Re: [FW-1] FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)
delete from mailing list

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Automatic digest processor
Sent: Sunday, October 28, 2001 1:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)

There are 15 messages totalling 1437 lines in this issue.

Topics of the day:

  1. R: [FW-1] Novice with log viewing
  2. Ian Hogg2/UK/IBM is out of the office.
  3. Solaris 8 with checkpoint one 4.1.2
  4. Nokia IP330 Configuration questions
  5. Time change and FW1
  6. NAT and Lost Connections
  7. Help configuring FTP PAssive mode
  8. [vpn] RE: [FW-1] VPN with OSPF for Failover (2)
  9. messages : /bootpd: Error 0 - in Log
 10. Log entries
 11. [FW1] FW1 error message
 12. Webmail Sites
 13. Problem when rebooting LAN clients
 14. <No subject given>

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

----------------------------------------------------------------------

Date: Sat, 27 Oct 2001 09:53:28 +0200
From: Francesco Luconi <[email protected]>
Subject: R: [FW-1] Novice with log viewing

Maybe just a problem of conversion? Did you check the ASCII/BIN status? I suggest in any case to zip/gzip the file and then FTP them in binary mode.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of A/I Roberto A. Carriquiry
Sent: Friday, 26 October 2001 15:01
To: [email protected]
Subject: [FW-1] Novice with log viewing

I am sorry to ask such a novice-like question, but it would be of much help if someone can answer me. I am using a Nokia 330 firewall with IPSO. In order to FTP out the log files weekly I made a small script that does the fw logswitch and the upload of the log files to an FTP server.
The problem comes when I try to view the logs I backed up. I do the FTP in the other direction (I mean into the IPSO) and try to view those files with the GUI, but it rejects them, saying that the files are not valid log files. Am I doing something wrong? Is there another way to consult the log files without restoring them into the IPSO again?

Many thanks.

Roberto

------------------------------

Date: Sat, 27 Oct 2001 08:53:28 +0100
From: Ian Hogg2 <[email protected]>
Subject: Ian Hogg2/UK/IBM is out of the office.

I will be out of the office starting October 26, 2001 and will not return until November 5, 2001.

------------------------------

Date: Sat, 27 Oct 2001 12:19:34 +0200
From: Nico De Ranter <[email protected]>
Subject: Re: Solaris 8 with checkpoint one 4.1.2

You'll need SP4(?) or SP5 to run FW-1 on Solaris 8 (32-bit only!!!). However, you can't install SP4/5 without FW-1, so here is the trick: edit the "InstallU" installation script. Uncomment the section that checks the Solaris version:

    [...snip...]
    OS_TYPE=`uname`
    #if [ "$OS_TYPE" = 'SunOS' ] ; then
        OS_REV=`uname -r`
    #    if [ $OS_REV = '5.8' ] ; then
    #        clear
    #        echo "WARNING:"
    #        echo "Solaris 2.8 is not supported by Check Point 2000, Service Pack 2."
    #        exit 1
    #    fi
        OS_TYPE=`uname -p`
    #fi
    [...snip...]

Now you should be able to install FW-1. Make sure to upgrade IMMEDIATELY to SP4 or SP5.

Note/disclaimer: I only tested this with the management console! Since the firewall module will probably make changes to the kernel, I'm not sure what will happen. So make sure not to start the firewall or reboot the machine before you have upgraded to SP4 or SP5!!!!

Nico

PS: to check whether you are running Solaris 8 in 32 or 64 bit: isainfo -b

On Fri, Oct 26, 2001 at 05:50:38PM -0200, Medeiros, Claudio wrote:
> Hi !
>
> Is anyone running Solaris 8 with Checkpoint1 4.1.2??? Has anyone
> implemented this solution?
>
> Because I had the following problems when installing Checkpoint 4.1.2:
> Warning: Solaris 2.8 is not supported by check point 2000, service pack 2.
>
> Then I tried to install checkpoint1 4.1.1 and had the following msg:
> DEVFSADM: Device successfully created but failed to attach: Installation
> aborted.
>
> Next step is to try to install NG.
>
> I appreciate any feedback.
>
> Claudio

---------------------------------------------------------
"It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [email protected]

------------------------------

Date: Sat, 27 Oct 2001 11:14:53 +0100
From: "Tim Holman (home)" <[email protected]>
Subject: Re: Nokia IP330 Configuration questions

Drivers are included in the supported version of IPSO for this device, so the 330 will pick it up straight away and let you configure it via Voyager. You may want to consult the owner of the other end of your T1 connection to make sure all the settings are compatible. Check with Nokia that you have the right version of IPSO. If you've got to upgrade from 3.2.1, then remember you have to upgrade the boot manager separately, otherwise your box won't come back up...
:)

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Kelly, Patrick
Sent: 26 October 2001 20:32
To: [email protected]
Subject: [FW-1] Nokia IP330 Configuration questions

I am looking at the Nokia IP330. I have ordered the T1/E1 WAN card and have questions about deployment. Is the documentation shipping with the device adequate to install and configure this card component? If my company wants to upgrade the T1 circuit from 1.5 M to 3.0 M, will this card handle that?

Thanks for your time.

Patrick Kelly

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by Dimension Data mail system for the presence of computer viruses.
www.uk.didata.com
**********************************************************************

------------------------------

Date: Sat, 27 Oct 2001 11:14:59 +0100
From: "Tim Holman (home)" <[email protected]>
Subject: Re: Time change and FW1

As long as all VPN and trusted firewall modules all go back 1 hour as well, then no....

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Ed Davidson
Sent: 26 October 2001 19:09
To: [email protected]
Subject: [FW-1] Time change and FW1

Any issues with the time change going back 1 hour this weekend?
(I am aware it doesn't affect all of us.)

This will be my first time doing this w/FW1.

Anything I should be aware of in the log files?

What about my Checkpoint DNS servers? Anything funny happen with them when the time changes?

Thanks!

TruckingJobs
http://www.primeinc.com
**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please reply to the sender of the message. The views expressed in this correspondence may not reflect the views of Prime, Inc. This footnote also confirms that this email message has been scanned for the presence of computer viruses.
***********************************************************************
------------------------------

Date: Sat, 27 Oct 2001 11:14:47 +0100
From: "Tim Holman (home)" <[email protected]>
Subject: Re: NAT and Lost Connections

Web requests will go via the secure web server component of Check Point, and in effect are proxied. Check Point's proxy does not fully support all kinds of web traffic, especially XML, DHTML and WebDAV components, so I'd check what your remote user is trying to do here. If Check Point doesn't understand or support something, it will show the connection as accepted, but then the proxy component will drop it without any warning whatsoever!

Tim

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Rob Michayluk
Sent: 26 October 2001 19:17
To: [email protected]
Subject: [FW-1] NAT and Lost Connections

Hello,

I am running Checkpoint 4.1 SP4 on Windows NT 4.0 SP6. I have a webserver in a DMZ that has its address translated at the firewall.
The NAT is static; there is a route on the firewall and an entry in the local.arp file for the webserver, such that the firewall listens on the legal address and routes traffic for the legal address back to the illegal address in the DMZ. In fact, everything works as it should most of the time. The problem is that sometimes a host on the internet will attempt to connect to the webserver and it gets a connection timeout error. For the failed connection, I see a connection attempt made on the firewall and the connection is accepted, but there is no corresponding entry on the webserver. I am trying to narrow the field of investigation and I was wondering if anyone has seen this behaviour with FW-1 before.

Any information would be helpful.
Thanks!

Rob Michayluk
Computer Network Services Analyst
ACD Systems Ltd.
The Digital Imaging Company
[email protected]
www.ACDSYSTEMS.com
------------------------------

Date: Sat, 27 Oct 2001 11:14:37 +0100
From: "Tim Holman (home)" <[email protected]>
Subject: Re: Help configuring FTP PAssive mode

Before trying to do all this 'manually', try selecting the accept FTP PASV connections tick box in policy properties.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of RBHATIA
Sent: 26 October 2001 23:35
To: [email protected]
Subject: [FW-1] Help configuring FTP PAssive mode

I have FTP active mode enabled on my firewall. Due to port failure errors I need to switch over to FTP PASSIVE transfer mode. I need help configuring FTP Passive mode. I've looked all over the Phoneboy.com site but came across pages concerning the difference between Active and Passive mode but nothing about actually enabling Passive mode FTP.

I already have the FTP control port (21) open both coming in and going out of my FTP server. I'm wondering about the data connection port.

Do I need to remove the FTP data service (20) that was originally configured for Active FTP transfers?

In the list of services, I see a service called FTP-PASV. Do I have to allow this service both coming into my FTP server and going out of my FTP server?

i.e. should my rulebase look like this?
  Source      Destination   Service       Action
  FTPserver   Any           FTP-Passive   Allow
  Any         FTPserver     FTP-Passive   Allow

In Policy - Properties - Services tab, I have the Enable FTP_PORT Data Connections and Enable FTP_PASV Data Connections options already checked.

Please advise.

Thanks.

RB
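RBHATIA's rulebase question above is really about how the data connection gets through, and Tim's answer points at the FTP PASV property. With that property on, the firewall's FTP handler reads the control channel and opens exactly the data connection it announces, so the rulebase only has to allow port 21 to the server. The block below is an added example, not code from the thread or from Check Point: it replays a constructed control-channel transcript and derives the data connection for both PORT (active) and 227/PASV (passive), applying the two checks a firewall makes before opening it, namely that the advertised address is the peer that sent it (the FTP bounce check) and that the port is unprivileged. The addresses and the transcript are constructed.

```python
"""Derive FTP data connections from the control channel, the way a stateful
firewall's FTP handler does.  Added example with a constructed transcript."""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Turn 'h1,h2,h3,h4,p1,p2' (RFC 959) into ('h1.h2.h3.h4', p1*256+p2)."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def data_connection(client_ip, server_ip, line):
    """Return the data connection one control-channel line implies, or None.

    client_ip/server_ip are the control connection's endpoints.  The address
    advertised in PORT or in the 227 reply must belong to the peer that sent
    it (bounce check) and the port must be unprivileged; otherwise raise."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        # active mode: the server connects from port 20 back to the client
        mode, advertiser = "active", client_ip
        initiator, target, src_port = server_ip, client_ip, 20
    elif line.startswith("227 "):
        # passive mode: the client connects out to the port the server chose
        mode, advertiser = "passive", server_ip
        initiator, target, src_port = client_ip, server_ip, None
    else:
        return None                      # not a data-connection announcement
    ip, port = decode_hostport(line)
    if ip != advertiser:
        raise ValueError("%s advertised %s but came from %s (bounce attempt?)"
                         % (mode, ip, advertiser))
    if port < 1024:
        raise ValueError("%s data port %d is privileged" % (mode, port))
    return {"mode": mode, "initiator": initiator, "src_port": src_port,
            "target": target, "dst_port": port}


def walk(transcript, client_ip, server_ip):
    """Replay a control-channel transcript; one verdict per announced data connection."""
    verdicts = []
    for line in transcript:
        try:
            conn = data_connection(client_ip, server_ip, line)
        except ValueError as exc:
            verdicts.append(("REJECT", str(exc)))
            continue
        if conn is not None:
            verdicts.append(("ALLOW", conn))
    return verdicts


# Constructed transcript: client 192.0.2.10 talking to server 198.51.100.5.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
TRANSCRIPT = [
    "220 ftp ready",
    "USER anonymous", "331 send password", "PASS guest@", "230 logged in",
    "PORT 192,0,2,10,4,1",                                # active: client listens on 1025
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,195,80).",   # passive: server listens on 50000
    "PORT 10,0,0,1,4,1",                                  # bounce: third-party address
    "PORT 192,0,2,10,0,21",                               # privileged data port
]

if __name__ == "__main__":
    for verdict in walk(TRANSCRIPT, CLIENT, SERVER):
        print(*verdict)
```

The two ALLOW verdicts are the only holes the firewall has to punch, and both are derived per session rather than configured: in active mode the server initiates from port 20 to the client's announced port, in passive mode the client initiates to the port in the 227 reply. That is why no FTP-PASV rule for the data side is needed once the property is on, and why a firewall that did not check the advertised address could be used to connect to third parties.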
------------------------------

Date: Sat, 27 Oct 2001 11:14:30 +0100
From: "Tim Holman (home)" <[email protected]>
Subject: Re: [vpn] RE: [FW-1] VPN with OSPF for Failover

What's he doing considering firewall technology if all he needs is an overlying VPN mesh? As long as each node does not require local internet breakout, then they don't need any firewalls. VPN-only hardware is far cheaper than anything with the word firewall in it! I always thought you could buy an add-on OSPF license for Nokia boxes? After all, there is a menu option for it under Voyager!

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Cardona, Alberto
Sent: 26 October 2001 18:13
To: [email protected]
Subject: Re: [FW-1] [vpn] RE: [FW-1] VPN with OSPF for Failover

As for security involving protecting the VPN appliance: is it safe to assume the firewall capabilities of the Cisco router add-on firewall package (CBAC) are equivalent to Check Point FW-1? We are now comparing firewall to firewall. If they are comparable, then I should be able to replace my Check Point firewall with a Cisco router using its firewall add-on package.

One more thing involving multicast. Does the IP stack of a Nokia or Cisco support IP multicast protected by IPSec? I read a document regarding this proposal. It was called "An IPSec-based Host Architecture for Secure Internet Multicast". I guess it is similar to IAB SMuG.
Regards,

AC

-----Original Message-----
From: Stephen Hope [mailto:[email protected]]
Sent: Friday, October 26, 2001 4:10 AM
To: 'Cardona, Alberto'; 'Chris Arnold'; '[email protected] '; [email protected]
Subject: RE: [vpn] RE: [FW-1] VPN with OSPF for Failover

Alberto,

I work as a designer/consultant for a UK reseller of both Cisco and Nokia, so I have some bias for this type of project.

1 point: the Nokia running Check Point does support OSPF.

Your friend may be able to extend his VPN to the new site, then interconnect at the 2 hub points and exchange OSPF routes with the Cisco system. If nothing else this should reduce capital cost and project complexity, although I think your "all Cisco" design could be cheaper in year-on-year support charges.

However, the critical bit with a hybrid system is what happens under fault conditions. The Check Point topology you describe probably doesn't react effectively to system faults; your description implies there isn't any resilience at the moment, whereas a dual-centred star type topology can survive a hub site failure. If you can make the Nokia system reroute around a fault (the major fault to worry about is failure of a hub site), then the existing VPN will interwork OK; if you can't resolve that issue then replacement may be the only option.

Standing back from this I have 2 comments:

1. If voice transport is an issue, then the requirement MUST be written down in the project scope for this migration; your friend should be giving input to that process. Hopefully, if it isn't, there is some broad comment somewhere about "maintain existing services and performance".

2. This is a classic example of a project which needs to be modelled on a bench before anyone tinkers with the real network. You are not going to get clear, unambiguous, known solutions to this unless you "kick the tires" before you start.
It is possible that the proposal for Cisco replacement is there to give either a worst-case cost model, or a system design which reduces skills, support costs and so on. If you don't know what is important in setting the project up, and make sure existing requirements are taken into account, then this migration is going to be difficult.

Finally, check to see if existing uses have been taken into account. Nokia is often used as a remote access gateway, and a change to Cisco may involve reworking every RAS client to go from the Check Point VPN client to Cisco......

Regards

Stephen

Stephen Hope C. Eng, Network Consultant, [email protected], Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0) Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Cardona, Alberto [mailto:[email protected]]
> Sent: 25 October 2001 16:55
> To: 'Chris Arnold'; '[email protected] '; [email protected]
> Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover
>
> What I want to do is for my friend's remote VPN sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a full-blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP through his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on Ciscos.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit).
> Now they want to implement a secondary location (Houston) which has an
> internet connection and a frame connection back into the headquarters
> (Detroit).
> They want this secondary location (Houston) to be a backup in case his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check Point
> solution won't work with the failover design because IPsec can't handle
> multicast/broadcast traffic (e.g. OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco router based VPN design.
> Cisco 1750s for remote sites and 7140s for each hub.
> Each router, both remote site and hub, will have Cisco's firewall/IDS package
> and encryption module.
> The Cisco VPN tunnels are going to be using GRE encapsulation for the OSPF.
> In case of a failover to the secondary HUB, OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke.
>
> His problem with this HUB and SPOKE design is this.
>
> 1). He is afraid because this design relies on a 1-tier security design.
> The Cisco routers will be handling the VPN, routing protocols, firewall,
> and IDS on each router.
> His current design is 2-tier:
> Cisco for the internet router and Nokia/Check Point for VPN/firewall.
>
> 2). He thinks his Voice over IP will fail between remote sites because the
> MESH will be gone.
>
> 3). The performance of the Ciscos. Would they be able to handle the load,
> since they will be doing everything (VPN, routing, and IDS)?
>
> Has anyone implemented this solution?
>
> AC
>
> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Wednesday, October 24, 2001 10:12 PM
> To: 'Cardona, Alberto '; '[email protected] '
> Subject: RE: [FW-1] VPN with OSPF
>
> That depends on what you mean by "running site to site IPsec VPNs and using
> OSPF."
Do you mean tunneling OSPF through an IPSec tunnel > for some reason > or using OSPF to route traffic to available VPN endpoints before going > through a tunnel or on your edge routers once your VPN > traffic has been > encapsulated? > > Chris > > -----Original Message----- > From: Cardona, Alberto > To: [email protected] > Sent: 10/24/01 4:16 PM > Subject: [FW-1] VPN with OSPF > > Is anyone running site to site IPsec VPNs and using OSPF? > If so did you have to implement GRE? > > > Thanks > > > AC > > =============================================== > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > =============================================== > > VPN is sponsored by SecurityFocus.com > =============================================== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html =============================================== ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by Dimension Data mail system for the presence of computer viruses. www.uk.didata.com ********************************************************************** ------------------------------ Date: Sat, 27 Oct 2001 14:06:10 UTC From: Juan Concepcion <[email protected]> Subject: Re: [vpn] RE: [FW-1] VPN with OSPF for Failover You don't need to buy an add on license to enable any of the Configurations for OSPF, you simply have to activate it. On Sat, 27 Oct 2001 11:14:30 +0100, Stephen Hope [mailto:[email protected]] wrote: >What's he doing considering firewall technology if all he needs is an >overlying VPN mesh ? 
>As long as each node does not require local internet breakout, then they
>don't need any firewalls.
>VPN-only hardware is far cheaper than anything with the word firewall in it
>!
>I always thought you could buy an add on OSPF license for Nokia boxes ?
>After all, there is a menu option for it under Voyager !
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of Cardona, Alberto
>Sent: 26 October 2001 18:13
>To: [email protected]
>Subject: Re: [FW-1] [vpn] RE: [FW-1] VPN with OSPF for Failover
>
>As for security involving protecting the VPN appliance.
>Is it safe to assume the Firewall capabilities of the Cisco Router add-on
>Firewall package (CBAC) are equivalent to Check Point FW-1? We are now
>comparing Firewall to Firewall.
>If they are comparable, then I should be able to replace my Check Point
>firewall with a Cisco Router using its firewall add-on package.
>
>One more thing involving Multicast.
>Does the IP stack of a Nokia or Cisco support ip-multicast protected by
>IPSec?
>I read a document regarding this proposal.
>It was called "An IPSec-based Host Architecture for Secure Internet
>Multicast"
>I guess it is similar to IAB SMuG.
>
>Regards,
>
>AC
>
>-----Original Message-----
>From: Stephen Hope [mailto:[email protected]]
>Sent: Friday, October 26, 2001 4:10 AM
>To: 'Cardona, Alberto'; 'Chris Arnold'; '[email protected] ';
>[email protected]
>Subject: RE: [vpn] RE: [FW-1] VPN with OSPF for Failover
>
>Alberto,
>
>i work as a designer / consultant for a UK reseller of both cisco and nokia
>- so i have some bias for this type of project.
>
>1 point - the Nokia running checkpoint does support OSPF.
>
>your friend may be able to extend his VPN to the new site, then interconnect
>at the 2 hub point and exchange OSPF routes with the cisco system.
>
>If nothing else this should reduce capital cost and project complexity,
>although i think your "all cisco" design could be cheaper in year on year
>support charges.
>
>However, the critical bit with a hybrid system is what happens under fault
>conditions - the checkpoint topology you describe probably doesn't react
>effectively to system faults - your description implies there isn't any
>resilience at the moment, whereas a dual centred star type topology can
>survive a hub site failure.
>
>If you can make the nokia system reroute around a fault (the major fault to
>worry about is failure of a hub site), then the existing VPN will interwork
>OK - if you can't resolve that issue then replacement may be the only option.
>
>standing back from this i have 2 comments:
>
>1. If voice transport is an issue, then the requirement MUST be written
>down in the project scope for this migration - your friend should be giving
>input to that process. Hopefully, if it isn't, there is some broad comment
>somewhere about "maintain existing services and performance"
>
>2. This is a classic example of a project which needs to be modelled on
>a bench before anyone tinkers with the real network - you are not going to
>get clear unambiguous known solutions to this unless you "kick the tires"
>before you start.
>
>It is possible that the proposal for cisco replacement is there to give
>either a worst case cost model, or a system design which reduces skills,
>support costs and so on - if you don't know what is important in setting the
>project up, and make sure existing requirements are taken into account, then
>this migration is going to be difficult.
>
>Finally, check to see if existing uses have been taken into account - Nokia
>is often used as a remote access gateway, and a change to cisco may involve
>reworking every RAS client to go from checkpoint VPN client to Cisco......
>
>regards
>
>Stephen
>
>Stephen Hope C. Eng, Network Consultant, [email protected],
>Energis UK, WWW: http://www.energis.com
>Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
>Tel: +44 (0)Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

------------------------------

Date: Sat, 27 Oct 2001 09:27:26 -0500
From: Jesus Corrales - Soporte de Sistemas <[email protected]>
Subject: messages : /bootpd: Error 0 - in Log

Hi all

Does anybody know why this message is appearing in the log of my Sun:

inetd[15079]: execv /usr/sbin/bootpd: Error 0

Thank you

------------------------------

Date: Sat, 27 Oct 2001 14:24:58 -0400
From: Dick Conrad <[email protected]>
Subject: Log entries

Hi:

Our FW-1 log is displaying an increasing number of incoming http requests
that show no destination address, protocol, port, rule, etc. We are not
getting complaints about access to internal servers. Is this malicious
traffic? How do we block it?

Thank you.
Dick Conrad

------------------------------

Date: Sat, 27 Oct 2001 15:54:28 -0400
From: Andy Druda <[email protected]>
Subject: [FW1] FW1 error message

Did anyone ever find any information about this error message?

At 04:11 PM 4/24/01, Peter SoCalGuy wrote:
>Hello All,
>
>I have been getting the following error from my Firewall
>
>fwh323_hdr_analyze header does not start with 03
>
>I have been researching this issue, but I can't seem to find much
>information about it. If anyone has any info regarding this message it will
>be greatly appreciated.
>
>Thanks,
>Pete

------------------------------

Date: Sat, 27 Oct 2001 19:28:22 -0200
From: Marinho Paiva Duarte <[email protected]>
Subject: Webmail Sites

Hi!!!

I would like to know how I may deny access to webmail sites in checkpoint
firewall-1?
We use NAT, and about 70% of the traffic across the firewall is people
downloading files from their external e-mails (like hotmail, yahoo...).
This is a big problem for us.
I have a little idea of how it can be done, some people said that it is
using URI (??), but I'm not sure.
Does anyone know how to do it??

Thank you.

Marinho Paiva Duarte
------------------------------

Date: Sun, 28 Oct 2001 00:37:21 +0300
From: Sezgin Bayrak <[email protected]>
Subject: Problem when rebooting LAN clients

We've installed Checkpoint FW-1 sp2 on NT Server sp6a with two interfaces.
One is the external one and the other is internal, which is assigned as the
LAN where clients are located. Everything looks fine about accessing the
internet but there's a strange problem with all clients (both with hide and
static address xlated clients): after rebooting, the clients can not ping or
access the internet for about 45 seconds, even though they can ping the
internal interface of FW-1 or any other client in the LAN! But then after
some time they start to access the internet and never get out of connection
again. This case is exactly the same for every client in the internal
network and repeats at every reboot..

Does anyone have any idea about this strange kind of position? We'll really
appreciate any help.

Thank you

Sezgin Bayrak
Filpark Technologies
[email protected]

------------------------------

Date: Sat, 27 Oct 2001 21:04:40 -0400
From: "Olmstead, Frank M." <[email protected]>
Subject: <No subject given>

Hi all,

I just installed a new instance of FW-1 firewall on a separate PC. Then I
copied my object.c and rulebase.* into the pc. Is there a way to get my
SecureClient user dbase into the new machine?

Frank

------------------------------

End of FW-1-MAILINGLIST Digest - 26 Oct 2001 to 27 Oct 2001 (#2001-24)
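The "VPN with OSPF for Failover" thread in this digest turns on one design point: a site-to-site IPsec policy selects traffic by unicast IP selectors (the protected subnets, or the two tunnel endpoints), so an OSPF hello addressed to 224.0.0.5 matches no entry and is dropped at the gateway, whereas GRE wraps that hello in a unicast packet between the endpoints that a selector can cover, which is why the proposed Cisco design runs GRE inside IPsec. The model below is an added example, not code from the list, from Check Point or from Cisco; the gateway addresses, LAN ranges and policy entry names are constructed for illustration.

```python
"""
Toy model of IPsec security-policy (SPD) selector matching, showing why a raw
OSPF hello does not ride a site-to-site tunnel and a GRE-wrapped one does.
Added example; all addresses are constructed (RFC 5737 ranges and RFC 1918).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PROTO_GRE = 47    # IP protocol number for GRE (RFC 2784)
PROTO_OSPF = 89   # IP protocol number for OSPF (RFC 2328)
ALL_SPF_ROUTERS = IPv4Address("224.0.0.5")   # OSPF hello destination


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    inner: Optional["Packet"] = None   # set when this packet encapsulates another


@dataclass
class SpdEntry:
    """One policy entry: protect traffic whose addresses/protocol match."""
    name: str
    local: IPv4Network
    remote: IPv4Network
    proto: Optional[int] = None        # None = any IP protocol

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.local and pkt.dst in self.remote
                and (self.proto is None or self.proto == pkt.proto))


def classify(spd: List[SpdEntry], pkt: Packet) -> str:
    """Name of the first matching SPD entry, or 'discard' when nothing matches.
    A site-to-site policy has no selector covering 224.0.0.5, so a raw
    multicast hello falls through to 'discard'."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.name
    return "discard"


def ospf_hello(router: str) -> Packet:
    """An OSPF hello as the LAN-side router emits it: multicast, protocol 89."""
    return Packet(IPv4Address(router), ALL_SPF_ROUTERS, PROTO_OSPF)


def gre_encapsulate(pkt: Packet, tun_src: str, tun_dst: str) -> Packet:
    """Wrap a packet in GRE: the outer header is unicast between the two
    tunnel endpoints, so it can match a host-to-host IPsec selector."""
    return Packet(IPv4Address(tun_src), IPv4Address(tun_dst), PROTO_GRE, inner=pkt)


def gre_decapsulate(pkt: Packet) -> Packet:
    """Strip the GRE header at the far end; the original multicast hello is
    handed to that router's OSPF process unchanged."""
    if pkt.proto != PROTO_GRE or pkt.inner is None:
        raise ValueError("not a GRE packet")
    return pkt.inner


# Constructed topology: a New York hub and a Detroit hub, each with a LAN.
NY_GW, DET_GW = "203.0.113.10", "198.51.100.20"
SPD = [
    # LAN-to-LAN unicast traffic: the classic site-to-site selector.
    SpdEntry("lan-to-lan", IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/16")),
    # GRE between the two tunnel endpoints: this is what carries OSPF.
    SpdEntry("gre-over-ipsec", IPv4Network(NY_GW + "/32"),
             IPv4Network(DET_GW + "/32"), proto=PROTO_GRE),
]


def hello_without_gre() -> str:
    """What the policy does with a raw OSPF hello from the New York LAN router."""
    return classify(SPD, ospf_hello("10.1.0.1"))


def hello_with_gre() -> Tuple[str, Packet]:
    """Same hello, GRE-wrapped: it is protected, and Detroit recovers it intact."""
    outer = gre_encapsulate(ospf_hello("10.1.0.1"), NY_GW, DET_GW)
    return classify(SPD, outer), gre_decapsulate(outer)


if __name__ == "__main__":
    print("raw hello ->", hello_without_gre())
    action, inner = hello_with_gre()
    print("GRE hello ->", action, "| delivered to", inner.dst, "proto", inner.proto)
```

The model stops at the selector decision; it does not form the OSPF adjacency or model the Houston backup hub. What it makes visible is that the GRE tunnel, not the IPsec SA, is the OSPF link, so the tunnel interface must carry the routing protocol's cost and timers, and the IPsec policy only needs the single host-to-host GRE selector per hub pair rather than a selector per multicast group.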