RE: [FW1] FW-1 SP2 (reloading policy and connection table)
Rajeev,

In FW-1 4.0, a reload of the security policy doesn't clear connections. In a lab environment I reloaded the security policy during an FTP download and there weren't any interruptions... But I do not know about ver 4.1.

regards
baskar

-----Original Message-----
From: Rajeev Kumar [mailto:[email protected]]
Sent: Thursday, September 14, 2000 10:59 AM
To: Firewall-1 Maillist
Subject: [FW1] FW-1 SP2 (reloading policy and connection table)

Hello All,

As many of you have migrated to FW-1 SP2, correct me if I am wrong here.

-> Whenever you run fwstop;fwstart, FW-1 flushes its connection table, and as a default behavior it won't allow established connections anymore (since they are sending NON-SYN packets after the FW-1 restart). And you will see lots of "Unknown established TCP packets".

RESULT: You will lose all valid connections (telnet, ftp, rlogin, any client/server application based on TCP/IP) after the FW-1 restart process.

-> The same thing happens even if you try to reload the security policy from the management GUI. It also flushes the connection table and you lose all established connections.

So what that means is, I cannot modify/reload the security policy during the daytime, as I know lots of users will scream at me. If you have a multi-site setup spread all over the globe, then users are busy round-the-clock and again I cannot reload the policy without hurting users.

IS THERE ANY EASY SOLUTION TO THIS in FW-1 SP2? (I want to keep this feature of rejecting "Unknown TCP Packets" (if they are really unknown) but also do not want to lose my valid established connections.)

Yes! I want to have my own cake and eat it too!!

Thanks!!
Rajeev

--
********************************************************************
Rajeev Kumar ([email protected])
http://www.rajeevnet.com
********************************************************************

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================