Re: [FW-1] AW: [FW-1] HTTP security server woes on NG... frustration level rising...

Hey Norbert,
        The box in question is a SunFire 280R w/ dual 900MHz UltraSPARC
III processors, 2GB of memory, dual 10K 36GB internal disks, and three
NICs.  One of the NICs plugs into (for all practical purposes) our
Internet router, and the other two plug into different internal
networks.  There is an identical box running in parallel, across which
connections are load balanced.  All of the load balancing is
handled by hardware devices, and thus we aren't running HA on either
firewall; they are acting as independent servers.  There are
approximately 3000 servers and 125,000 PCs on one of the internal
networks, and about 100 servers and 1000 users on the other internal
network.  We are trying to set up inbound URL filtering to stop certain
types of HTTP requests on the ingress.
        These two boxes are fresh builds with the latest Solaris 8 patch
cluster and all of the Sun and Checkpoint recommended tweaks applied.
We aren't ready to upgrade to FP2 yet, as it still needs to go through
our QA process to make sure the subtle new differences in the way it
makes NG work aren't going to break something that we're doing.
Unfortunately, that isn't an option for fixing the issue at this point.
I guess I was hoping that this was going to be an obvious clue as to
something that is wrong, and it would be an easy fix, but I suppose I
should have known better. =)
        Thanks for the info about the netso.ini file!  I'll take a look
through the User Authority PDF and see what I can turn up.  I'm
guessing, however, that this is just another one of those 'normal' error
messages that I'll receive if I don't have some feature enabled.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
[email protected]


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On
> Behalf Of Schaar, Norbert
> Sent: Friday, June 07, 2002 2:43 PM
> To: [email protected]
> Subject: [FW-1] AW: [FW-1] HTTP security server woes on NG...
> frustration level rising...
>
>
> Abe,
>
> Sometimes, the error messages being posted to the list are
> really hard to verify or only pop up under very
> specific conditions, and so nobody is able to bring up a
> solution as fast and easily as you perhaps expect. Well, the
> "bad socket/type" stuff is such a case. Probably, it's a good
> idea to not only provide your Solaris and FW-1 version but
> also the hardware you are running. This sometimes gives us a
> better chance to come up with an idea...
>
> However, I would at least apply the latest Sun patch cluster
> for Solaris 8 and upgrade to Feature Pack 2, as it fixes many
> bugs and slightly changes the way NG works. Take a look at
> the FP2 Release Notes to get an understanding of what was
> changed or enhanced by Check Point:
> http://www.checkpoint.com/support/downloads/docs/firewall1/ng/fp2/CPSuiteNG-FP2-RN.pdf
> There are also enhancements regarding the HTTP
> Security Server.
>
> At least with the last part of your e-mail I may help you
> out. The file /opt/CPfw1-50/conf/netso.ini has to do with the
> UserAuthority server in FW-1, which is used to authenticate
> and authorize network and web apps. The file (whose name I think
> is an abbreviation for network sign-on) carries some
> definitions for authentication properties regarding Windows
> domains (e.g. equality of authentication domains). Check out
> http://www.checkpoint.com/support/downloads/docs/firewall1/ng/fp2/UserAuthority.pdf
> for more information.
>
> Hope that helps a bit.
> Regards, Norbert
>
>
> -----Original Message-----
> From: Abe L. Getchell [mailto:[email protected]]
> Sent: Friday, 7 June 2002 19:11
> To: [email protected]
> Subject: [FW-1] HTTP security server woes on NG...
> frustration level rising...
>
>
> Greetings all,
>         I'm having an issue with the HTTP security server
> (trying to do some URL filtering) and I'm hoping someone has
> come up with a solution to this, 'cause I'm finding lots of
> people asking the question but no one offering a solution.
> I'm running FireWall-1 NG FP1 on Solaris 8 in 64-bit mode.
>         The original problem was that I was receiving a lot
> of "error in accept statement: Too many open files" errors in
> ahttpd.elg.  Searched on Google, came up with a fix (added
> "set rlim_fd_max=32768" and "set rlim_fd_cur=4096" in
> /etc/system - as well as a number of other tweaks I found in
> a performance tuning guide on Checkpoint's web site), and I'm
> no longer receiving that error message.  Instead, I'm now
> receiving an equally large number of the following:
>
> T_get_event: bad socket/type: 1075/0
> T_get_event: bad socket/type: 1076/0
> T_get_event: bad socket/type: 1076/0
> T_get_event: bad socket/type: 1077/1
> T_get_event: bad socket/type: 1077/1
> T_get_event: bad socket/type: 1078/1
> T_get_event: bad socket/type: 1078/1
> T_get_event: bad socket/type: 1079/0
> T_get_event: bad socket/type: 1079/0
> T_get_event: bad socket/type: 1080/0
> T_get_event: bad socket/type: 1080/0
> T_get_event: bad socket/type: 1081/0
> T_get_event: bad socket/type: 1081/0
> T_get_event: bad socket/type: 1082/0
> T_get_event: bad socket/type: 1082/0
>
>         Seems to be incrementing port numbers, but I'm not
> sure why it would be saying that it couldn't bind a socket to
> that port... if that indeed is what it's saying. =)  Anywho,
> has anyone run across this and come up with a fix?
>         I'm also receiving tons of "Cannot connect to
> WWW-server: Transport endpoint is not connected" errors in
> ahttpd.elg.  From what I can find after some searching, this is
> a "normal" error which could mean that a user
> might have hit "Cancel" while a page was loading or in some
> other way broke the connection.  Is this true?  If it is, how
> can I keep the log from being flooded with these?
>         Last but not least, I'm also receiving the following
> entries in ahttpd.elg:
>
> cpsc: Unable to find default lang tag
> Could not open file /opt/CPfw1-50/conf/netso.ini
>
>         Everything works fine regardless of these errors, but
> what is netso.ini and SHOULD it have been created somehow
> during the installation or configuration of the firewall?
>
> Thanks,
> Abe
>
> --
> Abe L. Getchell
> Security Engineer
> [email protected]
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
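An added example, not part of the thread: a small sh/awk triage of an ahttpd.elg-style log that counts each error class quoted above and the number of distinct sockets in the "T_get_event" lines, so a flood of "normal" client disconnects can be told apart from descriptor or configuration problems before anyone starts tuning /etc/system. The sample lines are constructed from the message formats in the thread and the class labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage an ahttpd.elg-style log by
# error class. Class labels are my own; sample lines are constructed.

# Constructed sample in the message formats quoted in the thread (not a capture).
SAMPLE_ELG='error in accept statement: Too many open files
T_get_event: bad socket/type: 1075/0
T_get_event: bad socket/type: 1076/0
T_get_event: bad socket/type: 1076/0
T_get_event: bad socket/type: 1077/1
Cannot connect to WWW-server: Transport endpoint is not connected
Cannot connect to WWW-server: Transport endpoint is not connected
Cannot connect to WWW-server: Transport endpoint is not connected
cpsc: Unable to find default lang tag
Could not open file /opt/CPfw1-50/conf/netso.ini
some unrelated line'

# write_sample FILE: materialise the constructed sample so the functions can
# be run against a path, exactly as they would be against the real log.
write_sample() { printf '%s\n' "$SAMPLE_ELG" > "$1"; }

# summarize_elg FILE: print "count<TAB>class", most frequent class first.
summarize_elg() {
  awk '
    /error in accept statement: Too many open files/ { c["accept: too many open files"]++; next }
    /^T_get_event: bad socket\/type:/ { c["T_get_event: bad socket/type"]++; next }
    /Cannot connect to WWW-server: Transport endpoint is not connected/ { c["WWW-server: endpoint not connected"]++; next }
    /Could not open file .*netso\.ini/ { c["netso.ini missing"]++; next }
    /cpsc: Unable to find default lang tag/ { c["cpsc: default lang tag"]++; next }
    { c["other"]++ }
    END { for (k in c) printf "%d\t%s\n", c[k], k }
  ' "$1" | sort -rn
}

# count_for FILE CLASS: count for one class (0 if absent), usable for thresholds.
count_for() {
  summarize_elg "$1" | awk -v k="$2" 'BEGIN { FS = "\t" } $2 == k { print $1; found = 1 } END { if (!found) print 0 }'
}

# tgetevent_sockets FILE: distinct socket numbers in T_get_event lines. A run of
# distinct, increasing numbers (as in the thread) means descriptors are churning.
tgetevent_sockets() {
  awk '/^T_get_event: bad socket\/type:/ { split($NF, a, "/"); print a[1] }' "$1" | sort -un | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
tmp="${TMPDIR:-/tmp}/ahttpd-sample.$$"
write_sample "$tmp"
summarize_elg "$tmp"
echo "distinct T_get_event sockets: $(tgetevent_sockets "$tmp")"
rm -f "$tmp"
```

Point the functions at the real ahttpd.elg path instead of the sample to get the same breakdown for a live gateway.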