Re: [FW-1]
Hi,

We've tried using this URI rule and experienced similar problems with the webservers. Perhaps you could look at the logs to see if there's any connection using this rule. If yes, take a look at the destination IPs and see if it's any host in your internal or DMZ. If it's none of the hosts, I would assume it's safe to disable this rule as it takes up lotsa resources in the FW. At times it might display access denied or unknown webserver for valid conx.

public
> Any suggestions?

Thanks
alan

----- Original Message -----
From: "King, Arron S." <[email protected]>
To: <[email protected]>
Sent: Thursday, March 28, 2002 11:15 AM
Subject: [FW-1]

> Hello,
>
> We instituted a rule that blocks inbound Nimda/Code Red attacks based upon a Checkpoint KB article on how to set up a URI for Nimda/Code Red. (any internal -> any external reject if http(nimda URI))
>
> We are running Checkpoint 4.1 SP1 on a Nokia IP 440 (w/ a Win2k mgmt station running 4.1 SP5). We have 3mbps of Internet speed.
>
> However, after we instituted this rule, we began receiving several complaints about specific sites being horribly slow (several minutes between page loads). I did some investigating, and found that if I turn the rule off, the pages load very quickly. Turn the rule back on, and they take forever. Every other site that I've seen (and used personally) works fine. Digging deeper, the pages in question seem to "POST" forms, some of which are large. I've been able to restore speed by putting a second rule (in front of the NIMDA block, specific to the site in question) that allows HTTP. (I know this bypasses the Nimda check; but the sites I've done this for are required for academics here, and I would much rather limit my exposure to a few specific hosts (rather than get rid of the rule entirely))
>
> The URI we are using (as I read the Checkpoint KB article) is:
> Conn Methods (Transparent, proxy)
> URI Match Spec: Wildcards
> Exception Track: None
> Match: http GET -
> Path - {*cmd.exe,*root.exe,*admin.dll,*readme.exe,*default.ida}
>
> Anyone else seen this?
>
> TIA
>
> _________________________________________________
> Arron King
> Network & Systems Administrator
> Ohio Dominican College
> voice> fax> [email protected]
> http:\\www.odc.edu\~kinga
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
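
The log check suggested in the reply above, as an added example that is not part of the original thread: it tallies hits on the Nimda URI rule by destination and separates internal/DMZ hosts from everything else. The CSV layout, column names, rule number and address ranges are assumptions made for illustration, not FireWall-1's own export format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumptions: substitute your own rule number and internal/DMZ ranges.
NIMDA_RULE = "12"
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]

# Constructed sample of an exported firewall log (hypothetical column names).
SAMPLE_LOG = """\
time,action,rule,src,dst,service
11:02:10,reject,12,203.0.113.7,192.0.2.10,http
11:02:14,accept,5,10.1.4.22,198.51.100.80,http
11:03:01,reject,12,10.1.4.30,198.51.100.9,http
11:03:40,reject,12,203.0.113.99,192.0.2.10,http
11:04:05,reject,12,203.0.113.7,192.0.2.25,http
"""

def is_protected(addr):
    """True if addr falls inside one of the internal/DMZ ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED_NETS)

def summarize_rule_hits(log_text, rule=NIMDA_RULE):
    """Count hits on `rule` per destination: (internal/DMZ, other)."""
    protected, other = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["rule"] != rule:
            continue
        try:
            bucket = protected if is_protected(row["dst"]) else other
        except ValueError:
            continue  # skip rows with a malformed destination address
        bucket[row["dst"]] += 1
    return protected, other

if __name__ == "__main__":
    protected, other = summarize_rule_hits(SAMPLE_LOG)
    print("rule hits to internal/DMZ hosts:", dict(protected))
    print("rule hits to other destinations:", dict(other))
```

If the first tally is empty over a representative log period, the rule is not matching traffic to any host you run, which is the condition the reply gives for disabling it.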