
Re: [FW-1] installing new policy without losing connections



From the knowledge base...

Haven't tried it yet because I was not 100% sure I was losing connections...
Also wary about changing the way non-TCP-SYN packets are handled.

Hope it helps.

_________________________________________________

When a new Security Policy is installed, the connections table is
cleared. Established connections are then moved to the old connections
table for the remainder of their TCP timeout. When this timeout reaches
its end, packets arriving at the VPN-1/FireWall-1 Modules that are not
from an established connection entry in either of the tables are
dropped. In other words, only TCP SYN (TCP connection initiation)
packets and connections present in the old connections table are
allowed to be matched to the Rule Base. Non-SYN packets that do not
belong to any known connection are dropped.

Fix
1. Close all VPN-1/FireWall-1 GUI clients.

2. Edit the $FWDIR/conf/objects.C file on the management module (Use
a simple text editor such as Notepad/Wordpad. Do not use a Word
processor). See also How to edit the objects.C file.

3. Under the :props section of $FWDIR/conf/objects.C, add the following
line:
:tcpestb_grace_period (XX)

All non-TCP-SYN packets that are not part of an established connection
in either table will be matched against the Rule Base for XX seconds
after a Security Policy installation.

4. Save the changes to the objects.C file

5. Reinstall the security policy

6. For properties that involve the security servers, VPN-1/FireWall-1
must be restarted.

________________________________________________________________

-----Original Message-----
From: Anuska Aragón Fernández [mailto:[email protected]]
Sent: Wednesday, September 11, 2002 7:40 PM
To: [email protected]
Subject: [FW-1] installing new policy without losing connections


Hi all,
Is there any way of installing a new policy without losing all the
connections?

Greetings,

--
A n u s k a     A r a g ó n
Servicio Informático              e-mail: [email protected]
Universidad de La Rioja           Tel.:   +34 941 299233
Av. de La Paz 93, 26004 Logroño   Fax:    +34 941 299180

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


**********************************************************************

CONFIDENTIAL COMMUNICATION
This e-mail and any files transmitted with it is intended solely for the use of the
individual or entity to whom it is addressed. If you are not the intended recipient,
or the person responsible for delivering the e-mail to the intended recipient, please
immediately notify the sender by e-mail and delete the original transmission and its
contents. Any use, dissemination, forwarding, printing, or copying of this e-mail and
any file attachments is prohibited.

**********************************************************************
