
Re: [FW-1] FW-1-MAILINGLIST Digest - 17 Jan 2002 to 18 Jan 2002 (#2002-19)



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
Automatic digest processor
Sent: January 19, 2002 3:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 17 Jan 2002 to 18 Jan 2002 (#2002-19)


There are 31 messages totalling 1949 lines in this issue.

Topics of the day:

  1. Using Cisco IOS firewall feature set (2)
  2. fw logexport and AT command
  3. Serial Interface on Nokia-440 (2)
  4. Fw-1 and Charlie Appliance (2)
  5. Anyone running Next Generation with Stonebeat full cluster on
     solaris 8 ? (2)
  6. Error FW-1 at firewall: Failed to connect to the WWW s erver & Error
     FW-1 at firewall: Unknown WWW Server
  7. Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1 (2)
  8. Hardening Windows 2000 ( Not windows NT4.0 ) for Firew all1
  9. Error: can not find df type
 10. 4.0 -> 4.1 upgrade (2)
 11. Anyone running Next Generation with Stonebeat full cluster on
     solaris 8 ?
 12. Firewall IP address internal???
 13. ftp problem
 14. Autoreply - Olli Lahteenmaa is out of the office.
 15. How to setup VPN (3)
 16. secure connection via VPN
 17. nokia IP440/fw-backup
 18. <No subject given> (2)
 19. NG FP1 on RedHat 7.2 (4)

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

----------------------------------------------------------------------

Date:    Wed, 16 Jan 2002 21:15:26 +0200
From:    Eric Appelboom <[email protected]>
Subject: Using Cisco IOS firewall feature set

I am looking at complementing our FW-1's with switches installed with
the Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3
switching so inspection can be done on switches and not on fw nic.
We primarily would like to reduce unnecessary internal to internal
traffic.

We will use the Cisco Policy Manager version 3 which appears to be
similar to the FW-1 GUI and not commandline.

There don't appear to be many people using the IOS firewall feature
set and it appears quite apt and manageable.
I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice?
Are there any performance comparisons?

Regards
Eric

------------------------------

Date:    Fri, 18 Jan 2002 10:31:16 +0100
From:    Fini Marco <[email protected]>
Subject: fw logexport and AT command

Hi All,

On an NT 4.0 FW-1 4.1 SP4 I'm using 2 batch files to move and export my log
with the AT command.
The first batch does a fw logswitch every day at 19:30pm and moves the log
file from C:\ to D:\.
The second one (should) do a fw logexport every day at 9:00pm from D:\ to
D:\TXTLOG and rename filelog.log to filelog.txt.

The first batch is working fine, but not the second. In fact, if I run it
manually there is no problem, but with the at command this second
batch doesn't work and in my D:\TXTLOG I can only find an empty file named
CeService.log.

Any input is appreciated.
Thanks

Marco Fini
Banca del Sempione, Via Peri 5, CH-6900 Lugano
Tel +41 91 910 74 42, Fax +41 91 910 74 35
MailTo:[email protected]

------------------------------

Date:    Fri, 18 Jan 2002 10:49:48 -0000
From:    Ramesh G Gaikwad <[email protected]>
Subject: Serial Interface on Nokia-440

Dear All,

I am facing a problem installing a v.35 serial interface in a Nokia-440. I
have configured the serial interface on the Nokia as given in the Voyager
Reference Guide for the option of Internal clock Off, as I am taking clock
from the CISCO router. After configuring, it is not able to communicate with
the CISCO router at the other end. My connectivity is as follows.

I have a Nokia-440 with a serial interface and v.35 cable. The v.35 end of
the cable is connected to a DCE cable which is connected to the Cisco
router. The serial interface of the router is configured for a clock rate of
64k. I am also matching the keepalive rate on both devices, i.e. Nokia and
router. One point I would like to tell you is that after installing the
serial interface I upgraded IPSO from 3.4 to 3.4.2 because I want to install
Checkpoint NG on it.

Can somebody help me to sort out this problem?

Thanks and Regards,

Ramesh

------------------------------

Date:    Fri, 18 Jan 2002 12:33:40 +0100
From:    "Steck, Steffen M." <[email protected]>
Subject: Fw-1 and Charlie Appliance

Hi,
there is a (German?) OPSEC partner Pyramid www.pryramid.de offering an
appliance for FW-1 called Charlie. It seems to be similar to Nokia or
Intrusion.
Does anybody have some good information on it and maybe even experience
with it?
I am currently working on Sun and Nokias, but some other site needs a
*cheap* solution, so I thought of the Charlie box with FW-1.
The FW-1 module is already here, I am only looking for the base... Maybe
somebody has any other idea...
Thx in advance and a nice weekend
Steffen

------------------------------

Date:    Fri, 18 Jan 2002 13:53:54 +0200
From:    andrevs <[email protected]>
Subject: Anyone running Next Generation with Stonebeat full cluster on
         solaris 8 ?


------------------------------

Date:    Fri, 18 Jan 2002 13:57:03 +0100
From:    Volker Tanger <[email protected]>
Subject: Re: Fw-1 and Charlie Appliance

Greetings!

Steck, Steffen M. wrote:

> there is a (German?) OPSEC partner Pyramid www.pryramid.de offering an
> appliance for FW-1 called Charlie. It seems to be similar like Nokia or
> Intrusion.


Yes, German company (located in Freiburg). Excellent service - you can
directly talk to knowledgeable techies/developers.

Charlies basically are industrial PCs with a custom RedHat Linux install
and FW1 with current patches and hotfixes installed.

Choose the XL model as the "normal" box seemed to be a bit unstable
(mechanically that is - NIC cards not fixated) to me. Pyramid's rack
appliances usually are rock-solid: very clean build, sometimes even
kinda overdone. Software installation was heavily stripped down as it
should be for a firewall and very clean - maybe even a bit too clean as
some non-essential but useful tools are missing. But better this way
than the other way round as installing is easier than removing.


> Has anybody some good information on it and maybe even experiences?


Just contact Pyramid (+49-761-4514-721, Alexander Dahn), ask for a test
drive (usually no problem and fast) and see for yourself.

Bye

        Volker

--

Volker Tanger  <[email protected]>
  Wrangelstr. 100, 10997 Berlin, Germany
     DiSCON GmbH - Internet Solutions
          http://www.discon.de/

------------------------------

Date:    Fri, 18 Jan 2002 08:11:13 -0500
From:    Layne Meier <[email protected]>
Subject: Re: Anyone running Next Generation with Stonebeat full cluster on
         solaris 8 ?

I'm in the process of installing it.  A lot more difficult to install
and understand the manual over the StoneBeat HA product.

Also running Solaris 8 in 64 Bit mode.  Be sure to install FW-1/VPN-1
FP1 and download the StoneBeat HotFix for FullCluster.

Best regards,
Layne Meier
Atlanta Newspapers, Inc.


On Friday, January 18, 2002, at 06:53 AM, andrevs wrote:


------------------------------

Date:    Fri, 18 Jan 2002 15:13:23 +0200
From:    "Chontzopoulos, Dimitris" <[email protected]>
Subject: Re: Error FW-1 at firewall: Failed to connect to the WWW s erver &
         Error FW-1 at firewall: Unknown WWW Server


Thank you very much for your response but I think that this is not my case.
The URL type(d) is always correct, the FW doesn't have M$ DNS server
installed or other DNS Server program or caching, the FW is configured to
use DNS Name Resolution (and it works like a charm), the web site(s) we are
trying to visit do not time out. Furthermore there is no BIND timeout in
Policy -> Properties, Resolving Tab (to be exact there is no such thing as
Resolving TAB inside Policy, Properties). Is there any other way around this
problem? The FW is FW-1 4.1 CP2000 SP3 on M$ NT 4.0 SRV SP6a. Thank you.
There is also a number of HTTP, FTP Resources (These are used for Nimda
in-out, forbidden downloads, ftp access for specific PC's to specific IP
Addresses).

-----Original Message-----
From: Cantwell, Steve [mailto:[email protected]]
Sent: Thursday, January 17, 2002 8:32 PM
To: '[email protected]'
Subject:




I am using the HTTP Security Server to filter and track web content. When I
try to access a particular web site, I get a web page with the following
error message:

fw-1 at (firewallname): unknown www server
What does this error message mean and how can I fix it?
A:
This could mean a couple of different things:


*       The URL typed was not correct.

*       The firewall is not configured to use DNS for name resolution. When
using the HTTP Security Server, using DNS for name resolution is required.

*       When FireWall-1 attempted to look up the site in question, it timed
out.

There are a couple of ways to address this problem:


*       Turn off any Name Service Caching software. nscd is a known problem
on Solaris 2.5.1 installations. If this process is running, kill it, remove
/etc/rc2.d/S76nscd (where it is usually started from) and reboot.

*       Increase the BIND timeout in Policy->Properties, Resolving tab.
Re-install the security policy





------------------------------

Date:    Fri, 18 Jan 2002 08:44:57 -0500
From:    Joe Matusiewicz <[email protected]>
Subject: Re: Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1

The NSA has been working on this ever since Win2K came out and has released
a boatload of guides on how to harden Win2K.  You can find them at:

http://nsa1.www.conxion.com/win2k/download.htm

I eagerly await the out of office replies ;)


-- Joe

At 05:50 PM 1/17/02, [email protected] wrote:
>I am looking for some detailed documents on hardening "windows 2000"  for
>checkpoint Firewall. I know there are some available for Windows NT 4.0.
>but not for 2000. Can anyone help me find out?
>
>Thanks,
>-dev
>
><><><><><><><><><><><><><><><>
>   K.R.Devarajan
>   CrossAccess Corporation
>   2900, Gordon Avenue, Suite 100
>   Santa Clara, CA 95051
>   http://www.crossaccess.com
>   Ph:><><><><><><><><><><><><><><><>
>

------------------------------

Date:    Fri, 18 Jan 2002 09:00:55 -0500
From:    "Zeltser, Roman" <[email protected]>
Subject: Re: Hardening Windows 2000 ( Not windows NT4.0 ) for Firew all1

Dev, look in this index

http://www.rtek2000.com/Tech/InternetSecureLinks.html#hard

**********************************
Roman Zeltser,
@National Computer Center,
RSIS & DNE



-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, January 17, 2002 5:50 PM
To: [email protected]
Subject: [FW-1] Hardening Windows 2000 ( Not windows NT4.0 ) for
Firewall1


I am looking for some detailed documents on hardening "windows 2000"  for
checkpoint Firewall. I know there are some available for Windows NT 4.0.
but not for 2000. Can anyone help me find out?

Thanks,
-dev

<><><><><><><><><><><><><><><>
  K.R.Devarajan
  CrossAccess Corporation
  2900, Gordon Avenue, Suite 100
  Santa Clara, CA 95051
  http://www.crossaccess.com
  Ph:<><><><><><><><><><><><><><><>


------------------------------

Date:    Fri, 18 Jan 2002 09:29:44 -0500
From:    Edmundo Farinas <[email protected]>
Subject: Re: Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1

        Check out the SANS store http://www.sansstore.org/ for general
recommendations


        Edmundo

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of
[email protected]
Sent: Thursday, January 17, 2002 5:50 PM
To: [email protected]
Subject: [FW-1] Hardening Windows 2000 ( Not windows NT4.0 ) for
Firewall1


I am looking for some detailed documents on hardening "windows 2000"  for
checkpoint Firewall. I know there are some available for Windows NT 4.0.
but not for 2000. Can anyone help me find out?

Thanks,
-dev

<><><><><><><><><><><><><><><>
  K.R.Devarajan
  CrossAccess Corporation
  2900, Gordon Avenue, Suite 100
  Santa Clara, CA 95051
  http://www.crossaccess.com
  Ph:<><><><><><><><><><><><><><><>


------------------------------

Date:    Fri, 18 Jan 2002 09:57:17 -0500
From:    Alexey Vitashkevich <[email protected]>
Subject: Error: can not find df type

Hi. I have two NG firewalls on Solaris 8 with Rainwall installed in HA/LB
mode.
Each time I install policies I get this message:
Error: can not get df type.
Everything seems to be working fine , but it keeps bothering me ...
Any ideas?

Alexey Vitashkevich <mailto:[email protected]>
Security Consultant. MSCE, CNE, CCSE
Nextgen Internet
tel  :ext. 107
cell :<http://www.nextgeninter.net> www.nextgeninter.net






------------------------------

Date:    Fri, 18 Jan 2002 16:08:57 +0100
From:    Petra Klein <[email protected]>
Subject: 4.0 -> 4.1 upgrade

Hi everyone!

Can I go from FW-1 4.0 SP-5 to FW-1 4.1 SP-3?
I have a Nokia VPN210 IPSO 3.2.1

Best Regards
Petra

------------------------------

Date:    Fri, 18 Jan 2002 16:44:13 +0100
From:    Matthias Grund <[email protected]>
Subject: Re: Anyone running Next Generation with Stonebeat full cluster on
         solaris 8 ?

Hi,

at the moment Stonebeat Fullcluster isn't certified for NG FP1.

I've got two clusters in the installation phase and
as far as I can tell:

      - It seems to work in 32 bit mode

      - In 64 bit mode the system crashes as soon as the first
        IKE packet appears on my E220Rs

      - Gigaswift cards with VLAN tagging don't support VPN,
        Stonebeat heartbeat or Checkpoint State Sync

Regards,
      Matthias


--
nor|dac Rechenzentrumsgesellschaft mbH, D-23542 Lübeck
Phone: +49 (4 51) 8 82 - 15 00 / Fax: - 7 15 00
[email protected]

------------------------------

Date:    Fri, 18 Jan 2002 11:25:09 -0500
From:    Don <[email protected]>
Subject: Re: Serial Interface on Nokia-440

> I am facing problem in installing v.35 serial interface in Nokia-440. I
> have configured the serial interface on Nokia as per given in the
> Voyager Reference Guide for the option of Internal clock Off as I am
> taking clock from CISCO router. After configuring it is not able to
> communicate with the CISCO router at other end. My connectivity is as
> follows.
>
> I have Nokia-440 having serial interface with v.35 cable. The v.35 end
> of the cable is connected to a DCE cable which is connected to the
> cisco router. The Serial interface of the router is configured for clock
> rate of 64k. I am also matching the keepalive rate on both devices,
> i.e. Nokia and router. One point I would like to tell you is that after
> installing serial interface I have upgraded IPSO from 3.4 to 3.4.2
> because I want to install the Checkpoint NG on it.
Don't you need a serial crossover cable for this?

-Don

------------------------------

Date:    Fri, 18 Jan 2002 11:08:10 -0500
From:    "Hawkins, Michael" <[email protected]>
Subject: Firewall IP address internal???

Hi friends,

We are running two Nokia's IPSO 3.2.1-fcs1. FW-1 4.1 SP2.

Yes, we will be upgrading IPSO and FW-1 to the latest SP's soon.

My question is with regard to the way our firewalls were set up.

Our management workstation has an internal IP address. And both of our
firewalls are defined in the rulebase as objects with INTERNAL IP addresses.

If I am using IPSec only for VPN's and never use SKIP or FWZ, is there any
reason why I should change the objects to use external IP's???

If I do change the IP's to external, will I have any problems in using the
internal management workstation when pushing policies to the firewalls? I
once worked with a company that had two Sun boxes with 4.0 and they had
external addresses. Every time we pushed a policy, the connection broke. The
firewalls were defined as objects with external addresses.

I have Dameon's Essential Check Point book and he states early on that you
should use an Internet routable address for the firewall objects. The book
doesn't explain why this is his suggestion. And I am wondering whether I
should go through the reconfiguration or not.

Thanks for your help in advance,

Mike Hawkins


------------------------------

Date:    Fri, 18 Jan 2002 10:00:09 -0600
From:    Randy Allen <[email protected]>
Subject: Re: ftp problem

I tried it with both DOS-FTP and WS-FTP and got a login request.  You may
have to allow some high tcp ports outbound to get this to work.  I had to do
this recently to enable connection to a secure ftp server.  I am running
FW-1 4.1 SP3 on NT 4, SP6a.

-----Original Message-----
From: Yim Lee [mailto:[email protected]]
Sent: Thursday, January 17, 2002 5:06 PM
To: [email protected]
Subject: [FW-1] ftp problem

Trying to ftp to 63.150.174.37.  My fw is on Solaris
2.6 running CheckPoint 4.1 SP5.  I have a rule that
allows the ftp traffic and the log indicates that it
is accepted.  I snoop the traffic.

xxx.xxx.xxx.xxx -> 63.150.174.37 FTP C port=48813
63.150.174.37 -> xxx.xxx.xxx.xxx FTP R port=48813
xxx.xxx.xxx.xxx -> 63.150.174.37 FTP C port=48813
63.150.174.37 -> xxx.xxx.xxx.xxx FTP R port=48813 220
xxx.xxx.xxx.xxx -> 63.150.174.37 FTP C port=48813

I tried this site from NetZero and it works.  It is
some kind of WS_FTP Server 1.0.5.  Any thoughts.  Can
some of you try to access this site running CheckPoint
fw and get back to me?  If you get the login prompt,
you have connected.

Thanks,

Yim



------------------------------

Date:    Fri, 18 Jan 2002 18:11:48 +0200
From:    Olli Lahteenmaa <[email protected]>
Subject: Autoreply - Olli Lahteenmaa is out of the office.

I will be out of the office starting  2002-01-18 and will not return until
2002-01-24.


I have a limited access to my email, so I will respond to your message when
I return. I'm not available by phone either.

In urgent matters, please contact Mr. Klas Anfält
<[email protected]> GSM +46-709-394822 or Mr. James Whelan
<[email protected]> GSM +358-40-5831262 at our Helsinki office
(switchboard number +358-9-476711).

Cheers, =Olli=

------------------------------

Date:    Fri, 18 Jan 2002 08:55:33 -0800
From:    Kennie Miller <[email protected]>
Subject: How to setup VPN

Hello All,

We have a FW-1VPN Gateway and currently we are just using it as firewall for
our webserver and internal network. The webserver is on DMZ and we are using
NATing. Now we want to setup a VPN for mobile users to access the internal
Windows NT 4 network from home or while traveling. Can someone guide me
here what are the basic steps to setup the VPN. Particularly what we need to
do to pass the VPN traffic to internal domain controller without
compromising security etc.
Do we need any other software? I think we can use secure-client on
workstations for connecting but do we need anything else?
Are there any good books that someone can recommend for VPN, specially
anything specifically for VPN using checkpoint?
Your help will be greatly appreciated.

Kennie

------------------------------

Date:    Fri, 18 Jan 2002 18:07:06 +0100
From:    Jonas Thambert <[email protected]>
Subject: Re: 4.0 -> 4.1 upgrade

Hi Petra!

Yes, you can upgrade from 4.0 SP3 and later to 4.1 SP3.

/Jonas

-----Original Message-----
From: Petra Klein [mailto:[email protected]]
Sent: den 18 januari 2002 16:09
To: [email protected]
Subject: [FW-1] 4.0 -> 4.1 upgrade


Hi everyone!

Can I go from FW-1 4.0 SP-5 to FW-1 4.1 SP-3?
I have a Nokia VPN210 IPSO 3.2.1

Best Regards
Petra

------------------------------

Date:    Fri, 18 Jan 2002 12:24:33 -0500
From:    "Hawkins, Michael" <[email protected]>
Subject: Re: Using Cisco IOS firewall feature set

I have used Cisco Firewall IOS on many platforms but to my knowledge you
can't implement it on the 6500 platform without disabling fast switching
which REALLY hoses the speed of the 6500.

You are better off using a NAM and IDS to monitor your traffic OR use a 7200
or 3600 to run edge routing services. If you're looking for Chinese walls
inside your network use VLANs on the 6500.

But IOS FW feature set is more for edge router situations.

Mike Hawkins

-----Original Message-----
From: Eric Appelboom [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 2:15 PM
To: [email protected]
Subject: [FW-1] Using Cisco IOS firewall feature set


I am looking at complementing our FW-1's with switches installed with the
Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3 switching
so inspection can be done on switches and not on fw nic.
We primarily would like to reduce unnecessary internal to internal traffic.

We will use the Cisco Policy Manager version 3 which appears to be similar
to the FW-1 GUI and not commandline.

There doesn't appear to be many people using the IOS firewall feature set
and it appears quite apt and manageable.
I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice?
Are there any performance comparisons?

Regards
Eric







------------------------------

Date:    Fri, 18 Jan 2002 09:59:47 -0800
From:    Resit Aksen <[email protected]>
Subject: secure connection via VPN

Hi,

first of all sorry for newbie question. but i was
confused a little bit about secure remote conn.

1- i want to set up secure communication between my
home PC and my office net. So what do i need to get
it?  do i need to install secureclient program on my
home PC or what?

2- How can i set up VPN between my CP and ISP's CP?

Thank you for your help..

Resit Ax.

------------------------------

Date:    Fri, 18 Jan 2002 12:10:42 -0600
From:    "Mehta, Phoram" <[email protected]>
Subject: nokia IP440/fw-backup

I am exploring my options for disk backup/mirroring for IP440/fw and would
like to know some of your guru's personal experiences with the following
options i have at my disposal in case the hard disk crashes.

1. Duplidisk: expensive and not recommended?
2. VRRP: expensive again but sounds promising?
3. backup everything regularly and wait for nokia to ship a new drive(24hrs
i guess). don't know how difficult is this?
4. install a new hard drive on nokia IP440/fw and backup regularly. sounds
doable but at the cost of losing the warranty?

all kinds of suggestions and ideas are welcome!

Phoram Mehta
Trabon Solutions
Network Engineer
Email:[email protected]
Tel:ext: 519


------------------------------

Date:    Fri, 18 Jan 2002 11:29:28 -0800
From:    [email protected]
Subject: <No subject given>

Hi all,
        I recently downgraded NG to 4.1 SP5 running on NT4 SP6a.  I am now
getting this error message "Chunked Transfer-Encoding is not allowed,
resource http:....."
Any help will greatly be appreciated. Thanks

------------------------------

Date:    Fri, 18 Jan 2002 15:20:27 -0500
From:    Simon Desmeules <[email protected]>
Subject: <No subject given>

You may want to try this fix:
To allow chunked data through the FireWall:
1. Close the GUI and stop the FireWall (fwstop)
2. Modify the $FWDIR/conf/objects.C file as follows:
3. Under the :props section add the lines:

:http_cvp_allow_chunked (true)
:http_ing_allow_chunked (true)
:http_block_java_allow_chunked (true)
:http_allow_ranges (true)

4. Save the objects.C and start the firewall.
5. Test and let me know.


Simon.
[email protected]


----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Friday, January 18, 2002 2:29 PM
Subject: [FW-1]


> Hi all,
>         I recently downgraded NG to 4.1 SP5 running on NT4 SP6a.  I am now
> getting this error message "Chunked Transfer-Encoding is not allowed,
> resource http:....."
> Any help will greatly be appreciated. Thanks
>
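
Steps 2 to 4 of the fix above can be applied to a copy of objects.C with a short script, so the edit is repeatable and the changed properties are reported for the change record. This is an added example, not part of Simon's post or Check Point tooling; the four property names come from the post, while the function names, the tab indentation and the sample file contents are assumptions constructed for illustration.

```python
import re

# Property names exactly as listed in the post; everything else is assumed.
CHUNKED_PROPS = (
    "http_cvp_allow_chunked",
    "http_ing_allow_chunked",
    "http_block_java_allow_chunked",
    "http_allow_ranges",
)

# Constructed sample in the nested ":name (value)" style of objects.C.
SAMPLE_OBJECTS_C = (
    "(\n"
    "\t:props (\n"
    "\t\t:http_allow_ranges (false)\n"
    "\t\t:example_note (\"kept as-is (constructed)\")\n"
    "\t)\n"
    "\t:netobj (\n"
    "\t\t: (fw-example\n"
    "\t\t\t:type (gateway)\n"
    "\t\t)\n"
    "\t)\n"
    ")\n"
)


def props_span(text):
    """Return (start, end) offsets of the body of the ':props (' section."""
    m = re.search(r"^[ \t]*:props \(", text, re.MULTILINE)
    if m is None:
        raise ValueError("no :props section found")
    depth, in_quotes, i = 1, False, m.end()
    while i < len(text):
        ch = text[i]
        if ch == '"':
            in_quotes = not in_quotes      # parentheses inside strings do not nest
        elif not in_quotes and ch == "(":
            depth += 1
        elif not in_quotes and ch == ")":
            depth -= 1
            if depth == 0:
                return m.end(), i
        i += 1
    raise ValueError("unbalanced parentheses in :props section")


def _line_pattern(name):
    # One ':name (value)' entry on its own line; tolerates CRLF line endings.
    return re.compile(
        r"^([ \t]*):%s \(([^()]*)\)[ \t]*(?=\r?$)" % re.escape(name),
        re.MULTILINE,
    )


def read_props(text):
    """Map each property from the post to its current value, or None if absent."""
    start, end = props_span(text)
    body = text[start:end]
    found = {}
    for name in CHUNKED_PROPS:
        m = _line_pattern(name).search(body)
        found[name] = m.group(2).strip() if m else None
    return found


def enable_chunked(text):
    """Return (new_text, changed_names) with all four properties set to (true)."""
    start, end = props_span(text)
    body = text[start:end]
    newline = "\r\n" if "\r\n" in text else "\n"
    changed = []
    for name in CHUNKED_PROPS:
        m = _line_pattern(name).search(body)
        if m is None:
            # Absent: add it as the first entry of the section.
            body = "%s\t\t:%s (true)" % (newline, name) + body
            changed.append(name)
        elif m.group(2).strip() != "true":
            # Present with another value: rewrite that line in place.
            body = (body[:m.start()] + "%s:%s (true)" % (m.group(1), name)
                    + body[m.end():])
            changed.append(name)
    return text[:start] + body + text[end:], changed


if __name__ == "__main__":
    print("before:", read_props(SAMPLE_OBJECTS_C))
    patched, changed = enable_chunked(SAMPLE_OBJECTS_C)
    print("changed:", changed)
    print(patched)
```

Run it against a backup copy of objects.C while the firewall is stopped, as in step 1, and keep the list of changed properties with the original file.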

------------------------------

Date:    Thu, 17 Jan 2002 18:18:40 +0700
From:    Yusri Amsal <[email protected]>
Subject: NG FP1 on RedHat 7.2

Dear Lists,

I install Firewall and FloodGate NG FP1 on RH 7.2 with stand-alone machine.
External Interface IP  was 202.152.5.201
Internal Interface IP was 10.250.1.1
Gui-client assigned was 10.250.1.23
All installation steps already done, after reboot I try first time
connection to 202.152.5.201 from my laptop (win2k pro) but always get
response "Authentication to 202.152.5.201 failed".

I check my RH 7.2 and then run manually # cpstop
the response was :
=================================================
Stop  fg-1
etmstop: ETM kernel module is not loaded
FloodGate-1 stopped
Stop  fw-1
FW: stopping VPN-1 module -- OK
FireWall-1: disabling IP forwarding
FireWall-1: FW-1 kernel module is not loaded
Stop  cpshared
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
=================================================
And then # cpstart
the response was :
=================================================
Start  cpshared
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
Start  fw-1
FireWall-1: fw1 module not loaded! please reboot or run with -driver
Start  fg-1
FloodGate-1: fwd is not running - run cpstart
FloodGate-1: Did not start successfully
=================================================

I try to connect again but there is no response too.
Please, could you give me clue to solve this problem ?

regards,

Yusri Amsal

Schlumberger Network Solutions
Sentra Mulia Building Fl. 15 Suite 1501
Jl. H.R. Rasuna Said Kav X-6 No. 8
Jakarta 12940
Phone: +62 21 522 7282
Fax.: +62 21 522 7292
Email: [email protected]
http://www.slb.com/sns/

------------------------------

Date:    Fri, 18 Jan 2002 13:15:05 -0800
From:    Chris H <[email protected]>
Subject: Re: How to setup VPN

Call your FW1 vendor and ask for SecuRemote licenses.
Then apply the license.  Then read the docs for
setting up SecuRemote.

Chris
--- Kennie Miller <[email protected]> wrote:
> Hello All,
>
> We have a FW-1VPN Gateway and currently we are just
> using it as firewall for
> our webserver and internal network. The webserver is
> on DMZ and we are using
> NATing. Now we want to setup a  VPN for mobile users
> to access the internal
> Windows NT 4 network from home or while traveling.
> Can someone guide me
> here what are the basic steps to setup the VPN.
> Particularly what we need to
> do to pass the VPN traffic to internal domain
> controller without
> compromising security etc.
> Do we need any other software? I think we can use
> secure-client on
> workstations for connecting but do we need anything
> else?
> Are there any good books that someone can recommend
> for VPN, specially
> anything specifically for VPN using checkpoint?
> your help will be greatly appreciated.
>
> Kennie

------------------------------

Date:    Fri, 18 Jan 2002 17:02:05 -0500
From:    Alexey Vitashkevich <[email protected]>
Subject: Re: NG FP1 on RedHat 7.2

See if you have in the /etc/hosts file lines for your external ip versus
hostname .....
It might help

Alexey Vitashkevich
Security Consultant. MSCE, CNE, CCSE
Nextgen Internet
tel  :ext. 107
cell :www.nextgeninter.net




-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Yusri
Amsal
Sent: Thursday, January 17, 2002 6:19 AM
To: [email protected]
Subject: [FW-1] NG FP1 on RedHat 7.2

Dear Lists,

I install Firewall and FloodGate NG FP1 on RH 7.2 with stand-alone
machine.
External Interface IP  was 202.152.5.201
Internal Interface IP was 10.250.1.1
Gui-client assigned was 10.250.1.23
All installation steps already done, after reboot I try first time
connection to 202.152.5.201 from my laptop (win2k pro) but always get
response "Authentication to 202.152.5.201 failed".

I check my RH 7.2 and then run manually # cpstop
the response was :
=================================================
Stop  fg-1
etmstop: ETM kernel module is not loaded
FloodGate-1 stopped
Stop  fw-1
FW: stopping VPN-1 module -- OK
FireWall-1: disabling IP forwarding
FireWall-1: FW-1 kernel module is not loaded
Stop  cpshared
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
=================================================
And then # cpstart
the response was :
=================================================
Start  cpshared
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
Start  fw-1
FireWall-1: fw1 module not loaded! please reboot or run with -driver
Start  fg-1
FloodGate-1: fwd is not running - run cpstart
FloodGate-1: Did not start successfully
=================================================

I try to connect again but there is no response too.
Please, could you give me clue to solve this problem ?

regards,

Yusri Amsal

Schlumberger Network Solutions
Sentra Mulia Building Fl. 15 Suite 1501
Jl. H.R. Rasuna Said Kav X-6 No. 8
Jakarta 12940
Phone: +62 21 522 7282
Fax.: +62 21 522 7292
Email: [email protected]
http://www.slb.com/sns/

------------------------------

Date:    Fri, 18 Jan 2002 17:15:45 -0500
From:    Joe Pampel <[email protected]>
Subject: Re: How to setup VPN

my 2 cents:

1. buy phoneboy's book "essential firewall-1" read it a couple times. lots
of stuff in there!
2. talk to your reseller to get remote VPN license (I think it's separate
from basic VPN?)
3. If budget will allow, use secure-client ($99/user or so) allows you to
push policy out to user PC. Secure remote is free but does not push policy
to remote host. bad. do you really want them surfing 'naked' while logged
into your VPN? I didn't think so. :-p
4. see phoneboy.com FAQ on NT networking over a VPN and the list archives
for this list and the fw1wizards list. Lots of mat'l on domain/browsing
network etc.

Actually the basic setup is pretty easy. Try to get FWZ working first, then
move to IKE once you've got it going.

- Joe

>>> Chris H <[email protected]> 01/18/02 04:15PM >>>
Call your FW1 vendor and ask for SecuRemote licenses.
Then apply the license.  Then read the docs for
setting up SecuRemote.

Chris
--- Kennie Miller <[email protected]> wrote:
> Hello All,
>
> We have a FW-1VPN Gateway and currently we are just
> using it as firewall for
> our webserver and internal network. The webserver is
> on DMZ and we are using
> NATing. Now we want to setup a  VPN for mobile users
> to access the internal
> Windows NT 4 network from home or while traveling.
> Can someone guide me
> here what are the basic steps to setup the VPN.
> Particularly what we need to
> do to pass the VPN traffic to internal domain
> controller without
> compromising security etc.
> Do we need any other software? I think we can use
> secure-client on
> workstations for connecting but do we need anything
> else?
> Are there any good books that someone can recommend
> for VPN, specially
> anything specifically for VPN using checkpoint?
> your help will be greatly appreciated.
>
> Kennie

------------------------------

Date:    Fri, 18 Jan 2002 14:10:23 -0800
From:    Frank <[email protected]>
Subject: Re: NG FP1 on RedHat 7.2

As far as I know, NG does not run on RedHat 7.2.

You'll need to use RedHat 6.2 or 7.0; these have worked for me.

Frank Keeney



On Thu, 17 Jan 2002, Yusri Amsal wrote:

> I install Firewall and FloodGate NG FP1 on RH 7.2 with stand-alone machine.

------------------------------

Date:    Sat, 19 Jan 2002 00:12:55 +0000
From:    Steve <[email protected]>
Subject: Re: NG FP1 on RedHat 7.2

Frank wrote:
>
> As far as I know, NG does not run on RedHat 7.2.

Yes, it does according to :-
http://www.checkpoint.com/products/security/firewall-1_sysreq.html

Certainly I'm having no problems running NG FP1 under RedHat 7.2
(stonebeat 3.0 Fullcluster even seems to work with the limited testing
I've given it).

Yusri - Have a look in /var/log/messages to see if there are any relevant
error messages. Also type the command "dmesg" and see if any relevant
info is in there.

I presume you have upgraded the Kernel to 2.4.13-9 ?

Steve.

------------------------------

End of FW-1-MAILINGLIST Digest - 17 Jan 2002 to 18 Jan 2002 (#2002-19)
**********************************************************************

   All contents © 2004 Network Presence, LLC. All rights reserved.