Re: [FW-1] FW-1-MAILINGLIST Digest - 17 Jan 2002 to 18 Jan 2002 (#2002-19)
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Automatic digest processor
Sent: January 19, 2002 3:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 17 Jan 2002 to 18 Jan 2002 (#2002-19)

There are 31 messages totalling 1949 lines in this issue.

Topics of the day:

  1. Using Cisco IOS firewall feature set (2)
  2. fw logexport and AT command
  3. Serial Interface on Nokia-440 (2)
  4. Fw-1 and Charlie Appliance (2)
  5. Anyone running Next Generation with Stonebeat full cluster on solaris 8 ? (2)
  6. Error FW-1 at firewall: Failed to connect to the WWW s erver & Error FW-1 at firewall: Unknown WWW Server
  7. Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1 (2)
  8. Hardening Windows 2000 ( Not windows NT4.0 ) for Firew all1
  9. Error: can not find df type
 10. 4.0 -> 4.1 upgrade (2)
 11. Anyone running Next Generation with Stonebeat full cluster on solaris 8 ?
 12. Firewall IP address internal???
 13. ftp problem
 14. Autoreply - Olli Lahteenmaa is out of the office.
 15. How to setup VPN (3)
 16. secure connection via VPN
 17. nokia IP440/fw-backup
 18. <No subject given> (2)
 19. NG FP1 on RedHat 7.2 (4)

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

----------------------------------------------------------------------

Date: Wed, 16 Jan 2002 21:15:26 +0200
From: Eric Appelboom <[email protected]>
Subject: Using Cisco IOS firewall feature set

I am looking at complementing our FW-1's with switches installed with the Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3 switching so inspection can be done on switches and not on fw nic. We primarily would like to reduce unnecessary internal to internal traffic.

We will use the Cisco Policy Manager version 3 which appears to be similar to the FW-1 GUI and not commandline.

There doesn't appear to be many people using the IOS firewall feature set and it appears quite apt and manageable. I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice? Are there any performance comparisons?

Regards
Eric

*** Disclaimer: The information in this email is confidential and is intended solely for the addressee(s). Access to this email by anyone else is unauthorised. If you are not an intended recipient, you must not read, forward, print, use or disseminate the information contained in the email.
Any representations (contractual or otherwise), views or opinions presented are solely those of the author and do not necessarily represent those of the employer or any of its affiliates.

_______________________________________________
Firewalls mailing list
[email protected]
http://lists.gnac.net/mailman/listinfo/firewalls

------------------------------

Date: Fri, 18 Jan 2002 10:31:16 +0100
From: Fini Marco <[email protected]>
Subject: fw logexport and AT command

Hi All,

On a NT 4.0 FW-1 4.1 SP4 I'm using 2 batch to move and export my Log with the AT command.

The first batch do every day at 19:30pm a fw logswitch and move log file from C:\ to D:\.

The second one (should) do every day at 9:00pm a fw logexport from D:\ to D:\TXTLOG and a renaming of filelog.log in filelog.txt.

The first batch is working fine, not the same for the second. In fact if I'm running it manually no problem, but with the at command this second batch doesn't work and in my D:\TXTLOG I can only find an empty file named CeService.log.

Any input is appreciated.

Thanks

Marco Fini
Banca del Sempione, Via Peri 5, CH-6900 Lugano
Tel +41 91 910 74 42, Fax +41 91 910 74 35
MailTo:[email protected]
****************************************************************************
This message and any attachments (hereafter the message) is intended solely for the addressees and is confidential. If you receive this message by mistake, please delete it and immediately notify the sender. Any use of the message not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited. The electronical messages cannot offer all safety guarantees. Banca del Sempione shall not assume any liability in this regard and in particular, but not exclusively, for any interception, alteration or for virus propagation.
****************************************************************************
** eSafe scanned this email for viruses, vandals and malicious content **
****************************************************************************

------------------------------

Date: Fri, 18 Jan 2002 10:49:48 -0000
From: Ramesh G Gaikwad <[email protected]>
Subject: Serial Interface on Nokia-440

Dear All,

I am facing problem in installing v.35 serial interface in Nokia-440. I have configured the serial interface on Nokia as per given in the Voyager Reference Guide for the option of Internal clock Off as I am taking clock from CISCO router. After configuring It is not able to communicate with the CISCO router at other end. My connectivity is as follows.

I have Nokia-440 having serial interface with v.35 cable. The v.35 end of the cable is connected to a DCE cable which is connected to the cisco router. The Serial interface of the router is configured for clock rate of 64k. I am also matching the keepalive rate on the Both devices i.e. Nokia and router. One point I would like to tell you is that after installing serial interface I have upgraded IPSO from 3.4 to 3.4.2 because I want to install the Checkpoint NG on it.

Can somebody help me to sort out this problem.
Thanks and Regards,
Ramesh

------------------------------

Date: Fri, 18 Jan 2002 12:33:40 +0100
From: "Steck, Steffen M." <[email protected]>
Subject: Fw-1 and Charlie Appliance

Hi,

there is a (German?) OPSEC partner Pyramid www.pryramid.de offering an appliance for FW-1 called Charlie. It seems to be similar like Nokia or Intrusion.

Has anybody some good information on it and maybe even experiences?

I am doing currently on Sun and Nokia's, but some other site needs a *cheap* solution, so I thought of the charlie box with Fw-1. Fw-1 module is already here, I only look for the base...

Maybe somebody has any other idea...

Thx in advance and a nice weekend
Steffen

------------------------------

Date: Fri, 18 Jan 2002 13:53:54 +0200
From: andrevs <[email protected]>
Subject: Anyone running Next Generation with Stonebeat full cluster on solaris 8 ?

------------------------------

Date: Fri, 18 Jan 2002 13:57:03 +0100
From: Volker Tanger <[email protected]>
Subject: Re: Fw-1 and Charlie Appliance

Greetings!

Steck, Steffen M. wrote:
> there is a (German?) OPSEC partner Pyramid www.pryramid.de offering an
> appliance for FW-1 called Charlie. It seems to be similar like Nokia or
> Intrusion.

Yes, German company (located in Freiburg). Excellent service - you can directly talk to knowledgeable techies/developers.

Charlies basically are industrial PCs with a custom RedHat Linux install and FW1 with current patches and hotfixes installed. Choose the XL model as the "normal" box seemed to be a bit instable (mechanically that is - NIC cards not fixated) to me. Pyramid's rack appliances usually are rock-solid: very clean build, sometimes even kinda overdone.

Software installation was heavily stripped down as it should be for a firewall and very clean - maybe even a bit too clean as some non-essential but useful tools are missing. But better this way than the other way round as installing is easier than removing.

> Has anybody some good information on it and maybe even experiences?
Just contact Pyramid (+49-761-4514-721, Alexander Dahn), ask for a test drive (usually no problem and fast) and see yourself.

Bye
Volker

--
Volker Tanger <[email protected]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/

------------------------------

Date: Fri, 18 Jan 2002 08:11:13 -0500
From: Layne Meier <[email protected]>
Subject: Re: Anyone running Next Generation with Stonebeat full cluster on solaris 8 ?

I'm in the process of installing it. A lot more difficult to install and understand the manual over the StoneBeat HA product. Also running Solaris 8 in 64 Bit mode.

Be sure to install FW-1/VPN-1 FP1 and download the StoneBeat HotFix for FullCluster.

Best regards,
Layne Meier
Atlanta Newspapers, Inc.

On Friday, January 18, 2002, at 06:53 AM, andrevs wrote:
>

------------------------------

Date: Fri, 18 Jan 2002 15:13:23 +0200
From: "Chontzopoulos, Dimitris" <[email protected]>
Subject: Re: Error FW-1 at firewall: Failed to connect to the WWW s erver & Error FW-1 at firewall: Unknown WWW Server

Thank you very much for your response but I think that this is not my case.
The URL type(d) is always correct, the FW doesn't have M$ DNS server installed or other DNS Server program or caching, the FW is configured to use DNS Name Resolution (and it works like a charm), the web site(s) we are trying to visit do not time out. Furthermore there is no BIND timeout in Policy -> Properties, Resolving Tab (to be exact there is no such thing as Resolving TAB inside Policy, Properties).

Is there any other way around this problem?

The FW is FW-1 4.1 CP2000 SP3 on M$ NT 4.0 SRV SP6a.

Thank you.

There is also a number of HTTP, FTP Resources (These are used for Nimda in-out, forbidden downloads, ftp access for specific PC's to specific IP Addresses).

-----Original Message-----
From: Cantwell, Steve [mailto:[email protected]]
Sent: Thursday, January 17, 2002 8:32 PM
To: '[email protected]'
Subject:

I am using the HTTP Security Server to filter and track web content. When I try to access a particular web site, I get a web page with the following error message:

  fw-1 at (firewallname): unknown www server

What does this error message mean and how can I fix it?

A: This could mean a couple of different things:

* The URL typed was not correct.
* The firewall is not configured to use DNS for name resolution. When using the HTTP Security Server, using DNS for name resolution is required.
* When FireWall-1 attempted to look up the site in question, it timed out.

There are a couple of ways to address this problem:

* Turn off any Name Service Caching software. nscd is a known problem on Solaris 2.5.1 installations. If this process is running, kill it, remove /etc/rc2.d/S76nscd (where it is usually started from) and reboot.
* Increase the BIND timeout in Policy->Properties, Resolving tab.
  Re-install the security policy

------------------------------

Date: Fri, 18 Jan 2002 08:44:57 -0500
From: Joe Matusiewicz <[email protected]>
Subject: Re: Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1

The NSA has been working on this ever since Win2K came out and has released a boatload of guides on how to harden Win2K. You can find them at:

http://nsa1.www.conxion.com/win2k/download.htm

I eagerly await the out of office replies ;)

-- Joe

At 05:50 PM 1/17/02, [email protected] wrote:
>I am looking for some detailed documents on hardening "windows 2000" for
>checkpoint Firewall. I know there are some available for Windows NT 4.0.
>but not for 2000.. Can anyone help me find out.
>
>Thanks,
>-dev
>
><><><><><><><><><><><><><><><>
> K.R.Devarajan
> CrossAccess Corporation
> 2900, Gordon Avenue, Suite 100
> Santa Clara, CA 95051
> http://www.crossaccess.com
> Ph:
><><><><><><><><><><><><><><><>

------------------------------

Date: Fri, 18 Jan 2002 09:00:55 -0500
From: "Zeltser, Roman" <[email protected]>
Subject: Re: Hardening Windows 2000 ( Not windows NT4.0 ) for Firew all1

Dev, look in this index
http://www.rtek2000.com/Tech/InternetSecureLinks.html#hard

**********************************
Roman Zeltser, @National Computer Center, RSIS & DNE

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, January 17, 2002 5:50 PM
To: [email protected]
Subject: [FW-1] Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1

I am looking for some detailed documents on hardening "windows 2000" for checkpoint Firewall. I know there are some available for Windows NT 4.0. but not for 2000.. Can anyone help me find out.
Thanks,
-dev

<><><><><><><><><><><><><><><>
 K.R.Devarajan
 CrossAccess Corporation
 2900, Gordon Avenue, Suite 100
 Santa Clara, CA 95051
 http://www.crossaccess.com
 Ph:
<><><><><><><><><><><><><><><>

------------------------------

Date: Fri, 18 Jan 2002 09:29:44 -0500
From: Edmundo Farinas <[email protected]>
Subject: Re: Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1

Check out the SANS store http://www.sansstore.org/ for general recommendations

Edmundo

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, January 17, 2002 5:50 PM
To: [email protected]
Subject: [FW-1] Hardening Windows 2000 ( Not windows NT4.0 ) for Firewall1

I am looking for some detailed documents on hardening "windows 2000" for checkpoint Firewall. I know there are some available for Windows NT 4.0. but not for 2000.. Can anyone help me find out.
Thanks,
-dev

<><><><><><><><><><><><><><><>
 K.R.Devarajan
 CrossAccess Corporation
 2900, Gordon Avenue, Suite 100
 Santa Clara, CA 95051
 http://www.crossaccess.com
 Ph:
<><><><><><><><><><><><><><><>

------------------------------

Date: Fri, 18 Jan 2002 09:57:17 -0500
From: Alexey Vitashkevich <[email protected]>
Subject: Error: can not find df type

Hi. I have two NG firewalls on Solaris 8 with Rainwall installed in HA/LB mode.
Each time I install policies I get this message>
Error: can not get df type.
Everything seems to be working fine, but it keeps bothering me ...
Any ideas?

Alexey Vitashkevich <mailto:[email protected]>
Security Consultant. MSCE, CNE, CCSE
Nextgen Internet
tel :ext. 107
cell :
<http://www.nextgeninter.net> www.nextgeninter.net

------------------------------

Date: Fri, 18 Jan 2002 16:08:57 +0100
From: Petra Klein <[email protected]>
Subject: 4.0 -> 4.1 upgrade

Hi everyone!

Can I go from FW-1 4.0 SP-5 to FW-1 4.1 SP-3?
I have a Nokia VPN210 IPSO 3.2.1

Best Regards
Petra

------------------------------

Date: Fri, 18 Jan 2002 16:44:13 +0100
From: Matthias Grund <[email protected]>
Subject: Re: Anyone running Next Generation with Stonebeat full cluster on solaris 8 ?

Hi,

at the moment Stonebeat Fullcluster isn't certified for NG FP1. I've got two clusters in the installation phase and as far as I can tell:

- It seems to work in 32 bit mode
- In 64 bit mode the system crashes as soon as the first IKE packet appears on my E220Rs
- Gigaswift cards with VLAN tagging don't support VPN, Stonebeat heartbeat or Checkpoint State Sync

Regards,
Matthias

--
nor|dac Rechenzentrumsgesellschaft mbH, D-23542 Lübeck
Phone: +49 (4 51) 8 82 - 15 00 / Fax: - 7 15 00
[email protected]

------------------------------

Date: Fri, 18 Jan 2002 11:25:09 -0500
From: Don <[email protected]>
Subject: Re: Serial Interface on Nokia-440

> I am facing problem in installing v.35 serial interface in Nokia-440. I
> have configured the serial interface on NOkia as per given in the
> Voyager Reference Guide for the option of Internal clock Off as I am
> taking clock from CISCO router.After configuring It is not able to
> communicate with the CISCO router at other end.My connectivity is as
> follows.
>
> I have Nokia-440 having serial interface with v.35 cable. The v.35 end
> of the cable is connected to a DCE cable which is connected to the
> cisco router. The Serial interface of the router is configured for clock
> rate of 64k. I am also matching the keepalive rate on both devices
> i.e. Nokia and router. One point I would like to tell you is that after
> installing serial interface I have upgraded IPSO from 3.4 to 3.4.2
> because I want to install the Checkpoint NG on it.

Don't you need a serial crossover cable for this?

-Don

------------------------------

Date: Fri, 18 Jan 2002 11:08:10 -0500
From: "Hawkins, Michael" <[email protected]>
Subject: Firewall IP address internal???

Hi friends,

We are running two Nokia's IPSO 3.2.1-fcs1. FW-1 4.1 SP2. Yes, we will be upgrading IPSO and FW-1 to the latest SP's soon.

My question is with regard to the way our firewalls were set up. Our management workstation has an internal IP address. And both of our firewalls are defined in the rulebase as objects with INTERNAL IP addresses.

If I am using IPSec only for VPN's and never use SKIP or FWZ, is there any reason why I should change the objects to use external IP's???

If I do change the IP's to external, will I have any problems in using the internal management workstation when pushing policies to the firewalls? I once worked with a company that had two Sun boxes with 4.0 and they had external addresses. Every time we pushed a policy, the connection broke. The firewalls were defined as objects with external addresses.

I have Dameon's Essential Check Point book and he states early on that you should use an Internet routable address for the firewall objects. The book doesn't explain why this is his suggestion. And I am wondering whether I should go through the reconfiguration or not.

Thanks for your help in advance,

Mike Hawkins

<<Disclaimer>>
This electronic mail is intended only for the use of the addressee(s) named herein.
Unless otherwise specifically stated, the views contained and expressed in this electronic mail are strictly those of the individual sender and are not the views of the Company or any of its Directors or other employees. If you are not the intended recipient of this electronic mail, you are hereby notified that any dissemination, distribution or copying of this electronic mail is strictly prohibited. If you received this electronic mail in error please immediately notify us by return electronic mail and delete this electronic mail from your system.

------------------------------

Date: Fri, 18 Jan 2002 10:00:09 -0600
From: Randy Allen <[email protected]>
Subject: Re: ftp problem

I tried it with both DOS-FTP and WS-FTP and got a login request. You may have to allow some high tcp ports outbound to get this to work. I had to do this recently to enable connection to a secure ftp server. I am running FW-1 4.1 SP3 on NT 4, SP6a.

-----Original Message-----
From: Yim Lee [mailto:[email protected]]
Sent: Thursday, January 17, 2002 5:06 PM
To: [email protected]
Subject: [FW-1] ftp problem

Trying to ftp to 63.150.174.37. My fw is on Solaris 2.6 running CheckPoint 4.1 SP5. I have a rule that allows the ftp traffic and the log indicates that it is accepted. I snoop the traffic.

xxx.xxx.xxx.xxx -> 63.150.174.37 FTP C port=48813
63.150.174.37 -> xxx.xxx.xxx.xxx FTP R port=48813
xxx.xxx.xxx.xxx -> 63.150.174.37 FTP C port=48813
63.150.174.37 -> xxx.xxx.xxx.xxx FTP R port=48813 220
xxx.xxx.xxx.xxx -> 63.150.174.37 FTP C port=48813

I tried this site from NetZero and it works. It is some kind of WS_FTP Server 1.0.5. Any thoughts. Can some of you try to access this site running CheckPoint fw and get back to me? If you get the login prompt, you have connected.
Thanks,

Yim

------------------------------

Date: Fri, 18 Jan 2002 18:11:48 +0200
From: Olli Lahteenmaa <[email protected]>
Subject: Autoreply - Olli Lahteenmaa is out of the office.

I will be out of the office starting 2002-01-18 and will not return until 2002-01-24. I have a limited access to my email, so I will respond to your message when I return.
I'm not available by phone either. In urgent matters, please contact Mr. Klas Anfält <[email protected]> GSM +46-709-394822 or Mr. James Whelan <[email protected]> GSM +358-40-5831262 at our Helsinki office (switchboard number +358-9-476711).

Cheers, =Olli=

------------------------------

Date: Fri, 18 Jan 2002 08:55:33 -0800
From: Kennie Miller <[email protected]>
Subject: How to setup VPN

Hello All,

We have a FW-1VPN Gateway and currently we are just using it as firewall for our webserver and internal network. The webserver is on DMZ and we are using NATing. Now we want to setup a VPN for mobile users to access the internal Windows NT 4 network from home or while traveling. Can someone guide me here what are the basic steps to setup the VPN. Particularly what we need to do to pass the VPN traffic to internal domain controller without compromising security etc.

Do we need any other software? I think we can use secure-client on workstations for connecting but do we need anything else?

Are there any good books that someone can recommend for VPN, specially anything specifically for VPN using checkpoint?

Your help will be greatly appreciated.

Kennie

------------------------------

Date: Fri, 18 Jan 2002 18:07:06 +0100
From: Jonas Thambert <[email protected]>
Subject: Re: 4.0 -> 4.1 upgrade

Hi Petra!

Yes, you can upgrade from 4.0 SP3 and later to 4.1 SP3.

/Jonas

-----Original Message-----
From: Petra Klein [mailto:[email protected]]
Sent: den 18 januari 2002 16:09
To: [email protected]
Subject: [FW-1] 4.0 -> 4.1 upgrade

Hi everyone!

Can I go from FW-1 4.0 SP-5 to FW-1 4.1 SP-3?
I have a Nokia VPN210 IPSO 3.2.1

Best Regards
Petra

------------------------------

Date: Fri, 18 Jan 2002 12:24:33 -0500
From: "Hawkins, Michael" <[email protected]>
Subject: Re: Using Cisco IOS firewall feature set

I have used Cisco Firewall IOS on many platforms but to my knowledge you can't implement it on the 6500 platform without disabling fast switching which REALLY hoses the speed of the 6500.

You are better off using a NAM and IDS to monitor your traffic OR use a 7200 or 3600 to run edge routing services. If you're looking for Chinese walls inside your network use VLANs on the 6500. But IOS FW feature set is more for edge router situations.

Mike Hawkins

-----Original Message-----
From: Eric Appelboom [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 2:15 PM
To: [email protected]
Subject: [FW-1] Using Cisco IOS firewall feature set

I am looking at complementing our FW-1's with switches installed with the Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3 switching so inspection can be done on switches and not on fw nic. We primarily would like to reduce unnecessary internal to internal traffic.

We will use the Cisco Policy Manager version 3 which appears to be similar to the FW-1 GUI and not commandline.

There doesn't appear to be many people using the IOS firewall feature set and it appears quite apt and manageable.
I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice? Are there any performance comparisons?

Regards
Eric

------------------------------

Date: Fri, 18 Jan 2002 09:59:47 -0800
From: Resit Aksen <[email protected]>
Subject: secure connection via VPN

Hi,

First of all, sorry for the newbie question, but I was confused a little bit about secure remote conn.

1- I want to set up secure communication between my home PC and my office net. So what do I need to get it? Do I need to install secureclient program on my home PC or what?

2- How can I set up VPN between my CP and ISP's CP?

Thank you for your help..

Resit Ax.
------------------------------

Date: Fri, 18 Jan 2002 12:10:42 -0600
From: "Mehta, Phoram" <[email protected]>
Subject: nokia IP440/fw-backup

I am exploring my options for disk backup/mirroring for IP440/fw and would like to know some of your guru's personal experiences with the following options I have at my disposal in case the hard disk crashes.

1. Duplidisk: expensive and not recommended?
2. VRRP: expensive again but sounds promising?
3. backup everything regularly and wait for nokia to ship a new drive (24hrs I guess). don't know how difficult is this?
4. install a new hard drive on nokia IP440/fw and backup regularly. sounds doable but at the cost of losing the warranty?

all kinds of suggestions and ideas are welcome!

Phoram Mehta
Trabon Solutions
Network Engineer
Email:[email protected]
Tel:ext: 519

------------------------------

Date: Fri, 18 Jan 2002 11:29:28 -0800
From: [email protected]
Subject: <No subject given>

Hi all,

I recently downgraded NG to 4.1 SP5 running on NT4 SP6a. I am now getting this error message "Chunked Transfer-Encoding is not allowed, resource http:....."

Any help will greatly be appreciated. Thanks

------------------------------

Date: Fri, 18 Jan 2002 15:20:27 -0500
From: Simon Desmeules <[email protected]>
Subject: <No subject given>

You may want to try this fix:

To allow chunked data through the FireWall:

1. Close the GUI and stop the FireWall (fwstop)
2. Modify the $FWDIR/conf/objects.C file as follows:
3. Under the :props section add the lines:

    :http_cvp_allow_chunked (true)
    :http_ing_allow_chunked (true)
    :http_block_java_allow_chunked (true)
    :http_allow_ranges (true)

4. Save the objects.C and start the firewall.
5. Test and let me know.
Simon.
[email protected]

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Friday, January 18, 2002 2:29 PM
Subject: [FW-1]

> Hi all,
> I recently downgraded NG to 4.1 SP5 running on NT4 SP6a. I am now
> getting this error message "Chunked Transfer-Encoding is not allowed,
> resource http:....."
> Any help will greatly be appreciated. Thanks

------------------------------

Date: Thu, 17 Jan 2002 18:18:40 +0700
From: Yusri Amsal <[email protected]>
Subject: NG FP1 on RedHat 7.2

Dear Lists,

I install Firewall and FloodGate NG FP1 on RH 7.2 with stand-alone machine.

External Interface IP was 202.152.5.201
Internal Interface IP was 10.250.1.1
Gui-client assigned was 10.250.1.23

All installation steps already done, after reboot I try first time connection to 202.152.5.201 from my laptop (win2k pro) but always get response "Authentication to 202.152.5.201 failed".
I check my RH 7.2 and then run manually

# cpstop

the response was:
=================================================
Stop fg-1
etmstop: ETM kernel module is not loaded
FloodGate-1 stopped
Stop fw-1
FW: stopping VPN-1 module -- OK
FireWall-1: disabling IP forwarding
FireWall-1: FW-1 kernel module is not loaded
Stop cpshared
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
=================================================

And then

# cpstart

the response was:
=================================================
Start cpshared
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
Start fw-1
FireWall-1: fw1 module not loaded! please reboot or run with -driver
Start fg-1
FloodGate-1: fwd is not running - run cpstart
FloodGate-1: Did not start successfully
=================================================

I try to connect again but there is no response too.

Please, could you give me clue to solve this problem ?

regards,

Yusri Amsal
Schlumberger Network Solutions
Sentra Mulia Building Fl. 15 Suite 1501
Jl. H.R. Rasuna Said Kav X-6 No. 8
Jakarta 12940
Phone: +62 21 522 7282
Fax.: +62 21 522 7292
Email: [email protected]
http://www.slb.com/sns/

------------------------------

Date: Fri, 18 Jan 2002 13:15:05 -0800
From: Chris H <[email protected]>
Subject: Re: How to setup VPN

Call your FW1 vendor and ask for SecuRemote licenses. Then apply the license. Then read the docs for setting up SecuRemote.

Chris

--- Kennie Miller <[email protected]> wrote:
> Hello All,
>
> We have a FW-1VPN Gateway and currently we are just
> using it as firewall for
> our webserver and internal network. The webserver is
> on DMZ and we are using
> NATing. Now we want to setup a VPN for mobile users
> to access the internal
> Windows NT 4 network from home or while traveling.
> Can someone guide me
> here what are the basic steps to setup the VPN.
> Particularly what we need to
> do to pass the VPN traffic to internal domain
> controller without
> compromising security etc.
> Do we need any other software? I think we can use
> secure-client on
> workstations for connecting but do we need anything
> else?
> Are there any good books that someone can recommend
> for VPN, specially
> anything specifically for VPN using checkpoint?
> your help will be greatly appreciated.
>
> Kennie

------------------------------

Date: Fri, 18 Jan 2002 17:02:05 -0500
From: Alexey Vitashkevich <[email protected]>
Subject: Re: NG FP1 on RedHat 7.2

See if you have in the /etc/hosts file lines for your external ip versus hostname ..... It might help

Alexey Vitashkevich
Security Consultant. MSCE, CNE, CCSE
Nextgen Internet
tel :ext. 107
cell :
www.nextgeninter.net

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Yusri Amsal
Sent: Thursday, January 17, 2002 6:19 AM
To: [email protected]
Subject: [FW-1] NG FP1 on RedHat 7.2

Dear Lists,

I install Firewall and FloodGate NG FP1 on RH 7.2 with stand-alone machine.
External Interface IP was 202.152.5.201
Internal Interface IP was 10.250.1.1
Gui-client assigned was 10.250.1.23

All installation steps already done, after reboot I try first time connection to 202.152.5.201 from my laptop (win2k pro) but always get response "Authentication to 202.152.5.201 failed".

I check my RH 7.2 and then run manually

# cpstop

the response was:
=================================================
Stop fg-1
etmstop: ETM kernel module is not loaded
FloodGate-1 stopped
Stop fw-1
FW: stopping VPN-1 module -- OK
FireWall-1: disabling IP forwarding
FireWall-1: FW-1 kernel module is not loaded
Stop cpshared
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
=================================================

And then

# cpstart

the response was:
=================================================
Start cpshared
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
Start fw-1
FireWall-1: fw1 module not loaded! please reboot or run with -driver
Start fg-1
FloodGate-1: fwd is not running - run cpstart
FloodGate-1: Did not start successfully
=================================================

I try to connect again but there is no response too.

Please, could you give me clue to solve this problem ?

regards,

Yusri Amsal
Schlumberger Network Solutions
Sentra Mulia Building Fl. 15 Suite 1501
Jl. H.R. Rasuna Said Kav X-6 No.
8 Jakarta 12940
Phone: +62 21 522 7282
Fax.: +62 21 522 7292
Email: [email protected]
http://www.slb.com/sns/

**************************************************************************************************
The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to any one or make copies.
** eSafe scanned this email for viruses, vandals and malicious content **
This service is provided by Nextgen Internet http://www.nextgeninter.net
**************************************************************************************************

------------------------------

Date: Fri, 18 Jan 2002 17:15:45 -0500
From: Joe Pampel <[email protected]>
Subject: Re: How to setup VPN

my 2 cents:

1. buy phoneboy's book "essential firewall-1" read it a couple times. lots of stuff in there!
2. talk to your reseller to get remote VPN license (I think it's separate from basic VPN?)
3. If budget will allow, use secure-client ($99/user or so) allows you to push policy out to user PC. Secure remote is free but does not push policy to remote host. bad. do you really want them surfing 'naked' while logged into your VPN? I didn't think so. :-p
4. see phoneboy.com FAQ on NT networking over a VPN and the list archives for this list and the fw1wizards list.
Lots of mat'l on domain/browsing network etc.

Actually the basic setup is pretty easy. Try to get FWZ working first, then move to IKE once you've got it going.

- Joe

>>> Chris H <[email protected]> 01/18/02 04:15PM >>>
Call your FW1 vendor and ask for SecuRemote licenses. Then apply the license. Then read the docs for setting up SecuRemote.

Chris

--- Kennie Miller <[email protected]> wrote:
> Hello All,
>
> We have a FW-1VPN Gateway and currently we are just
> using it as firewall for
> our webserver and internal network. The webserver is
> on DMZ and we are using
> NATing. Now we want to setup a VPN for mobile users
> to access the internal
> Windows NT 4 network from home or while traveling.
> Can someone guide me
> here what are the basic steps to setup the VPN.
> Particularly what we need to
> do to pass the VPN traffic to internal domain
> controller without
> compromising security etc.
> Do we need any other software? I think we can use
> secure-client on
> workstations for connecting but do we need anything
> else?
> Are there any good books that someone can recommend
> for VPN, specially
> anything specifically for VPN using checkpoint?
> your help will be greatly appreciated.
>
> Kennie

------------------------------

Date: Fri, 18 Jan 2002 14:10:23 -0800
From: Frank <[email protected]>
Subject: Re: NG FP1 on RedHat 7.2

As far as I know, NG does not run on RedHat 7.2. You'll need to use RedHat 6.2 or 7.0, these have worked for me.

Frank Keeney

On Thu, 17 Jan 2002, Yusri Amsal wrote:
> I install Firewall and FloodGate NG FP1 on RH 7.2 with stand-alone machine.
------------------------------

Date: Sat, 19 Jan 2002 00:12:55 +0000
From: Steve <[email protected]>
Subject: Re: NG FP1 on RedHat 7.2

Frank wrote:
>
> As far as I know, NG does not run on RedHat 7.2.

Yes, it does according to :-
http://www.checkpoint.com/products/security/firewall-1_sysreq.html

Certainly I'm having no problems running NG FP1 under RedHat 7.2 (stonebeat 3.0 Fullcluster even seems to work with the limited testing I've given it).

Yusri - Have a look in /var/log/messages to see if there is any relevant error messages? Also type the command "dmesg" and see if any relevant info is in there. I presume you have upgraded the Kernel to 2.4.13-9 ?

Steve.

------------------------------

End of FW-1-MAILINGLIST Digest - 17 Jan 2002 to 18 Jan 2002 (#2002-19)
**********************************************************************