Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Syn for established connection

To: [email protected]
Subject: Re: [FW-1] Syn for established connection
From: "Wales, Holly" <[email protected]>
Date: Thu, 30 May 2002 12:42:52 -0500
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Title: RE: [FW-1] Syn for established connection

Checkpoint is working on a hotfix that will sit on top of NG FP2 to solve this problem and behave like 4.1. They are testing now. I, too, encountered this problem several months back ago and opened a trouble ticket with Checkpoint to figure out what was going on. David Grabowski had the same problem and I told him what Checkpoint said about our application and the problem seemed similiar. Turns out they were the exact same problem as yours is as well. Our application was also hardcoded with a specific source port and had back-to-back connections that would get dropped. Our application worked fine with 4.1, but bombed on NG due to their "security enhancements" as they call it. They are working on a fix but I would encourage everyone who has this problem to make sure they open up a trouble ticket so that Checkpoint knows all the folks who are encountering this problem.

-----Original Message-----
From: Jim Parker [mailto:[email protected]]
Sent: Thursday, May 30, 2002 5:06 AM
To: [email protected]
Subject: [FW-1] Syn for established connection

Hi everyone ! Just want to know does anyone encounter a "SYN packet for established connection" error in NG fp2? actually i read an article by David Grabowski- about what he learned in FW-1 state table..that an established TCP session will by default have a lifetime of 3600 sec. and every packet traverse will reset the timer..After the session will closed (via FIN or RSt packet) it enters a "half-closed" state..the lifetime is 50 sec. the problem is the Device im using uses a statically coded source port for its communication and there is no way we can reconfigure this. if a new syn connection is attemted and matches the established connection it is dropped by the FW-1. In version FW-1 4.1 this syn packet will be match against the rulebase..does anyone knows how to revert the behavior of NG to 4.1 on how it handles a syn connection or a workaround.

_____________________________________________________________
Where you'll find everything under the Sun for the Sun.......www.SunGuru.com

_____________________________________________________________
Promote your group and strengthen ties to your members with [email protected] by Everyone.net http://www.everyone.net/?btn=tag

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: Re: [FW-1] Client VPN on MAC OS
Next by Date: [FW-1] High Availability
Previous by thread: [FW-1] AW: [FW-1] Syn for established connection
Next by thread: Re: [FW-1] Anti Virus and URL filtering using the same U RI Resource?
Index(es):
- Date
- Thread