Re: [FW-1] Problem with Checkpoint NG FP3HF1 and certain WebSites

["Steven J. Surdock, PE" <ssurdock@FW1-NOSPAMENGINEERED-NET.COM>]

I had problems with several sites under FP2 and FP3.  The following changes
appeared to have fixed the problems:

1) Use dbedit to modify the following parameters:
:http_connection_method_transparent (true)
:http_connection_method_proxy (true)
:http_connection_method_tunneling (true)
:http_max_header_length (8492)
:http_max_url_length (8492)
:http_allow_ranges (true)
:http_cvp_allow_chunked (true)
:http_allow_double_slash (true)
:http_check_request_validity (false)
:http_check_response_validity (false)
:http_allow_content_disposition (true)
:http_enable_uri_queries (false)
:http_disable_content_type (true)
:http_disable_content_enc (true)

2) cpstop

3) Edit /conf/fwauthd.conf on the management module and add
443 fwssd in.ahttpd wait 0

4) cpstart

5) Edit the HTTPS service in the GUI and under the advanced button make the
service HTTP.  I also made mine available for TCP resources which is another

check box on the same advanced tab.

6) Make one rule for HTTPS traffic
localusers@localnet -> any -> HTTPS -> user auth (set to all servers)

7) Make one rule for other authed traffic such as HTTP and FTP
localusers@localnet -> any -> Authenticated Group -> user auth (set to all
servers)

8) Set the browser proxy to be the internal interface of the FW-1 gateway
port 80 for all services


-Steve S.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to LISTSERV@lists.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================