Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] 4.1 SP2 and ALLOW_NON_SYN_RULEBASE_MATCH

To: Tom Sevy <[email protected]>
Subject: Re: [FW1] 4.1 SP2 and ALLOW_NON_SYN_RULEBASE_MATCH
From: [email protected]
Date: Thu, 26 Oct 2000 11:21:26 -0600
Cc: [email protected]
Sender: [email protected]


http://www.phoneboy.com/fw1/faq/0408.html
I left mine in, on the reasoning that 'they put it in there for a reason'
and if you read the release notes it covers it very well.
If you have a lot of these I suggest you look elsewhere for the cause (sync
- network - switches - etc.)
Don't forget that the connection will be re-transmitted and the user should
see no problem.
Paul
--------------------------------------------------------------------------------------------

C. Paul Simons
Corporate Network Services
IHS Energy Group, Englewood, CO.

Main:Direct:Fax:Mobile:Tom Sevy <[email protected]>                                                                                           
                    Sent by:                                    To:     "Check Point FW List (E-mail)"                                 
                    [email protected]        <[email protected]>                      
                    kpoint.com                                  cc:                                                                    
                                                                Subject:     [FW1] 4.1 SP2 and ALLOW_NON_SYN_RULEBASE_MATCH            
                                                                                                                                       
                    26-10-00 09:59                                                                                                     
                                                                                                                                       
                                                                                                                                       




After upgrading two IP440's to 4.1 SP2, we starting seeing lots of drops on
rule 0 with reason: unknown established TCP packet

I uncommented the #define ALLOW_NON_SYN_RULEBASE_MATCH statement in
lib/fwui_head.def and pushed the policy out.  Cleared up the problem right
away.

Comment:  This was disrupting communication from our Internal zone into the
DMZ zone.  Critical.  Can't tolerate this.

Questions:

1) How great is the danger of leaving this non-match in effect?
2) Wouldn't this create more problems if one of the Nokias fails over to
the
other?  Seems there would be a painful period of re-establishing all TCP
connections, and again when failing back to primary Nokia.






================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================







================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] How to eliminate the dns time-out for slow telnet conne ction?
Next by Date: Re: [FW1] Strange warning message
Previous by thread: [FW1] 4.1 SP2 and ALLOW_NON_SYN_RULEBASE_MATCH
Next by thread: [FW1] Strange warning message
Index(es):
- Date
- Thread