Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan
Title: RE: Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan

Dave,

In most cases I would agree, but in this case the solutions don't apply since:

We are accessing the units by their IP address and not by a name, so there is no reason there should be a DNS record or PTR for them (as well as these being in the Secured VLAN and not a DMZ), and the Telnet to the exact same IP address works fine.

I am not using the HTTP security server option at all.

Mike

-----Original Message-----
From: David Knoll [SMTP:[email protected]]
Sent: Wednesday, February 21, 2002 6:18
Subject: Re: [FW-1] Strange problem with Web access to an Access Point defined in a DMZ lan

Yes, well, it is not so much a problem as it is a security feature (well, part of it at least).
As the one and only Dameon D. Welch points out:
There can be two reasons for this behaviour:
1) The HTTP Security Server of FW-1 performs a DNS reverse lookup to ascertain whether the IP address is registered and registered correctly. Many domain names have several IP addresses mapped to them, but not all of those addresses were assigned a PTR record. Others simply never took the time to create the PTR record. This is a security feature of FW-1 that prevents impersonation. In any case, to solve this do one of the following:

A) Ask the destination site to add a PTR record for the site in question in his DNS records.
B) Use the name returned by the reverse lookup instead of the FQDN you usually use.
C) Add a PTR record to the DNS Server against which the FW makes its name resolutions.
D) Welch's solution – "Add an entry in your Firewall's local host file and have the system resolve against the hosts file first (note: This is untested)"
E) "Exclude the sites in question from going through the security server by adding a rule above your security server rule that permits normal HTTP to the site"

2) Connection to the desired site timed out. Some users indicated that allocating a greater timeout for Bind in Policy properties -> Resolving tab solved that problem for them, but I am sceptical.
The Reverse Lookup behaviour was first made public by Arjan van der Valk on March 2nd 1999.
David Knoll
Fax: +972-3-6476396
Cellular: +972-54-496357
E-mail: [email protected]
Upbit Solutions Ltd
9 Nissan Street
Tel-Aviv 69715, Israel
--------------------------------------------
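As an added example (not code from this thread, and not Check Point's own implementation): a small Python script that performs the same forward-confirmed reverse lookup that David attributes to the HTTP Security Server, so an administrator can see in advance which destination addresses would fail that check and which of the fixes A) to E) above would apply. The resolver is injectable: the default uses the operating system resolver, while the sample records below are constructed (documentation prefixes, no real hosts) so the script runs offline. The function names, the resolver interface and the status labels are assumptions of this example.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Hypothetical resolver interface (an assumption of this example): a callable
# that answers a PTR query for an address, or an A query for a name, with a
# list of strings. Injected so the check can run offline against fixed records.
Resolver = Callable[[str, str], List[str]]


def system_resolver(query: str, rtype: str) -> List[str]:
    """Answer PTR/A queries through the operating system resolver (needs network)."""
    try:
        if rtype == "PTR":
            host, aliases, _ = socket.gethostbyaddr(query)
            return [host] + list(aliases)
        if rtype == "A":
            return socket.gethostbyname_ex(query)[2]
    except (socket.herror, socket.gaierror):
        return []
    raise ValueError(f"unsupported record type {rtype!r}")


def fcrdns_check(ip: str, resolver: Resolver = system_resolver) -> Tuple[str, List[str]]:
    """Classify an address the way a reverse-lookup check would see it.

    Returns (status, names):
      'no-ptr'       - the address has no PTR record at all
      'ptr-mismatch' - PTR names exist, but none of them resolves back to ip
      'ok'           - at least one PTR name resolves back to ip (forward-confirmed)
    """
    names = resolver(ip, "PTR")
    if not names:
        return "no-ptr", []
    confirmed = [name for name in names if ip in resolver(name, "A")]
    if not confirmed:
        return "ptr-mismatch", names
    return "ok", confirmed


# Which of the fixes listed in the thread applies to each outcome.
REMEDY = {
    "no-ptr": "add a PTR record (fix A or C), or bypass the security server for this host (fix E)",
    "ptr-mismatch": "use the name the reverse lookup returns (fix B), or correct the records",
    "ok": "no DNS change needed; look at the timeout explanation next",
}


def audit(ips: List[str], resolver: Resolver = system_resolver) -> Dict[str, Tuple[str, List[str], str]]:
    """Run the check over several addresses and attach the applicable remedy."""
    result = {}
    for ip in ips:
        status, names = fcrdns_check(ip, resolver)
        result[ip] = (status, names, REMEDY[status])
    return result


# Constructed sample zone (documentation prefixes, not real hosts) so the
# script runs offline. Each key is (query, record type).
SAMPLE_RECORDS = {
    ("192.0.2.10", "PTR"): ["www.example.test"],
    ("www.example.test", "A"): ["192.0.2.10", "192.0.2.11"],
    # 192.0.2.11 is the second address of the same name and never got a PTR:
    ("192.0.2.11", "PTR"): [],
    # 192.0.2.20 has a PTR, but that name now points somewhere else:
    ("192.0.2.20", "PTR"): ["old.example.test"],
    ("old.example.test", "A"): ["198.51.100.7"],
}


def sample_resolver(query: str, rtype: str) -> List[str]:
    """Offline resolver backed by the constructed records above."""
    return list(SAMPLE_RECORDS.get((query, rtype), []))


if __name__ == "__main__":
    report = audit(["192.0.2.10", "192.0.2.11", "192.0.2.20"], sample_resolver)
    for ip, (status, names, remedy) in report.items():
        print(f"{ip:<12} {status:<13} {names} -> {remedy}")
```

Running it against a real destination means calling `audit([...])` without the second argument, which uses the system resolver. Note that for devices reached only by IP address, as with the access points in Mike's case, a `no-ptr` result is the expected state of the DNS, not a fault in itself; it only matters when the traffic actually passes through a security server that applies the check.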
-----Original Message-----
Does configuring an HTTP resource have something to do with that? I am merely asking because I have the same problem with MANY Web sites. I have also configured 4 HTTP resources, and before doing that (the HTTP resources, that is) I had no problems.

Now you will say, "Geeeeeeee, nice going dude... What do you do for a living? Nuclear scientist?"... Ok, I have to admit that. But how come I haven't seen just one time so far a question like this? That is, except once I posted a question like this myself... Can someone give us the light in here? How about Checkpoint? Isn't that a little dooooooooohhhhh? Just asking, boys and girls...

-----Original Message-----

Do you use a security server (add with resource) for HTTP?
David Knoll
Fax: +972-3-6476396
Cellular: +972-54-496357
E-mail: [email protected]
Upbit Solutions Ltd
9 Nissan Street
Tel-Aviv 69715, Israel
--------------------------------------------
-----Original Message-----
Afternoon all,

I have a very odd situation here that I am unable to work out. I have a setup as follows:

    Internal Network
           |
           |
          FW ---- Secured VLAN
           |
           |
       Internet

On the secured VLAN I have a LAN dedicated only to Access Points. I have a rule allowing specific users to access the APs from the Internal Network using HTTP and Telnet. The users can Telnet to the APs fine. The users attempt to access the APs via HTTP. I see the sessions established in the log, and in the browser I get: "FW-1 at fw: Failed to connect to the WWW server". This again, despite the fact that I see the session established in the logs, and Telnet (standard) works fine.

Anyone have any idea what could be causing this?

Thanks,

Mike Glassman
System & Security Admin
Computer & Information Systems
Israeli Airports Authority
Ben-Gurion Airport <http://www.ben-gurion-airport.co.il>
Tel: 972-3-9710785
Fax: 972-3-9710939
Email: [email protected]

Usage of this email address or any email address at iaa.gov.il for the purpose of sales pitches, SPAM or any other such unwanted garbage is illegal, and any person, whether corporate or alone, doing so will be prosecuted to the fullest possible extent.