Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan

[David Knoll <david@FW1-NOSPAMUPBIT.CO.IL>]

Title: Strange problem with Web access to an Access Point defined in a DMZ lan

Yes well it is not so much a problem as it is a security feature (Well part of it at least).

 

As the one and only Dameon D. Welch points out:

 

There can be two reasons for this behaviour:

 

1)       The HTTP Security Server of FW-1 performs DNS reverse lookup to ascertain whether the IP address is registered and registered correctly. Many domain names have several IP addresses mapped to them but not all of those addresses were assigned a PTR record. Others simply never took the time to create the PTR record. This is a security feature of FW-1 that prevents impersonation. In any case to solve this do one of the following:

A)      Ask the destination site to add a PTR record for the site in question in his DNS records.

B)      Use the name returned by the reverse lookup instead of the FQDN you usually use.

C)      Add a PTR record to the DNS Server against which the FW makes it's name resolutions.

D)      Welch's solution – "Add an entry in your Firewall's local host file and have the system resolve against the hosts file first (note: This is untested)"

E)      "Exclude the sites in question from going through the security server by adding a rule above your security server rule that permits normal HTTP to the site"

 

2)       Connection to the desired site timed out. Some users indicated that allocating greater timeout for Bind in Policy properties -à resolving Tab, solved that problem for them, but I am sceptical.

 

 

 

The Reverse Lookup behaviour was first made public by Arjan van der Valk on March 2^nd 1999.

 

 

 

 

 

David Knoll
UpBIT Solutions Ltd


Tel:+ 972-3-6476387

Fax:+ 972-3-6476396

Cellular:+ 972-54-496357

 

E-mail: david@upbit.co.il

 

Upbit Solutions Ltd

9 Nissan Street

Tel-Aviv 69715, Israel

--------------------------------------------
This message may contain confidential and/or proprietary information, and is intended only for the person / entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated.

 

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@beethoven.us.checkpoint.com] On Behalf Of Chontzopoulos, Dimitris
Sent: Thursday, February 21, 2002 1:26 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] Strange problem with Web access to an Access Point def ined in a DMZ lan

 

Does configuring a HTTP resource has to do something with that? I am merely asking because i have the same problem with MANY Web sites. I have also configured 4 HTTP resources and before doing that (the HTTP resources that is) i had no problems. Now you will say, "Geeeeeeee, nice going dude... What do you do for a living? Nuclear scientist ?"... Ok. I have to admit that. But how come i haven't seen just one time so far a question like this? That is, except once i posted a question like this myself... Can someone give us the light in here? How about Checkpoint? Isn't that a little dooooooooohhhhh? Just asking boys and girls...

-----Original Message-----
From: David Knoll [mailto:david@UPBIT.CO.IL]
Sent: Thursday, February 21, 2002 12:23 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan

Do you use a security sever (add with resource) for HTTP?

 

David Knoll
UpBIT Solutions Ltd


Tel:+ 972-3-6476387

Fax:+ 972-3-6476396

Cellular:+ 972-54-496357

 

E-mail: david@upbit.co.il

 

Upbit Solutions Ltd

9 Nissan Street

Tel-Aviv 69715, Israel

--------------------------------------------
This message may contain confidential and/or proprietary information, and is intended only for the person / entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated.

 

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@beethoven.us.checkpoint.com] On Behalf Of admin@IAA.GOV.IL
Sent: Wednesday, February 20, 2002 4:26 PM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan

 

Afternoon all,

I have a very odd situation here that I am unable to work out.

I have a setup as follows :

Internal Network

|

|

FW ---- Secured VLAN

|

|

Internet

On the secured VLAN I have a Lan dedicated only to Access Points.

I have a rule allowing specific users to access the AP's from the Internal Network using HTTP and Telnet.

The users can Telnet to the AP's fine.

The users attempt to access the AP's via HTTP. I see the sessions established in the log' and in the browser I get :

"FW-1 at fw: Failed to connect to the WWW server".

This again, despite the fact that I see the session established in the logs, and Telnet (standard) works fine.

Anyone have any idea what could be causing this ?

Thanks,

 

Mike Glassman

System & Security Admin

Computer & Information Systems

Israeli Airports Authority

Ben-Gurion Airport

http://www.ben-gurion-airport.co.il

Tel : 972-3-9710785

Fax : 972-3-9710939

Email : admin@iaa.gov.il

Usage of this email address or any email address at iaa.gov.il for the purpose of sales pitches, SPAM or any other such unwanted garbage, is illegal, and any person, whether corporate or alone doing so, will be prosecuted to the fullest possible extent.