon Hale <[email protected]>
Subject: Re: Domain Controller

Both the DMZ DC and Radius Server are on Win2k.  I am also willing to
have all my webservers authenticate to the radius server and not setup
the new DC anyway.  Does anybody know if this is possible and maybe some
general pointers on setup?

Thanks to all for the responses.

-----Original Message-----
From: Work [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 12:37 PM
To: [email protected]
Subject: Re: [FW-1] Domain Controller


Aeon,

From my understanding, I think you can make your Radius Server a Win2k
box and have it act as a Domain Controller from the same database/box.  If
you don't want to have everything on one box I think you could have the
Radius box feed off of the Domain Controller.

If I am wrong someone please feel free to straighten me out.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Aeon
> Hale
> Sent: Wednesday, January 16, 2002 11:36 AM
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
>
> Please forgive me for sending the list an "off checkpoint subject" but
> I'm hoping somebody here has run into this situation:
>
> DMZ:
>
> contains numerous webservers.  Our NT guys want to set up a Domain
> Controller on DMZ for centralized authentication.  It will NOT sync
> with internal Domain Controller.
>
> Question:
>
> We currently have a radius server used for authentication (checkpoint
> uses this for user, client, session and securemote).  I would like to
> know if there is a way to have the DMZ domain controller "trust" the
> radius server that way we can cut back on the amount of accounts we
> need to create?
>
> Without the trust between the DMZ Domain controller and radius, each
> user will have to have 3 accounts:  One on Internal DC, one on DMZ DC,
> and one on Radius Server.  We're trying to keep it to a minimum, I'm
> sure you guys can understand.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Aeon Hale
>


------------------------------

Date:    Wed, 16 Jan 2002 10:56:05 -0800
From:    "Hanke, Christian (DC)" <[email protected]>
Subject: Re: SecuRemote through NAT device???

It was, I am embarrassed to admit, the "lost" network I had lurking behind
the scenes which caused the Securemote to fail when behind the Linksys
device. Couldn't have solved it without you guys, so hats off to you all. I
can finally put this miserable experience behind me.

I do have one more problem though. Now, I have a user using Linksys NAT
device with multiple machines behind it. He is able to use Securemote with
no problem from his XP desktop machine. On his W2K laptop, which has a
docking station in the office and is part of our domain, he can't use
SecuRemote from home to access our network. I vaguely remember reading
something about this somewhere but can't for the life of me remember where.
Does this ring a bell with anyone? Any thoughts? Thanks all,

Christian

-----Original Message-----
From: Fowler, Gary [mailto:[email protected]]
Sent: Monday, January 14, 2002 3:15 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

My money is on routing as the issue.

Assuming
(192.168.1.0)--Linksys--Internet--Firewall1--InternalNet(192.168.1.0)--BackEndRouters.
If the NAT'd network is addressed the same/similar as your Internal network,
then you will run into problems.
The servers 'see' the client's real IP(not the Linksys' External IP).

What path does a traceroute, from an internal server, show for the NAT'd
network?

Linksys IPSec pass-through is not relevant, since the IPSec packet is
encapsulated in a UDP packet.
The NAT'd Network, for all intents and purposes, becomes a part of your
internal network.   I recommend the client should have your internal WINS
servers configured.

As a rule, you have to assign each of these linksys (or netgear, or whatever
home/small) routers a Class C, from your internal address space, all its
own.  This rule also helps in tracking misbehaving users.



IP Pool NAT is an evil thing, avoid it if you can.
Make sure NetBIOS_NAT is false in objects.C
And be sure to have a dnsinfo.C configured; everyone should have a
dnsinfo.C.


Gary

-----Original Message-----
From: Stanley Lieberman [mailto:[email protected]]
Sent: Monday, January 07, 2002 1:30 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???


Russell and list,

FWZ is an in-place encryption, which means the packet never changes. When
you have an internal router you are most likely doing NAT, so the packet
leaves the firewall with a non-routable address..
I am only guessing, but you probably just connect to dial-up for
SecuRemote, which means you always have a routable address..
When you use IKE it will wrap the packet in the firewall and send it out
with a routable address;
this is why you must use IKE when dealing with NATing on the client side..

Stanley



"Etts, Russell" wrote:

> Hi there
>
> I was curious - why is IKE better?  For some reason we can only use
FWZ....
> on the client machines, we get an error stating that we cannot use IKE...
>
> Thanks
>
> Russell
>
> PS - Yes, I am new to this...
>


------------------------------

Date:    Wed, 16 Jan 2002 21:15:26 +0200
From:    Eric Appelboom <[email protected]>
Subject: Using Cisco IOS firewall feature set

I am looking at complementing our FW-1's with switches installed with
the Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3
switching so inspection can be done on switches and not on fw nic.
We primarily would like to reduce unnecessary internal to internal
traffic.

We will use the Cisco Policy Manager version 3 which appears to be
similar to the FW-1 GUI and not commandline.

There doesn't appear to be many people using the IOS firewall feature
set and it appears quite apt and manageable.
I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice?
Are there any performance comparisons?

Regards
Eric

*** Disclaimer: The information in this email is confidential and is
intended solely for the addressee(s). Access to this email by anyone
else is unauthorised. If you are not an intended recipient, you must not
read, forward, print, use or disseminate the information contained in
the email. Any representations (contractual or otherwise), views or
opinions presented are solely those of the author and do not necessarily
represent those of the employer or any of its affiliates.

------------------------------

Date:    Thu, 17 Jan 2002 07:08:07 +1100
From:    "Chan, Jack" <[email protected]>
Subject: Opsec Lea events handling

Hello List,

I am new to OPSEC and LEA stuff, with a rusty C++ background.
I am implementing an OPSEC LEA client starting with the downloaded example (ver
4.1.2).
I compiled the LEA example client; it compiled and works, but...

Coming from a functional C++ background, I do not know HOW and WHEN an
event happens, hence I cannot control the flow of the program. Can anyone
kindly explain to me what determines the events being generated and where
the handler gets its parameters?

The sample program flows as follows:

Lea_start_handler
Opsec_mainloop()
Lea_dictionary_handler for 7 times
Lea_record_handler once
Lea_dictionary_handler for 9 times
Lea_record_handler for 3 times
Lea_end_handler.....

Thanks!
Jack

P.s. this is my first time on the list, take it easy if I asked a dumb
question.


------------------------------

Date:    Wed, 16 Jan 2002 13:41:50 -0700
From:    "Michael S. Hobbs" <[email protected]>
Subject: Free S/WAN and VPN-1

Anyone,

        There is a document out on checkpoint's website that supposedly
tells you how to set up Free S/WAN (an open-source ike/vpn client) to
connect to FW-1(VPN-1). Has anyone gotten this to work or knows someone
who has? I get an error in the 1st phase of IKE negotiation.

Michael S. Hobbs
Unicon, Inc.
------------------------------

Date:    Wed, 16 Jan 2002 16:17:28 -0500
From:    Joe Pampel <[email protected]>
Subject: Re: Using Cisco IOS firewall feature set

we run it on our routers as an extra layer of protection, to control traffic
on the LAN and to cut down on traffic that gets logged to IDS, FW, etc. (make
the logs count..)
I think it's just newish and folks are worried about CPU too much? I think
it works well although our loads are not that heavy in general. I've only
run it on 3600 series routers, dunno about switches, sorry!

- Joe

btw - i think it's a great idea. you should do it IMHO (for whatever that's
worth!)

ps: you can use kiwi syslog server to catch the log entries and stuff them
into MSSQL and then run coldfusion queries (or whatever) against that for a
central monitoring website.. just an idea a buddy of mine is using.

>>> Eric Appelboom <[email protected]> 01/16/02 02:15PM >>>
I am looking at complementing our FW-1's with switches installed with
the Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3
switching so inspection can be done on switches and not on fw nic.
We primarily would like to reduce unnecessary internal to internal
traffic.

We will use the Cisco Policy Manager version 3 which appears to be
similar to the FW-1 GUI and not commandline.

There doesn't appear to be many people using the IOS firewall feature
set and it appears quite apt and manageable.
I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice?
Are there any performance comparisons?

Regards
Eric





------------------------------

Date:    Wed, 16 Jan 2002 22:52:47 +0100
From:    Andras DORN <[email protected]>
Subject: Re: AW: [FW-1] Connection lost problem

Many thanks.



Regards:
_____________________________________________________________________
Dorn Andras [email protected], [email protected] Andrew Dorn
Budapesti Muszaki Egyetem Technical University of Budapest
Karman Todor Kollegium Karman Todor Student Hostel
---------------------------------------------------------------------



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Joerg
Fritsch
Sent: Tuesday, January 15, 2002 3:39 PM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Connection lost problem


Hi,

you can increase it in the submenu Policy-->>Properties
TcpSessionTimeOut

--Joerg


-----Original Message-----
From: Andras DORN [mailto:[email protected]]
Sent: Tuesday, January 15, 2002 08:51
To: [email protected]
Subject: [FW-1] Connection lost problem


Hi!

I have a problem with the TCP connection interrupting time.
When I make a TCP connection across my FW1 and the connection
is quiet for more than half an hour, the firewall interrupts it
and I lose the connection. So where can I increase this
default time? Is it possible? My system is FW1 4.1 running
on WinNT 4.0.


Best regards,
_____________________________________________________________________
Dorn Andras [email protected], [email protected] Andrew Dorn
Budapesti Muszaki Egyetem Technical University of Budapest
Karman Todor Kollegium Karman Todor Student Hostel
---------------------------------------------------------------------


------------------------------

Date:    Wed, 16 Jan 2002 16:55:06 -0500
From:    "Einar Petana A." <[email protected]>
Subject: Re: Anti-spoofing and sendmail

Hi:

I have a big problem. I have Checkpoint Firewall-1 on Linux RedHat 7.0 and
the server is going down every time my buffer size memory reaches its
maximum. I rebooted my server and the problem was solved.
The problem is that the buffer size is increasing at an alarming rate and
we don't know why this is happening. Any idea about this?

Server Specifications:
Processor: Pentium III 733 MHz
Memory RAM: 512 MB


Thanks,
Einar

------------------------------

Date:    Wed, 16 Jan 2002 16:34:42 -0600
From:    Richard Collins <[email protected]>
Subject: Re: Securemote with Linksys BEFSR41 router settings (?)

John Tanouye wrote:

> There seems to be a lot of discussion about being able to connect the
> Linksys router with Checkpoint's VPN. With various methods available
> tailored to each setup, it's difficult to know what works for one specific
> setup. What I would like to see are the detailed settings from people who
> got it working.
>
> I am willing to keep an archive of these for people who need it in the
> future. I know six people here at work using DSL/cable with a router, and
> all six have the same Linksys one. This should prove useful to the many
> other Linksys users out there. So how about it? Let's see your setup.
>
> Some of the settings that would be good to share:
>
>         objects.C modifications
>         Checkpoint version and SP
>         Securemote version and SP
>         Incoming/Outgoing ports opened on Firewall
>
>         Linksys firmware revision
>         Linksys port mappings
>         Linksys DHCP/NAT settings
>         MTU value
>         filter settings
>
>         Tips or anything else you found relevant to have a successful
> connection
>
> Thanks everyone,
>
> John
>

John,

I would be very interested in anything you find out.  It's exactly what I'd
like to set up.

Thanks for posting the question, let's hope that someone responds.

Richard Collins
Oak Park Ill.

------------------------------

Date:    Wed, 16 Jan 2002 16:34:37 -0600
From:    "Mehta, Phoram" <[email protected]>
Subject: nokia duplidisk???

this might be a sales question but still, is duplidisk the only and the best
way for disk mirroring on nokia IP440/fw. what other alternatives do we
have?
any pointers on buying duplidisk or other devices (s/w) might also be
helpful.

Phoram Mehta
Trabon Solutions
Network Engineer
Email: [email protected]
Tel: ext. 519



------------------------------

Date:    Wed, 16 Jan 2002 15:41:32 -0800
From:    Anthony Mendoza <[email protected]>
Subject: Re: Securemote with Linksys BEFSR41 router settings (?)

I have this working at home and will post up info tonight.

Richard Collins wrote:

> John Tanouye wrote:
>
>
>
> John,
>
> I would be very interested in anything you find out.  It's exactly what I'd
> like to set up.
>
> Thanks for posting the question, let's hope that someone responds.
>
> Richard Collins
> Oak Park Ill.



--
Anthony Mendoza
IT & Customer Support
[email protected]
------------------------------

Date:    Wed, 16 Jan 2002 20:43:39 -0500
From:    Frank Darden <[email protected]>
Subject: Re: nokia duplidisk???

That's the only supported config. Duplidisk controllers are easy to find.
However, if you put a non-Nokia supplied duplidisk card in your Nokia, you
will void the warranty, and the box will not be supported by Nokia.

Frank


-----Original Message-----
From: Mehta, Phoram [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 5:35 PM
To: [email protected]
Subject: [FW-1] nokia duplidisk???

this might be a sales question but still, is duplidisk the only and the best
way for disk mirroring on nokia IP440/fw. what other alternatives do we
have?
any pointers on buying duplidisk or other devices (s/w) might also be
helpful.

Phoram Mehta
Trabon Solutions
Network Engineer
Email: [email protected]
Tel: ext. 519



------------------------------

Date:    Thu, 17 Jan 2002 13:11:02 +1100
From:    Brendan Laws <[email protected]>
Subject: IPSO + Content Filtering

Hi people,

        Simple question: can anyone recommend any content filtering
software you have/had running on IPSO/FW-1?

Thanks

Brendan




------------------------------

Date:    Wed, 16 Jan 2002 23:19:50 -0400
From:    Bill McSephney <[email protected]>
Subject: FW-1 NG Rule Install slow????

Hi all,

I'm new to this list. I have been through most of the archive, but I have
not been able to find an answer to my problem.


My problem:

I have a Sun Ultra5 running Solaris7 with FW-1 NG HF2 on it.
It is a replacement system for an aging SS2 with FW-1 30b-SP9.

I have built the system up with rules and IP addresses as close as possible to
those on the old SS2, getting it ready to swap the two systems. As of
this evening the rule base (about 20 rules) is taking about 20-30 minutes,
yes, minutes not seconds, to install. I have built up 3 other
systems just like this one for other customers, both new and replacement
systems, in the last 2 months without problems. I can't figure this out;
anyone with some ideas?

----------
Bill McSephney,Senior Systems Analyst
Sbi (Systems Business Integration)
Suite 237, 48 Par-La-Ville Rd. Hamilton, Bermuda  HM 11
Email: [email protected]
Other Email: [email protected]/[email protected]/[email protected]
Personal Web: http://www.bigbill.ca
Office Web: http://www.sbi.bm

------------------------------

Date:    Thu, 17 Jan 2002 06:36:41 +0100
From:    [email protected]
Subject: ISDN-Backup for VPN-Connection

Hi

We have a central FW4.1 (SUN system) and some Nokia boxes (IP440, FW4.1) at
the branch offices. They are connected via a VPN tunnel.
Is it possible to make an ISDN backup for this VPN connection?
Can I do this with a routing protocol?

Does anyone have an idea where I can find any information about this issue?

many thanks
manfred

------------------------------

Date:    Thu, 17 Jan 2002 01:36:23 -0500
From:    Don <[email protected]>
Subject: Re: Using Cisco IOS firewall feature set

> I am looking at complementing our FW-1's with switches installed with
> the Cisco IOS firewall feature set.
>
> I would like to implement this on 6500 switches also using layer 3
> switching so inspection can be done on switches and not on fw nic.
> We primarily would like to reduce unnecessary internal to internal
> traffic.
>
> Has anyone used the IOS firewall in production and can give advice?
I have used both standard access lists and IOS Firewall in production. IOS
Firewall is a lot like PIX-lite. If you need a smaller firewall for a
limited set of reasons, then it may be perfect.

When I have CheckPoint in an environment, I tend to let the firewall act
like a firewall and I reserve access lists and IOS firewall for things
like anti-spoofing, blocking attacks on the router or switch directly, and
limited other uses.

It makes troubleshooting problems a lot easier when you do not need to
figure out which system is causing a problem: your router, your switch or
your firewall.

> Are there any performance comparisons?
It would not be fair to compare performance because the capabilities of
IOS Firewall and PIX or CheckPoint are very different.

-Don

------------------------------

Date:    Thu, 17 Jan 2002 08:57:23 +0200
From:    Mike Glassman - Admin <[email protected]>
Subject: Unable to connect to Citrix via NFuse

Morning all,

We are having a very odd issue here regarding NFuse via a FW.

We set up our Citrix farm (4 servers) and created the NFuse on our IIS
server as per the documentation.

I then set up a WS object for the IIS server with a valid IP address NAT.

We can connect to the NFuse system and run applications fine from inside the
network, and when we access the NAT'd address or the internal address of the
IIS server (Via VPN) via the Internet, all is fine as far as the logon
screen and the application screen.

The moment we try to run an application we get an error stating that "There
is no Citrix Server configured on the specified address".

We have set up the /altaddr parameter and changed the corresponding files to
show this address (the NAT'd address of the IIS server) with no luck at all.

I know this should work, but for the life of me I do not know what else to
do. As far as I can tell, the FW setup is ok, with a rule allowing
pre-defined users to access the Citrix server (IIS NFuse setup) using http.

I also tried allowing any protocol with no luck.

Any ideas at all? Is it something on the FW side?

I'd really appreciate some help on this one.

Thanks,

Mike Glassman
System & Security Admin
Computer & Information Systems
Israeli Airports Authority
Ben-Gurion Airport
http://www.ben-gurion-airport.co.il

Tel : 972-3-9710785
Fax : 972-3-9710939
Email : [email protected]

Usage of this email address or any email address at iaa.gov.il for the
purpose of sales pitches, SPAM or any other such unwanted garbage, is
illegal, and any person, whether corporate or alone doing so, will be
prosecuted to the fullest possible extent.

------------------------------

Date:    Thu, 17 Jan 2002 07:46:08 +0000
From:    =?iso-8859-1?q?jethra=20shah?= <[email protected]>
Subject: Checkpoint FW-1 2000 installation on Windows 2000

Hello gurus,

I have been trying to install Checkpoint 2000
(FW-1/VPN, Meta-IP) on a Windows 2000 server with no
success.

I have encountered the following issues:

- The autorun terminates with suggestion of manual
installation.
- Manual Installation works fine but the problem
comes when installing the FW rulebase. I am getting
the following error:
Standard.W: Security Policy Script generated into
Standard.pf
Standard:
Compiled OK.

Downloading Security Policy
C:\WINNT\FW1\4.1\conf\Standard.pf to localhost(mtz5fw)
Downloading on localhost(mtz5fw) succeeded

Installing Security Policy Standard on all.all@mtz5fw
Using external interface ''
Unable to open '\Device\FW1': The system cannot find
the file specified.
Failed to get interface list: The system cannot find
the file specified.
Has only loopback (lo) interface, aborting...
Failed to Load Security Policy: The system cannot find
the file specified.
Installing Security Policy on localhost(mtz5fw) failed.

Is there a specific build of Checkpoint 2000 for
Windows 2000 server?



Any help will be appreciated


shah



------------------------------

End of FW-1-MAILINGLIST Digest - 15 Jan 2002 to 16 Jan 2002 (#2002-17)
**********************************************************************
