Re: [FW-1] NG AI Problem
Hi Kari,

you are in luck: yesterday I got the solution from Checkpoint and it works for me:

====
The checking for the connect command can be disabled by the following
property: asm_http_allow_connect. I have provided the fix on all OS for your
reference.

Here are instructions on how to change the asm_http_allow_connect global
kernel parameter from OS to OS:

For Solaris environment:
========================
Edit /etc/system file and add the following line at the bottom:

set fw:asm_http_allow_connect = 1

For Windows environment:
========================
1. Open the registry by running regedit from the command line.
2. Go to HKLM\System\CurrentControlSet\Services\FW1\parameters
3. Add a new key called "Globals"
4. Under the Globals key add a DWORD parameter called
   "asm_http_allow_connect" and set its value to 1.
5. Close the registry

For Linux and SecurePlatform environment:
=========================================
Edit the $FWDIR/boot/modules/fwkern.conf file.
Add the 'asm_http_allow_connect' parameter with the value 1.

For IPSO environment:
=====================
Use the 'modzap' debugger to modify the 'asm_http_allow_connect' kernel
parameter as follows:

# modzap _asm_http_allow_connect $FWDIR/boot/modules/fwmod.o 1

For a temporary change (will not survive a reboot)
==================================================
Use the following FireWall-1 kernel command to change a kernel variable
temporarily, until the next reboot:

# fw ctl set int asm_http_allow_connect 1

To verify the parameter value, issue:

# fw ctl get int asm_http_allow_connect

To clear this change simply reboot the box and push the policy.

Please implement the solution above and then test the proxy traffic.
====

best regards
fitz

>Hi
>You wrote to firewall mailinglist about problem with "CONNECT command
>found in http request" error message.
>Have you found a solution to this problem (I have the same problem and
>Smartdefense settings don't seem to have any effect on this..)
>Best regards
>Kari Salmela
>Nordic LAN&WAN Communication Oy
>Espoo, Finland

----- Original Message -----
From: "t-systems-fitz" <[email protected]>
To: "Checkpoint" <[email protected]>
Sent: Tuesday, July 15, 2003 5:35 PM
Subject: RE: [FW-1] NG AI Problem

> Hi,
>
> I already did it without success.
>
> best regards
>
> -----Original Message-----
> From: Reinhard Stich [mailto:[email protected]]
> Sent: Tuesday, July 15, 2003 5:22 PM
> To: [email protected]
> Subject: Re: [FW-1] NG AI Problem
>
> hi,
> check smart-defense settings for http and disable them.
> cheers
> reinhard
> At 17:13 15.07.2003 +0200, you wrote:
> >Hello guys,
> >
> >after upgrading from "NG FP3" to "NG AI" I cannot access an https-Site
> >over a proxychain. Here is the scenario:
> >
> >
> >Client ------> SQUID1 -------> CP NG AI -------> SQUID2 --------> SSL-Webserver
> >
> >
> >SQUID1 (Proxyserver) communicates over Port 80 with SQUID2 and I cannot
> >change this Port, because I don't administrate SQUID2. HTTP-Connections
> >work fine, but if the client wants to connect to a Webserver with HTTPS,
> >Firewall1 drops the connection with:
> >
> >CONNECT command found in http request
> >
> >It seems that Firewall1 with AI checks the http-protocol for
> >connect-commands and that is true for untunneled connection, but for
> >tunneled connections is a CONNECT method in the request.
> >
> >So how can I disable this checking for tunneled connections without
> >changing the port ????
> >
> >BTW: I also tried to change the service in the rulebase to TCP Port 80
> >without TYPE HTTP, but no success
> >
> >
> >best regards ztif
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================
> --
> Reinhard Stich, ASSIST [email protected]
> Internet Security AG, 1190 Wien, Nussdorfer Laende 29-33
> Tel: +43 1 370 94 40 RS784-RIPE Fax: +43 1 370 94 40-10
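
An added example, not part of the original thread and not Check Point tooling: a POSIX shell audit that reports whether the asm_http_allow_connect override from the message above has been made persistent on a Solaris or Linux/SecurePlatform gateway. The function names are hypothetical and the name=value syntax for fwkern.conf is an assumption; the /etc/system line is the one quoted in the post.

```shell
#!/bin/sh
# Added example: audit for a persistent asm_http_allow_connect override.
# Function names are hypothetical. File formats:
#   system : "set fw:asm_http_allow_connect = 1"  (line quoted in the post)
#   fwkern : "asm_http_allow_connect=1"           (assumed name=value syntax)

# param_value FILE FORMAT -> prints the last uncommented value, or nothing.
param_value() {
    file=$1
    case $2 in
        system) prefix='set[[:space:]]\{1,\}fw:' ;;  # '*' comment lines never match
        fwkern) prefix='' ;;                          # '#' comment lines never match
        *) return 2 ;;
    esac
    [ -r "$file" ] || return 0
    sed -n "s/^[[:space:]]*${prefix}asm_http_allow_connect[[:space:]]*=[[:space:]]*\([0-9a-fA-FxX]\{1,\}\).*/\1/p" "$file" | tail -n 1
}

# audit_connect_override FILE FORMAT -> prints a verdict; returns 1 when the
# CONNECT check is persistently disabled (non-zero value), 0 otherwise.
audit_connect_override() {
    value=$(param_value "$1" "$2")
    case $value in
        ''|0|0x0) echo "OK: CONNECT check not overridden in $1"; return 0 ;;
        *) echo "FINDING: asm_http_allow_connect=$value in $1"; return 1 ;;
    esac
}

# Constructed sample input so the block runs offline; on a gateway, pass
# /etc/system or "$FWDIR/boot/modules/fwkern.conf" instead.
demo=$(mktemp)
printf '%s\n' '* constructed sample file' 'set fw:asm_http_allow_connect = 1' > "$demo"
audit_connect_override "$demo" system || true
rm -f "$demo"
```

For the value in the running kernel, the post's `fw ctl get int asm_http_allow_connect` is the check; the Windows registry and IPSO modzap variants are not covered by this script.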