Yes, well, it is not so much a problem as it is a security feature (well, part of it at least). As the one and only Dameon D. Welch points out, there can be two reasons for this behaviour:

1) The HTTP Security Server of FW-1 performs a DNS reverse lookup to ascertain whether the IP address is registered, and registered correctly. Many domain names have several IP addresses mapped to them, but not all of those addresses were assigned a PTR record. Others simply never took the time to create the PTR record. This is a security feature of FW-1 that prevents impersonation. In any case, to solve this do one of the following:

A) Ask the destination site to add a PTR record for the site in question in their DNS records.
B) Use the name returned by the reverse lookup instead of the FQDN you usually use.
C) Add a PTR record to the DNS server against which the FW makes its name resolutions.
D) Welch's solution: "Add an entry in your Firewall's local host file and have the system resolve against the hosts file first (note: This is untested)"
E) "Exclude the sites in question from going through the security server by adding a rule above your security server rule that permits normal HTTP to the site"

2) Connection to the desired site timed out. Some users indicated that allocating a greater timeout for Bind in Policy properties -> Resolving tab solved that problem for them, but I am sceptical.

The Reverse Lookup behaviour was first made public by Arjan van der Valk on March 2nd, 1999.
David Knoll
UpBIT Solutions Ltd
Tel:+ 972-3-6476387
Fax:+ 972-3-6476396
Cellular:+ 972-54-496357
E-mail: [email protected]
Upbit Solutions Ltd
9 Nissan Street
Tel-Aviv 69715, Israel
--------------------------------------------
This message may contain confidential and/or proprietary information, and is
intended only for the person / entity to whom it was originally addressed. The
content of this message may contain private views and opinions which do not
constitute a formal disclosure or commitment unless specifically stated.
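The reverse-lookup check described in the reply above, as an added example that is not part of this thread and not Check Point's code. It assumes (an assumption, not something the thread confirms) that the security server resolves the requested name, looks up a PTR record for each address it gets, and expects that PTR name to resolve back to the same address and to match the name the client asked for. Given that, the script reproduces the three failure/warning cases the reply lists (no PTR at all, a PTR that points elsewhere, and a PTR name that differs from the usual FQDN, which is option B) against a constructed sample zone, and can also be pointed at real DNS through the system resolver. The hosts-file helper emits the entries for Welch's workaround (option D), which he marks as untested. All hostnames and addresses in the sample zone are made up.

```python
"""Forward/reverse DNS consistency check, modelled on the behaviour described
in the thread. Assumption: the HTTP Security Server resolves the requested
name, looks up a PTR for each address and expects it to agree with that name.
Added example, not Check Point's code."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ForwardLookup = Callable[[str], List[str]]      # name -> list of A records
ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR name, or None


@dataclass
class PtrCheck:
    name: str           # name the client asked for
    ip: str             # one address it resolved to
    ptr: Optional[str]  # PTR record for that address, if any
    ok: bool            # False where the security server would reject
    reason: str


def check_reverse_lookup(name: str, forward: ForwardLookup,
                         reverse: ReverseLookup) -> List[PtrCheck]:
    """For every address NAME resolves to: require a PTR record, and require
    that PTR name to resolve back to the same address (forward-confirmed
    reverse DNS). A PTR that confirms but differs from NAME passes and is
    flagged so the reader can apply option B (use the PTR name instead)."""
    name = name.rstrip(".").lower()
    results: List[PtrCheck] = []
    for ip in forward(name):
        ptr = reverse(ip)
        if ptr is None:
            results.append(PtrCheck(name, ip, None, False, "no PTR record"))
            continue
        ptr = ptr.rstrip(".").lower()
        if ip not in forward(ptr):
            results.append(PtrCheck(name, ip, ptr, False,
                                    f"PTR {ptr} does not resolve back to {ip}"))
        elif ptr != name:
            results.append(PtrCheck(name, ip, ptr, True,
                                    f"PTR name differs; try {ptr} instead"))
        else:
            results.append(PtrCheck(name, ip, ptr, True,
                                    "forward and reverse agree"))
    return results


def hosts_file_lines(results: List[PtrCheck]) -> List[str]:
    """Hosts-file lines for the addresses that failed: Welch's (untested)
    workaround of resolving against the firewall's local hosts file first."""
    return [f"{r.ip}\t{r.name}" for r in results if not r.ok]


# --- live resolvers using the system stub resolver --------------------------
def system_forward(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# --- constructed sample zone (not real DNS data) so the check runs offline ---
SAMPLE_A: Dict[str, List[str]] = {
    "www.example.test":   ["192.0.2.10", "192.0.2.11"],  # second address has no PTR
    "web1.example.test":  ["192.0.2.10"],
    "bad.example.test":   ["192.0.2.20"],                # its PTR points elsewhere
    "other.example.test": ["192.0.2.50"],
    "ap1.example.test":   ["192.0.2.30"],                # fully consistent
}
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "web1.example.test",
    "192.0.2.20": "other.example.test",
    "192.0.2.30": "ap1.example.test",
}


def sample_forward(name: str) -> List[str]:
    return list(SAMPLE_A.get(name.rstrip(".").lower(), []))


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    import sys
    # With hostname arguments, query real DNS; otherwise walk the sample zone.
    if len(sys.argv) > 1:
        targets, fwd, rev = sys.argv[1:], system_forward, system_reverse
    else:
        targets = ["www.example.test", "bad.example.test", "ap1.example.test"]
        fwd, rev = sample_forward, sample_reverse
    for target in targets:
        checks = check_reverse_lookup(target, fwd, rev)
        for r in checks:
            print(f"{'OK  ' if r.ok else 'FAIL'} {r.name} -> {r.ip} PTR={r.ptr}: {r.reason}")
        for line in hosts_file_lines(checks):
            print(f"    hosts entry: {line}")
```

Run it with no arguments to see the sample cases, or with one or more hostnames to check real records through the system resolver; a FAIL line is the address the security server would presumably reject, and an OK line carrying "try ... instead" is the name to use per option B. Only the PTR-related cause is modelled; the timeout cause in point 2 is not a DNS-data problem and is not checked here.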
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Chontzopoulos, Dimitris
Sent: Thursday, February 21, 2002 1:26 AM
To: [email protected]
Subject: Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan
Does configuring an HTTP resource have something to do with that? I am merely asking because I have the same problem with MANY Web sites. I have also configured 4 HTTP resources, and before doing that (the HTTP resources, that is) I had no problems. Now you will say, "Geeeeeeee, nice going dude... What do you do for a living? Nuclear scientist?"... OK. I have to admit that. But how come I haven't seen a question like this even once so far? That is, except once when I posted a question like this myself... Can someone give us the light in here? How about Checkpoint? Isn't that a little dooooooooohhhhh? Just asking, boys and girls...
-----Original Message-----
From: David Knoll [mailto:[email protected]]
Sent: Thursday, February 21, 2002 12:23 AM
To: [email protected]
Subject: Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan
Do you use a security server (added with a resource) for HTTP?
David Knoll
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of [email protected]
Sent: Wednesday, February 20, 2002 4:26 PM
To: [email protected]
Subject: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan
Afternoon all,

I have a very odd situation here that I am unable to work out. I have a setup as follows:

Internal Network
|
|
FW ---- Secured VLAN
|
|
Internet

On the secured VLAN I have a LAN dedicated only to Access Points. I have a rule allowing specific users to access the APs from the Internal Network using HTTP and Telnet. The users can Telnet to the APs fine.

When the users attempt to access the APs via HTTP, I see the sessions established in the logs, and in the browser I get: "FW-1 at fw: Failed to connect to the WWW server". This again, despite the fact that I see the session established in the logs, and Telnet (standard) works fine.

Anyone have any idea what could be causing this?
Thanks,
Mike Glassman
System & Security Admin
Computer & Information Systems
Israeli Airports Authority
Ben-Gurion Airport
http://www.ben-gurion-airport.co.il
Tel : 972-3-9710785
Fax : 972-3-9710939
Email : [email protected]
Usage of this email address or any email address at iaa.gov.il for the purpose of sales pitches, SPAM or any other such unwanted garbage is illegal, and any person, whether corporate or alone, doing so will be prosecuted to the fullest possible extent.