Re: [FW-1] FW-1-MAILINGLIST Digest - 15 Jan 2002 to 16 Jan 2002 (#2002-17)
All,

Getting SecuRemote to work with the Linksys boxes is relatively easy. There are a couple of different ways to do this. On some of the later firmware updates for the Linksys BEFSR41 (1.40), there is nothing that has to be done to get this to work as long as you are using UDP encapsulation. For this to work, you will need to have Checkpoint 4.1 on at least SP2, and the SecuRemote client needs to also be on 4176 or higher. If you look at the release notes for SP2 for the firewall, it will explain how to set up UDP encapsulation on your firewall. It is fairly easy to set up, so read the doc and you are good to go.

Generally it will automatically do UDP encapsulation for you from the SecuRemote client after you set up that feature on the firewall. You can also force that connection to use the UDP encapsulation method. To do that, add :force_udp_encapsulation (true) in your userc.c file on the client's machine. That file is under c:\prog files\checkpoint\securemote\database. Under builds 4185 and 4199 you can open the client, and under Tools/Encryption Scheme there is an Advanced Options button. Under that button you can check a box to force UDP encapsulation if you want.

Another big problem with the Linksys boxes and many other DSL/cable modem routers is that they do not allow fragmented packets back into their dial-up boxes. This usually happens if you are using certificates to connect with SecuRemote. If you are using a shared secret, fragmentation never occurs. To solve this problem Checkpoint enabled a new feature, Support IKE over TCP (TCP 500). This was enabled in Checkpoint v4.1 SP4 for the firewall. You can use this feature on the client end only if you are on build 4185 or higher. Under Tools/Encryption Scheme/Advanced Options there is a check box that will allow you to turn that feature on or off on the client end. Check the release notes for 4.1 SP4 for the firewall for the setup in objects.C; it is just too much to put into this mail.
Basically, this feature will make the initial call in phase one go out over TCP 500 instead of UDP 500. This helps keep the packet sizes small enough to keep from being fragmented. It will continue on after the initial phase one connection with UDP 500 and then finally to IP protocol 50 or UDP 2746 (UDP encapsulation), depending on whether you are using that feature or not. All in all, UDP encapsulation uses UDP port 2746 instead of having to use IP protocol 50. You will also use TCP 264 for topology updates as well as UDP port 500 for the phase one negotiations. If you choose to use Support IKE over TCP, that will use TCP 500. You will still need to allow UDP 500, because it will still send out one UDP 500 packet at the end of the phase one negotiation.

Ok. So with all the above stated, I have yet to get a Linksys box not to work, either a regular one or a wireless one, when doing the above 2 setups. You will need to use the UDP encapsulation every time, since the Linksys does port address translation, but the IKE over TCP will only need to be used if you are doing certificate based authentication.

Good Luck.

Andy Faulkner
Perot Systems

-----Original Message-----
From: Automatic digest processor [mailto:[email protected]]
Sent: Thursday, January 17, 2002 2:00 AM
To: Recipients of FW-1-MAILINGLIST digests
Subject: FW-1-MAILINGLIST Digest - 15 Jan 2002 to 16 Jan 2002 (#2002-17)

There are 46 messages totalling 3437 lines in this issue.

Topics of the day:

1. SecuRemote access via GPRS mobile
2. Internal authentication error / SecureRemote
3. IP440 Failure - ot
4. Accept Control Connections disabled (2)
5. Checkpoint/Netscreen VPN IKE Error Messages
6. Not able to ping from FW to either way
7. Unable to open '/dev/fw0': No such device or address
8. Security Policy inst. error
9. PPTP Connections through Hide NAT (2)
10. Anti-spoofing and sendmail (6)
11. Domain Controller (7)
12. Remote connection with CheckPoint (3)
13. logging to a mgt console
14. Securemote with Linksys BEFSR41 router settings (?) (3)
15. Broken FTP Logging in 4.1
16. SecuRemote through NAT device???
17. Using Cisco IOS firewall feature set (3)
18. Opsec Lea events handling
19. Free S/WAN and VPN-1
20. AW: [FW-1] Connection lost problem
21. nokia duplidisk??? (2)
22. IPSO + Content Filtering
23. FW-1 NG Rule Install slow????
24. ISDN-Backup for VPN-Connection
25. Unable to connect to Citrix via NFuse
26. Checkpoint FW-1 2000 installation on Windows 2000

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

----------------------------------------------------------------------

Date: Wed, 16 Jan 2002 09:34:08 +0100
From: Reinhard Stich <[email protected]>
Subject: Re: SecuRemote access via GPRS mobile

hi,

At 17:07 15.01.2002 +0000, Michael Haller wrote:
>I'm getting "no-ip protocol in use" errors during authentication
>when I try to connect via my mobile using GPRS. If I uncheck
>"only TCP/IP protocols are used" I no longer get the above error
>but I still can't connect to the protected network. It is not
>clear why (i.e., nothing in log).
>
>Has anybody had any success connecting via a GPRS network? If
>so can you tell me what I need to do?

does it work with "normal" internet access?

with GPRS, you normally get private IP addresses with a NAT device at your GSM provider. ask your GSM provider to set up an APN for you with official IP addresses for the client and no filtering between the client and the internet.
cheers
-reinhard
--
Reinhard Stich, ASSIST [email protected]
Internet Security AG, 1190 Wien, Nussdorfer Laende 29-33
Tel: +43 1 370 94 40 RS784-RIPE
Fax: +43 1 370 94 40-10

------------------------------

Date: Wed, 16 Jan 2002 10:08:36 +0100
From: Holmes Jeremy <[email protected]>
Subject: Internal authentication error / SecureRemote

Hi,

I have just replaced the server on which our Firewall-1 was installed (NG FP1) with something more powerful. I rebuilt the server offline and swapped machines (same IP address and rules). Everything works correctly except for SecureRemote access using hybrid mode IKE. Users can authenticate and download the topology, but as soon as they try to access any machine in the encryption domain, they receive the error "Error: Internal Authentication Error". I have checked the configuration using the Checkpoint document on hybrid mode IKE and all appears to be the same as before (which worked correctly). I have tried to reinstall SecuRemote and upgraded to the latest version (51057), but I still receive the same error.

Can anyone help me to resolve this problem?

Regards

==========================================================================
This message and any attachments are confidential and may also be privileged. Its contents do not constitute a commitment by the Channel Tunnel Group Ltd and/or France-Manche S.A. except where provided for in a written agreement between you and The Channel Tunnel Group Ltd and/or France-Manche S.A. Any unauthorised disclosure, use or dissemination, either whole or partial, is prohibited. If you are not the intended recipient of the message, please notify the sender immediately. The views expressed in this message do not necessarily reflect those of The Channel Tunnel Group Ltd and/or France-Manche S.A. or any of their subsidiary companies.
------------------------------

Date: Wed, 16 Jan 2002 09:46:30 +0100
From: richard marshall <[email protected]>
Subject: Re: IP440 Failure - ot

I've tried both. It's dead-dead. :( I think I'll leave it to the service guys to fix...

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Jorge Espinel
Sent: 15 January 2002 20:53
To: [email protected]
Subject: Re: [FW-1] IP440 Failure - ot

Are you using the console port or just the keyboard and a monitor when you try to get into the IP440???

-----Original Message-----
From: richard marshall [mailto:[email protected]]
Sent: Tuesday, 15 January 2002 13:29
To: [email protected]
Subject: [FW-1] IP440 Failure - ot

Hi,

I have an IP440 with a Celeron-333 processor that has a hardware failure (it won't even turn on, never mind boot!). It appears to be a BIOS or motherboard problem. Is it possible to rebuild it with 'off the shelf' parts? If so, has anyone done this, and with what parts?
thanks

------------------------------

Date: Wed, 16 Jan 2002 09:42:44 +0000
From: Martin Horsley <[email protected]>
Subject: Re: Accept Control Connections disabled

I can only give suggestions for the CCSA NG exam; if you are doing the 2000 exams then I'm not sure how relevant this will be. My advice would be to make sure you know NAT and Authentication inside out, and also learn the default settings for things like TCP and UDP timeouts (Global Properties). I was asked a number of detailed questions about the fw command. I think part of the reason for my failure was to do with the ambiguous nature of some of the questions. I put this down to lack of experience in sitting exams (the last exam I took was around 10 years ago), well that's my excuse!! Anyway, expect some basic questions (firewall definition), and a number of questions on correct use of rules, i.e.
you will be given a situation and five rules, and you have to choose the best one (two of them will be correct, one of them will be more correct). The exam is 90 minutes long, and you have to answer 98 questions. I retake the exam on Friday.

Good luck, and hope this helps.

Martin.

>Hi Martin,
>
>I am going to take the exam next month, I am just curious about the CCSA
>exam and wanted to ask if you had any suggestions in preparing for it.
>Sorry I could not help with your question.
>

------------------------------

Date: Tue, 15 Jan 2002 13:12:25 -0500
From: [email protected]
Subject: Checkpoint/Netscreen VPN IKE Error Messages

Hello,

We have been having trouble for the past few weeks trying to get a Netscreen 5 to NT 4.0 Checkpoint 4.1 SP5 site-to-site VPN operational. Generally IKE Phase 1 completes between the firewalls, but only very infrequently does IKE Phase 2 complete between the firewalls, according to the Checkpoint and Netscreen logs. When Phase 2 does complete, outbound traffic is encrypted but the return decrypts do not come back. We have identical encryption schemes for Phase 1 & Phase 2 between the Checkpoint & Netscreen boxes. When Phase 2 does not complete, messages in the log viewer include "Received delete SA from Peer" and "Received Notification from Peer: payload malformed", with the source address being the Checkpoint firewall and the destination being the Netscreen.

Just for kicks, we tried creating a VPN connection to two other Checkpoint 4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5) using the same Netscreen 5 box with identical encryption properties, and both Phase 1 & Phase 2 became operational, and traffic was being encrypted and decrypted in both directions. Thus I eliminated the possibility that the Netscreen may be the issue. I then compared a few files on the various firewalls (crypt.def, objects.C), and could not find anything except cosmetic items that were different.
I also tried the various debugging tools (fw monitor, fw -d d, FWIKE_DEBUG), and have examined the resultant file output, and was not able to decipher anything enlightening from these files, although I must admit that I don't know exactly what kind of packet flow or sequencing I should be looking for.

Thanks in advance for any assistance.

============================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
[email protected]

------------------------------

Date: Wed, 16 Jan 2002 11:59:27 -0000
From: Andrew Doble <[email protected]>
Subject: Re: Not able to ping from FW to either way

Do you have a stealth rule that blocks all unauthorised access to your firewall? In the case of pinging, your "echo-request" packet is being generated by the firewall, but the "echo-reply" packet is being dropped. Check your firewall log for ICMP drops.

Andrew

-----Original Message-----
From: Puneet Kumar Bhardwaj [mailto:[email protected]]
Sent: 15 January 2002 16:14
To: [email protected]
Subject: Re: [FW-1] Not able to ping from FW to either way

Thanks for your reply Don,
1) It's local.arp only
2) I enabled the specific rule, thanks
3) Able to telnet to the remote computer, but need to test my telnet from the remote computer.

Thanks for your support.
Puneet.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Don
Sent: Monday, January 14, 2002 7:54 PM
To: [email protected]
Subject: Re: [FW-1] Not able to ping from FW to either way

> 1) The arp entry is like this
> 206.234.243.134 <MAC address of FW's external interface>

Well that is correct. And this is in local.arp?

> 3) I am able to ping my router now 206.234.243.1 and host also 172.16.1.134
> but only after checking the option Policy>Properties>
> Security Policy>Accept ICMP (before last)

You should enable a specific rule in your firewall policy instead of allowing ICMP through the implied policy.
> 4) I am able to reach my FW's external IP from tracert.com but not able to
> reach my NAT IP 206.234.243.134 from the net (in this case I fail to reach my
> FW's external IP also!!)

Traceroute is a funny protocol and is not the best for troubleshooting. You may wish to test connectivity with an application such as telnet or http.

-Don

------------------------------

Date: Wed, 16 Jan 2002 19:15:38 +0530
From: Mohan Sundar <[email protected]>
Subject: Unable to open '/dev/fw0': No such device or address

Hi

I have also faced this problem and got it solved by reinstalling the CheckPoint license.

Pls. check: the file dev/fw0 has your firewall's external IP.

Try this...
All the Best

Regards,
MOHi

------------------------------

Date: Wed, 16 Jan 2002 19:30:26 +0530
From: Mohan Sundar <[email protected]>
Subject: Accept Control Connections disabled

Hi all,

I hope the "fw unload localhost" command will help to solve this. If you execute this, the current policy will be unloaded; then you can communicate with your firewall & management module and can install a new policy. Once I did this when the GUI lost communication with the management server. I have not checked the above for control connections, but I hope this will solve the problem.

Regards,
MOHi

------------------------------

Date: Wed, 16 Jan 2002 19:37:13 +0530
From: Mohan Sundar <[email protected]>
Subject: Security Policy inst. error

Hi All,

I also faced the following error:

Installing Security Policy Genel on all.all@kybele
Unable to open '\Device\FW1': The system cannot find the file specified.
Failed to get interface list: The system cannot find the file specified.
Has only loopback (lo) interface, aborting...
Failed to Load Security Policy: The system cannot find the file specified.
Installing Security Policy on localhost(kybele) failed

Pls. check the interfaces listed in your firewall workstation objects.

Solution: I solved this by installing the SNMP service.

Regards,
MOHi

------------------------------

Date: Wed, 16 Jan 2002 09:16:31 -0500
From: Jeremy Morrill <[email protected]>
Subject: Re: PPTP Connections through Hide NAT
I have used ISA and Guardian (no longer in business) and they both do PPTP flawlessly without any type of special configuration. Checkpoint however is a different story. See the following document for proper configuration of PPTP with Checkpoint FW-1.

ftp://ftp.andover.edu/test/pptp.pdf

-JRM

Jeremy Morrill
Network Project Manager
Phillips Academy
E-mail: [email protected]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Antoniani, Alessandro
Sent: Tuesday, January 15, 2002 11:48 AM
To: [email protected]
Subject: [FW-1] PPTP Connections through Hide NAT

Hi all,

we have FW-1 protecting our LAN with Hide NAT. Our users need to connect to customers' LANs using PPTP VPNs with the standard Windows 2000 client. I've tried to configure the rule base to allow for this, but it seems that the only way to have a LAN client connect is to set up a static NAT for the client, while what I really want is to have anybody on the LAN be able to do it without requesting a particular configuration from IT.

ISA Server does this easily, and our old firewall (Guardian) could do this without problems as well; anybody have suggestions?
Thanks in advance
alex

_________________________________
Alessandro Antoniani, IT Manager
Bowne Global Solutions, formerly Mendez
Office Via Ripamonti, 131/133
20141 Milano, Italy
Phone +39 02 53570225
Mobile +39 335 453629
Fax +39 02 53570222
[email protected]
www.bowneglobal.com
------------------------------

Date: Wed, 16 Jan 2002 11:04:25 -0500
From: Michael Glenn <[email protected]>
Subject: Anti-spoofing and sendmail

Hello all,

Some quick questions on anti-spoofing and sendmail.

We were using an IDS script to send e-mail alerts from our firewall (4.1). We recently activated anti-spoofing on the firewall's interfaces and the mail no longer arrives. In the fw log I noticed that sendmail was using the address of the firewall's external interface as a source address and the firewall was therefore dropping the packets (rule 0 - spoofing). Anti-spoofing on the internal interface was configured with "This net", so I created a group containing the internal network object and a new workstation object I created, giving it the firewall's external interface IP, and set this as the "Specific" valid address.

The packets still get dropped on rule 0 - spoofing.

Does the firewall service need to be restarted for spoofing rules to take effect?

Is there something else I'm not thinking about?

Thanks!

Michael

------------------------------

Date: Wed, 16 Jan 2002 11:36:12 -0500
From: Aeon Hale <[email protected]>
Subject: Domain Controller

Please forgive me for sending the list an "off checkpoint subject", but I'm hoping somebody here has run into this situation:

DMZ: contains numerous webservers.
Our NT guys want to set up a Domain Controller on the DMZ for centralized authentication. It will NOT sync with the internal Domain Controller.

Question: We currently have a RADIUS server used for authentication (Checkpoint uses this for user, client, session and SecuRemote). I would like to know if there is a way to have the DMZ domain controller "trust" the RADIUS server, so that we can cut back on the number of accounts we need to create. Without the trust between the DMZ domain controller and RADIUS, each user will have to have 3 accounts: one on the internal DC, one on the DMZ DC, and one on the RADIUS server. We're trying to keep it to a minimum; I'm sure you guys can understand.

Any help would be greatly appreciated.

Thanks,
Aeon Hale

------------------------------

Date: Wed, 16 Jan 2002 17:36:15 +0100
From: Guido Fraietta <[email protected]>
Subject: Remote connection with CheckPoint

Hi all,

I use Check Point VPN-1 & FireWall-1 Version 4.1 and I need to connect to it from a remote host to run the fw policy editor visual tool.

I succeed in starting the tool from the remote machine, but when it tries to connect to the server, after the "Loading Encryption Method" mask, I get the message: "No response from server!"

Any suggestion on this!?
Thanks in advance,
Guido Fraietta

------------------------------

Date: Wed, 16 Jan 2002 11:59:42 -0500
From: Stanley Lieberman <[email protected]>
Subject: Re: Anti-spoofing and sendmail

You want to remove the FW object and add an object for the external mail address to that group.

Good Luck
Stanley

> Hello all,
>
> Some quick questions on anti-spoofing and sendmail.
>
> We were using an IDS script to send e-mail alerts from our firewall (4.1).
> We recently activated anti-spoofing on the firewall's interfaces and the mail no
> longer arrives.
> In the fw log I noticed that sendmail was using the address of the firewall's
> external interface as a source address and was therefore dropping the packets
> (rule 0 - spoofing).
> Anti-spoofing on the internal interface was configured with "This net", so I
> created a group containing the Internal network object and a new workstation
> object I created giving it the firewall's external interface IP and set this as
> the "Specific" valid address.
>
> The packets still get dropped on rule 0 - spoofing.
>
> Does the firewall service need to be restarted for spoofing rules to take
> effect?
>
> Is there something else I'm not thinking about?
>
> Thanks!
>
> Michael
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

------------------------------

Date: Wed, 16 Jan 2002 17:06:49 -0000
From: Sam Denton <[email protected]>
Subject: Re: Remote connection with CheckPoint

Is it a GUI Client?

-----Original Message-----
From: Guido Fraietta [mailto:[email protected]]
Sent: 16 January 2002 16:36
To: [email protected]
Subject: [FW-1] Remote connection with CheckPoint

Hi all,

I use Check Point VPN-1 & FireWall-1 Version 4.1 and I need to connect to it from a remote host to run the fw policy editor visual tool.

I succeed in starting the tool from the remote machine, but when it tries to connect to the server, after the "Loading Encryption Method" mask, I get the message: "No response from server!"

Any suggestion on this!?

Thanks in advance,
Guido Fraietta
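For the anti-spoofing thread in this digest (Michael's sendmail alerts dropped on rule 0, and the later point that rule 0 covers every implied rule, so only the Info field tells the drops apart), here is an added Python example that is not from any poster: it triages rule 0 drops from a constructed log export and flags drops whose source address is one of the firewall's own interface addresses. The "key: value;" log layout, interface names and addresses are assumptions made for the example, not the FW-1 log format.

```python
import ipaddress
from collections import Counter

# Constructed sample of a log export. The "key: value; key: value" layout is
# an assumption made for this example, not the real FW-1 log format; it only
# carries the fields the thread talks about (rule, interface, src, Info text).
SAMPLE_LOG = """\
rule: 0; action: drop; i/f: hme1; src: 203.0.113.1; dst: 192.0.2.25; info: reason: local interface address spoofing
rule: 0; action: drop; i/f: hme0; src: 198.51.100.7; dst: 192.0.2.80; info: reason: unknown established TCP packet
rule: 0; action: drop; i/f: hme0; src: 198.51.100.9; dst: 192.0.2.80; info: message SYNDefender warning: SYN -> SYN-ACK -> RST or timeout
rule: 0; action: drop; i/f: hme1; src: 172.16.5.5; dst: 203.0.113.9; info: reason: spoofing
rule: 0; action: drop; i/f: hme1; src: 203.0.113.1; dst: 192.0.2.25; info: reason: local interface address spoofing
rule: 12; action: accept; i/f: hme1; src: 10.0.0.5; dst: 203.0.113.9; info:
"""

# Firewall interface addresses (constructed): hme0 external, hme1 internal.
FIREWALL_ADDRS = {
    "hme0": ipaddress.ip_address("203.0.113.1"),
    "hme1": ipaddress.ip_address("10.0.0.1"),
}


def parse_entry(line):
    """Split one 'key: value; ...' line into a dict (constructed layout)."""
    entry = {}
    for field in line.split("; "):
        key, sep, value = field.partition(": ")
        # a trailing 'info:' with nothing after it has no separator
        entry[key.rstrip(":").strip()] = value.strip() if sep else ""
    return entry


def classify_reason(info):
    """Bucket the Info text: rule 0 covers every implied rule, so only the
    reason tells anti-spoofing apart from state-table and SYNDefender drops."""
    if "local interface address spoofing" in info:
        return "anti-spoofing: local interface address"
    if "spoofing" in info:
        return "anti-spoofing: source not valid for interface"
    if "unknown established TCP packet" in info:
        return "state table: unknown established TCP packet"
    if "SYNDefender" in info:
        return "SYNDefender"
    return "other implied rule"


def rule0_report(log_text, firewall_addrs):
    """Count rule 0 drops per reason and list the ones whose source address
    belongs to one of the firewall's own interfaces but was logged against a
    different interface: the pattern to look for in Michael's sendmail case."""
    counts = Counter()
    own_addr_hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry.get("rule") != "0":
            continue
        counts[classify_reason(entry.get("info", ""))] += 1
        src = ipaddress.ip_address(entry["src"])
        for ifname, addr in firewall_addrs.items():
            if src == addr and ifname != entry.get("i/f"):
                own_addr_hits.append((entry["i/f"], entry["src"], ifname))
    return counts, own_addr_hits


if __name__ == "__main__":
    counts, hits = rule0_report(SAMPLE_LOG, FIREWALL_ADDRS)
    for reason, n in counts.most_common():
        print(f"{n:3d}  {reason}")
    for iface, src, owner in hits:
        print(f"src {src} seen on {iface} is the firewall's own {owner} address")
```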
------------------------------

Date: Wed, 16 Jan 2002 12:17:09 -0500
From: "King, Arron S." <[email protected]>
Subject: Re: Domain Controller

We have a similar situation. The solution we found was to use Steel-Belted RADIUS by Funk Software. It can authenticate against Active Directory, NT4-style domains, its own account list, and an account list in SQL Server.

HTH

Arron
_________________________________________________
Arron King
Network & Systems Administrator
Ohio Dominican College
[email protected]
http:\\www.odc.edu\~kinga

-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] Domain Controller

Please forgive me for sending the list an "off checkpoint subject" but I'm hoping somebody here has run into this situation:

DMZ:

contains numerous webservers. Our NT guys want to set up a Domain Controller on the DMZ for centralized authentication. It will NOT sync with the internal Domain Controller.

Question:

We currently have a RADIUS server used for authentication (Check Point uses this for user, client, session and SecuRemote). I would like to know if there is a way to have the DMZ domain controller "trust" the RADIUS server so that we can cut back on the number of accounts we need to create?

Without the trust between the DMZ Domain Controller and RADIUS, each user will have to have 3 accounts: one on the internal DC, one on the DMZ DC, and one on the RADIUS server. We're trying to keep it to a minimum; I'm sure you guys can understand.

Any help would be greatly appreciated.

Thanks,

Aeon Hale

------------------------------

Date: Wed, 16 Jan 2002 12:07:57 -0500
From: Don Guyer <[email protected]>
Subject: Re: Remote connection with CheckPoint

Guido,

IIRC, don't you have to add yourself as a user and/or your remote machine's IP address in the firewall config, to be able to remotely access the rulebase?

Don Guyer
Information Systems
Citadel Federal Credit Union
www.citadelfcu.org

-----Original Message-----
From: Guido Fraietta [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] Remote connection with CheckPoint
------------------------------

Date: Wed, 16 Jan 2002 12:12:37 -0500
From: "Stover, Joseph E" <[email protected]>
Subject: logging to a mgt console

Hello All

I'm new to the Nokia/Checkpoint equipment. We have several FWs sending logs to our mgt console. I'm trying to get a new Nokia IP530 to report its log activity to our management console, and it doesn't seem to be sending any log info (from what I can see in the [log view]).

In the file $FWDIR/conf/masters there is a 'plus' sign to allow logging:

+10.35.1.1 (address of the mgt console)

I'm not sure what I am missing. I'm currently browsing Checkpoint's SecureKnowledge database for info.

Joe Stover

------------------------------

Date: Wed, 16 Jan 2002 18:29:50 +0100
From: "Reed Mohn, Anders" <[email protected]>
Subject: Re: Domain Controller

AFAIK, RSA has software that lets you use their RADIUS server for NT authentication, but I think that's only when used with SecurID tokens.

Cheers,
Anders :)

> -----Original Message-----
> From: Aeon Hale [mailto:[email protected]]
> Sent: 16. januar 2002 17:36
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
> Please forgive me for sending the list an "off checkpoint subject" but
> I'm hoping somebody here has run into this situation:
>
> [...]
------------------------------

Date: Wed, 16 Jan 2002 12:37:29 -0500
From: Yves Belle-Isle <[email protected]>
Subject: Re: Anti-spoofing and sendmail

Why are you sure it's anti-spoofing related? Rule 0 is FOR ALL IMPLIED RULES, not just anti-spoofing. Did you check the Info. field of the log to be sure it's caused by the anti-spoofing?

The most common cause of rule 0 reject on my FW-1 is:

reason: unknown established TCP packet

the second is:

message SYNDefender warning: SYN -> SYN-ACK -> RST or timeout

At 11:04 2002-01-16, Michael Glenn wrote:
>Hello all,
>
>Some quick questions on anti-spoofing and sendmail.
>
>We were using an IDS script to send e-mail alerts from our firewall (4.1).
>[...]

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17
Email: [email protected]
Systems Manager
Sogi Informatique Ltee.
------------------------------------------------------------

------------------------------

Date: Wed, 16 Jan 2002 09:43:18 -0800
From: Anthony Mendoza <[email protected]>
Subject: Re: Domain Controller

Can Steel-Belted RADIUS authenticate against 2 separate NT4 domains?

King, Arron S. wrote:
> We have a similar situation. The solution we found was to use Steel-belted RADIUS by funk software.
> It can authenticate against Active Directory, NT4-style domains, its own account list, and an account list in sql server.
> [...]

--
Anthony Mendoza
IT & Customer Support
[email protected]

------------------------------

Date: Wed, 16 Jan 2002 12:37:19 -0500
From: Work <[email protected]>
Subject: Re: Domain Controller

Aeon,

From my understanding, I think you can make your RADIUS Server a Win2k box and have it act as a Domain Controller from the same database/box. If you don't want to have everything on one box I think you could have the RADIUS box feed off of the Domain Controller. If I am wrong someone please feel free to straighten me out.

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Aeon Hale
> Sent: Wednesday, January 16, 2002 11:36 AM
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
> [...]

------------------------------

Date: Wed, 16 Jan 2002 09:58:26 -0800
From: John Tanouye <[email protected]>
Subject: Securemote with Linksys BEFSR41 router settings (?)
There seems to be a lot of discussion about being able to connect the Linksys router with Checkpoint's VPN. With various methods available tailored to each setup, it's difficult to know what works for one specific setup.

What I would like to see are the detailed settings from people who got it working. I am willing to keep an archive of these for people who need it in the future. I know six people here at work using DSL/cable with a router, and all six have the same Linksys one. This should prove useful to the many other Linksys users out there.

So how about it? Let's see your setup. Some of the settings that would be good to share:

objects.C modifications
Checkpoint version and SP
Securemote version and SP
Incoming/Outgoing ports opened on Firewall
Linksys firmware revision
Linksys port mappings
Linksys DHCP/NAT settings
MTU value
filter settings
Tips or anything else you found relevant to have a successful connection

Thanks everyone,
John

------------------------------

Date: Wed, 16 Jan 2002 12:30:35 -0500
From: Yves Belle-Isle <[email protected]>
Subject: Re: PPTP Connections through Hide NAT

What Alessandro wants to do is to have many PPTP clients behind the FW-1 establishing connections to PPTP servers at his customers' sites, as I understand it.

You, Jeremy, refer to a paper which speaks of supporting a PPTP server behind a FW-1. That paper is almost obsolete in FW-1 4.1 because those services are already defined in the product. I myself run such a PPTP server behind a FW-1 4.1, but I don't use NAT for that server, and the paper you mention doesn't either.

I use PPTP clients behind the FW-1 4.1 to access clients' LANs and it works, but I don't use NAT at all...

So we did not respond to Alessandro's question, which was: How do I set up my FW-1 so I can have PPTP clients behind my FW-1 accessing PPTP servers at customers' locations and have those PPTP clients behind a hide NAT address?

I don't have the answer as I don't have that problem; I hope someone else can answer his question.

By the way, Jeremy, did you try to have PPTP clients with private IP addresses behind your ISA or Guardian firewall, doing NAT to a public address for those PPTP clients, establish connections to a remote PPTP server? Did it work?

At 09:16 2002-01-16, Jeremy Morrill wrote:
>I have used ISA and Guardian (no longer in business) and they both do PPTP flawlessly without any type of special configuration. Checkpoint however is a different story. See the following document for proper configuration of PPTP with Checkpoint FW-1.
>
>ftp://ftp.andover.edu/test/pptp.pdf
>
>-JRM
>
>Jeremy Morrill
>Network Project Manager
>Phillips Academy
>E-mail: [email protected]
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Antoniani, Alessandro
>Sent: Tuesday, January 15, 2002 11:48 AM
>To: [email protected]
>Subject: [FW-1] PPTP Connections through Hide NAT
>
>Hi all,
>we have FW-1 protecting our LAN with Hide NAT. Our users need to connect to customers' LANs using PPTP VPNs with the standard Windows 2000 client. I've tried to configure the rule base to allow for this, but it seems that the only way to have a LAN client connect is to set up a static NAT for the client, while what I really want is to have anybody on the LAN be able to do it without requesting a particular configuration from IT.
>
>ISA Server does this easily, our old firewall (Guardian) could do this without problems as well, anybody have suggestions?
>
>Thanks in advance
>
>alex
>
>_________________________________
>Alessandro Antoniani, IT Manager
>Bowne Global Solutions, formerly Mendez
>
>Office Via Ripamonti, 131/133
> 20141 Milano, Italy
>Phone +39 02 53570225
>Mobile +39 335 453629
>Fax +39 02 53570222
>[email protected]
>www.bowneglobal.com

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17
Email: [email protected]
Systems Manager
Sogi Informatique Ltee.
------------------------------------------------------------

------------------------------

Date: Wed, 16 Jan 2002 13:15:23 -0500
From: "Howell, Paul" <[email protected]>
Subject: Broken FTP Logging in 4.1

Hi,

Let me begin by saying that we're using Nokia 650's, IPSO 3.3, Fwall-1 4.1 SP3.

We've noticed that the FTP COMMAND connection is logged, but that the FTP DATA connection is not logged. We're using "long" logging. This difference can result in the mistaken conclusion that an ftp session was successful when in fact the COMMAND connection was accepted but the DATA command was rejected. We've been bitten by this a couple of times.

Does anyone know of a way to get the FTP DATA connection logged?

Thanks,
< paul

------------------------------

Date: Wed, 16 Jan 2002 13:33:03 -0500
From: "King, Arron S." <[email protected]>
Subject: Re: Domain Controller

Not sure about 2 NT 4 domains. We are using it to authenticate via a SQL Server table and Active Directory, and it is working okay. They have a 30 day free eval on their site.

-----Original Message-----
From: Anthony Mendoza [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 12:43 PM
To: [email protected]
Subject: Re: [FW-1] Domain Controller

Can Steel-Belted RADIUS authenticate against 2 separate NT4 domains?

King, Arron S. wrote:
> We have a similar situation. The solution we found was to use Steel-belted RADIUS by funk software.
> [...]

------------------------------

Date: Wed, 16 Jan 2002 13:39:36 -0500
From: Michael Glenn <[email protected]>
Subject: Re: Anti-spoofing and sendmail

What type do I use to create an "external mail address"? I had simply used a workstation type object and assigned it the IP address of the external firewall interface...

[...]

You want to remove the FW object and add an object for the external mail address to that group.

Good Luck
Stanley

> [...]

------------------------------

Date: Wed, 16 Jan 2002 13:40:30 -0500
From: Michael Glenn <[email protected]>
Subject: Re: Anti-spoofing and sendmail

I'm sure because the info field says "reason: local interface address spoofing"

[...]

Why are you sure it's anti-spoofing related? Rule 0 is FOR ALL IMPLIED RULES, not just anti-spoofing. Did you check the Info. field of the log to be sure it's caused by the anti-spoofing?

[...]
>We recently activated anti-spoofing on the firewall's interfaces and the mail no >longer arrives. >In the fw log I noticed that sendmail was using the address of the firewalls >external interface as a source address and was therefore dropping the packets >(rule 0 - spoofing). >Anti-spoofing on the internal interface was configured with "This net", so I >created a group containing the Internal network object and a new workstation >object I created giving it the firewall's external interface IP and set this as >the "Specific" valid address. > >The packets still get dropped on rule 0 - spoofing. > >Does the firewall service need to be restarted for spoofing rules to take >effect? > >Is there something else I'm not thinking about? > >Thanks! > >Michael > [...] ------------------------------ Date: Wed, 16 Jan 2002 13:35:39 -0500 From: Aeon Hale <[email protected]> Subject: Re: Domain Controller Both the DMZ DC and Radius Server are on Win2k. I am also willing to have all my webservers authenticate to the radius server and not setup the new DC anyway. Does anybody know if this is possible and maybe some general pointers on setup? Thanks to all for the responses. -----Original Message----- From: Work [mailto:[email protected]] Sent: Wednesday, January 16, 2002 12:37 PM To: [email protected] Subject: Re: [FW-1] Domain Controller Aeon, >From my understanding, I think you can make your Radius Server a Win2k box and have it act as a Domain Controller from the same database/box. If you don't want to have everything on one box I think you could have the Radius box feed off of the Domain Controller. If I am wrong someone please feel free to straighten me out. 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Aeon
> Hale
> Sent: Wednesday, January 16, 2002 11:36 AM
> To: [email protected]
> Subject: [FW-1] Domain Controller
>
>
> Please forgive me for sending the list an "off checkpoint subject" but
> i'm hoping somebody here has run into this situation:
>
> DMZ:
>
> contains numerous webservers. Our NT guys want to setup a Domain
> Controller on DMZ for centralized authentication. It will NOT sync with
> internal Domain Controller.
>
> Question:
>
> We currently have a radius server used for authentication (checkpoint
> uses this for user, client, session and securemote). I would like to
> know if there is a way to have the DMZ domain controller "trust" the
> radius server that way we can cut back on the amount of accounts we need
> to create?
>
> Without the trust between the DMZ Domain controller and radius, each
> user will have to have 3 accounts: One on Internal DC, one on DMZ DC,
> and one on Radius Server. We're trying to keep it to a minimum, i'm
> sure you guys can understand.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Aeon Hale
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

------------------------------

Date: Wed, 16 Jan 2002 10:56:05 -0800
From: "Hanke, Christian (DC)" <[email protected]>
Subject: Re: SecuRemote through NAT device???

It was, I am embarrassed to admit, the "lost" network I had lurking behind the scenes which caused the SecuRemote to fail when behind the Linksys device. Couldn't have solved it without you guys, so hats off to you all. I can finally put this miserable experience behind me.

I do have one more problem though. Now, I have a user using a Linksys NAT device with multiple machines behind it. He is able to use SecuRemote with no problem from his XP desktop machine. On his W2K laptop, which has a docking station in the office and is part of our domain, he can't use SecuRemote from home to access our network.
I vaguely remember reading something about this somewhere but can't for the life of me remember where. Does this ring a bell with anyone? Any thoughts?

Thanks all,
Christian

-----Original Message-----
From: Fowler, Gary [mailto:[email protected]]
Sent: Monday, January 14, 2002 3:15 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

My money is on routing as the issue.

Assuming (192.168.1.0)--Linksys--Internet--Firewall1--InternalNet(192.168.1.0)--BackEndRouters.

If the NAT'd network is addressed the same/similar as your Internal network, then you will run into problems. The servers 'see' the client's real IP (not the Linksys' External IP). What path does a traceroute, from an internal server, show for the NAT'd network?

Linksys IPSec pass-through is not relevant, since the IPSec packet is encapsulated in a UDP packet.

The NAT'd Network, for all intents and purposes, becomes a part of your internal network. I recommend the client should have your internal WINS servers configured.

As a rule, you have to assign each of these Linksys (or Netgear, or whatever home/small) routers a Class C, from your internal address space, all its own. This rule also helps in tracking misbehaving users.

IP Pool NAT is an evil thing, avoid it if you can.

Make sure NetBIOS_NAT is false in objects.C

And be sure to have a dnsinfo.C configured; everyone should have a dnsinfo.C.

Gary

-----Original Message-----
From: Stanley Lieberman [mailto:[email protected]]
Sent: Monday, January 07, 2002 1:30 PM
To: [email protected]
Subject: Re: [FW-1] SecuRemote through NAT device???

Russell and list,

FWZ is an in-place encryption, which means the packet never changes; when you have an internal router most likely you're doing NAT, and when the packet leaves the firewall it has a non-routable address.. I am only guessing but you probably just connect to dial-up for SecuRemote, which means you always have a routable address..
When you use IKE it will wrap the packet in the firewall and send it out with a routable address; this is why you must use IKE when dealing with NATing on the client side..

Stanley

"Etts, Russell" wrote:

> Hi there
>
> I was curious - why is IKE better? For some reason we can only use FWZ....
> on the client machines, we get an error stating that we cannot use IKE...
>
> Thanks
>
> Russell
>
> PS - Yes, I am new to this...
>

------------------------------

Date: Wed, 16 Jan 2002 21:15:26 +0200
From: Eric Appelboom <[email protected]>
Subject: Using Cisco IOS firewall feature set

I am looking at complementing our FW-1's with switches installed with the Cisco IOS firewall feature set.
I would like to implement this on 6500 switches also using layer 3 switching so inspection can be done on switches and not on the FW NIC. We primarily would like to reduce unnecessary internal to internal traffic.

We will use the Cisco Policy Manager version 3 which appears to be similar to the FW-1 GUI and not command line.

There doesn't appear to be many people using the IOS firewall feature set and it appears quite apt and manageable. I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice? Are there any performance comparisons?

Regards
Eric

*** Disclaimer: The information in this email is confidential and is intended solely for the addressee(s). Access to this email by anyone else is unauthorised. If you are not an intended recipient, you must not read, forward, print, use or disseminate the information contained in the email. Any representations (contractual or otherwise), views or opinions presented are solely those of the author and do not necessarily represent those of the employer or any of its affiliates.
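As an added example of the kind of inter-VLAN policy Eric is asking about (this is example configuration written for this digest, not from the original post and not from Cisco documentation; the VLAN numbers, address ranges, ACL names and the inspection-rule name are all assumptions), here is a minimal classic-CBAC setup on two routed VLAN interfaces, with the TCP/UDP-only inspection limitation he mentions handled explicitly rather than discovered in production:

```cisco
! Added example, not from the original post. Hypothetical layout:
! Vlan10 = user LAN (10.10.0.0/16), Vlan20 = server VLAN (10.20.0.0/16).
!
! Classic CBAC inspection rule. Only TCP and UDP are inspected, so only
! their return traffic gets dynamic openings in the blocking ACL.
! audit-trail logs each session open/close so the logs can be correlated
! with what the FW-1 sees on the perimeter.
ip inspect name INSIDE-FW tcp
ip inspect name INSIDE-FW udp
ip inspect audit-trail
!
! Server-to-user traffic is denied by default; CBAC punches temporary
! holes for sessions the users initiated. ICMP is NOT inspected by
! classic CBAC, so the ICMP types that path MTU discovery, ping replies
! and traceroute rely on are permitted statically.
ip access-list extended SERVERS-TO-USERS
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 echo-reply
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 unreachable
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 time-exceeded
 deny   ip any any log
!
! User-side restrictions: users may open only these services toward the
! server VLAN. This ACL is evaluated before inspection, so anything not
! permitted here never creates a CBAC session at all.
ip access-list extended USERS-TO-SERVERS
 permit tcp  10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 80
 permit tcp  10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
 permit udp  10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 53
 permit icmp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 echo
 deny   ip any any log
!
interface Vlan10
 description user LAN
 ip address 10.10.0.1 255.255.0.0
 ip access-group USERS-TO-SERVERS in
 ip inspect INSIDE-FW in
!
interface Vlan20
 description server VLAN
 ip address 10.20.0.1 255.255.0.0
 ip access-group SERVERS-TO-USERS in
```

Two things worth checking once this is in place: `show ip inspect sessions` should list a session for every user-initiated TCP or UDP flow and nothing for ICMP, which confirms the static ICMP permits are doing the work CBAC cannot; and the `log` keyword on the deny lines makes every dropped packet a CPU event, so tune the policy with logging on and then remove it (or keep it only on the server-side ACL) before relying on the switch under load, which is the CPU concern Joe raises in his reply further down.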
------------------------------

Date: Thu, 17 Jan 2002 07:08:07 +1100
From: "Chan, Jack" <[email protected]>
Subject: Opsec Lea events handling
Hello List,

I am new to OPSEC and LEA stuff, with a rusty C++ background.
I am implementing an OPSEC LEA client starting with the downloaded example (ver 4.1.2).
I compiled the LEA example client; it compiled and works, but...

Coming from a functional C++ background, I do not know HOW and WHEN an event happens, hence I cannot control the flow of the program. Can anyone kindly explain to me what determines the events being generated and where the handler gets the parameters?

The sample program flows as follows:

Lea_start_handler
Opsec_mainloop()
Lea_dictionary_handler for 7 times
Lea_record_handler once
Lea_dictionary_handler for 9 times
Lea_record_handler for 3 times
Lea_end_handler.....

Thanks!
Jack

P.s. this is my first time on the list, take it easy if I asked a dumb question.

------------------------------

Date: Wed, 16 Jan 2002 13:41:50 -0700
From: "Michael S. Hobbs" <[email protected]>
Subject: Free S/WAN and VPN-1

Anyone,

There is a document out on Check Point's website that supposedly tells you how to set up Free S/WAN (an open-source IKE/VPN client) to connect to FW-1 (VPN-1). Has anyone gotten this to work or knows someone who has? I get an error in the 1st phase of IKE negotiation.

Michael S. Hobbs
Unicon, Inc.

------------------------------

Date: Wed, 16 Jan 2002 16:17:28 -0500
From: Joe Pampel <[email protected]>
Subject: Re: Using Cisco IOS firewall feature set

We run it on our routers as an extra layer of protection, to control traffic on the LAN and to cut down on traffic that gets logged to IDS, FW, etc. (make the logs count..) I think it's just newish and folks are worried about CPU too much? I think it works well although our loads are not that heavy in general.
I've only run it on 3600 series routers, dunno about switches, sorry!

- Joe

btw - i think it's a great idea. you should do it IMHO (for whatever that's worth!)

ps: you can use Kiwi syslog server to catch the log entries and stuff them into MSSQL and then run ColdFusion queries (or whatever) against that for a central monitoring website.. just an idea a buddy of mine is using.

>>> Eric Appelboom <[email protected]> 01/16/02 02:15PM >>>
I am looking at complementing our FW-1's with switches installed with the Cisco IOS firewall feature set.

I would like to implement this on 6500 switches also using layer 3 switching so inspection can be done on switches and not on the FW NIC. We primarily would like to reduce unnecessary internal to internal traffic.

We will use the Cisco Policy Manager version 3 which appears to be similar to the FW-1 GUI and not command line.

There doesn't appear to be many people using the IOS firewall feature set and it appears quite apt and manageable. I am aware of the TCP\UDP only inspection limitation of CBAC.

Has anyone used the IOS firewall in production and can give advice? Are there any performance comparisons?

Regards
Eric

*** Disclaimer: [...]

------------------------------

Date: Wed, 16 Jan 2002 22:52:47 +0100
From: Andras DORN <[email protected]>
Subject: Re: AW: [FW-1] Connection lost problem

Many thanks.
Regards,
_____________________________________________________________________
Dorn Andras                     [email protected], [email protected]
Andrew Dorn
Budapesti Muszaki Egyetem       Technical University of Budapest
Karman Todor Kollegium          Karman Todor Student Hostel
---------------------------------------------------------------------

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Joerg Fritsch
Sent: Tuesday, January 15, 2002 3:39 PM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Connection lost problem

Hi,

you can increase it in the submenu Policy-->>Properties TcpSessionTimeOut

--Joerg

-----Original Message-----
From: Andras DORN [mailto:[email protected]]
Sent: Tuesday, 15 January 2002 08:51
To: [email protected]
Subject: [FW-1] Connection lost problem

Hi!

I have a problem with the TCP connection interrupting time. When I make a TCP connection across my FW-1 and the connection stays quiet for more than half an hour, the firewall interrupts it and I lose the connection. So where can I increase this default time? Is it possible?

My system is FW-1 4.1 running on WinNT 4.0.
Best regards,
_____________________________________________________________________
Dorn Andras                     [email protected], [email protected]
Andrew Dorn
Budapesti Muszaki Egyetem       Technical University of Budapest
Karman Todor Kollegium          Karman Todor Student Hostel
---------------------------------------------------------------------

------------------------------

Date: Wed, 16 Jan 2002 16:55:06 -0500
From: "Einar Petana A." <[email protected]>
Subject: Re: Anti-spoofing and sendmail

Hi:

I have a big problem. I have Check Point Firewall-1 on Linux Red Hat 7.0 and the server is going down every time my buffer size memory reaches its maximum. I rebooted my server and the problem was solved. The problem is that the buffer size is increasing at an alarming rate and we don't know why this is happening. Any idea about this?
Server Specifications:
Processor: Pentium III 733 MHz
Memory RAM: 512 MB

Thanks,
Einar

------------------------------

Date: Wed, 16 Jan 2002 16:34:42 -0600
From: Richard Collins <[email protected]>
Subject: Re: Securemote with Linksys BEFSR41 router settings (?)

John Tanouye wrote:

> There seems to be a lot of discussion about being able to connect the
> Linksys router with Checkpoint's VPN. With various methods available
> tailored to each setup, it's difficult to know what works for one specific
> setup. What I would like to see are the detailed settings from people who
> got it working.
>
> I am willing to keep an archive of these for people who need it in the
> future. I know six people here at work using DSL/cable with a router, and
> all six have the same Linksys one. This should prove useful to the many
> other Linksys users out there. So how about it? Let's see your setup.
>
> Some of the settings that would be good to share:
>
> objects.C modifications
> Checkpoint version and SP
> Securemote version and SP
> Incoming/Outgoing ports opened on Firewall
>
> Linksys firmware revision
> Linksys port mappings
> Linksys DHCP/NAT settings
> MTU value
> filter settings
>
> Tips or anything else you found relevant to have a successful
> connection
>
> Thanks everyone,
>
> John
>

John,

I would be very interested in anything you find out. It's exactly what I'd like to set up.
Thanks for posting the question, let's hope that someone responds.

Richard Collins
Oak Park Ill.

------------------------------

Date: Wed, 16 Jan 2002 16:34:37 -0600
From: "Mehta, Phoram" <[email protected]>
Subject: nokia duplidisk???

This might be a sales question but still, is Duplidisk the only and the best way for disk mirroring on Nokia IP440/FW? What other alternatives do we have?
Any pointers on buying Duplidisk or other devices (s/w) might also be helpful.

Phoram Mehta
Trabon Solutions
Network Engineer
Email: [email protected]
Tel: ext. 519

------------------------------

Date: Wed, 16 Jan 2002 15:41:32 -0800
From: Anthony Mendoza <[email protected]>
Subject: Re: Securemote with Linksys BEFSR41 router settings (?)

I have this working at home and will post up info tonight.

Richard Collins wrote:

> John Tanouye wrote:
> >
>
> John,
>
> I would be very interested in anything you find out. It's exactly what I'd
> like to set up.
>
> Thanks for posting the question, let's hope that someone responds.
>
> Richard Collins
> Oak Park Ill.

--
Anthony Mendoza
IT & Customer Support
[email protected]

------------------------------

Date: Wed, 16 Jan 2002 20:43:39 -0500
From: Frank Darden <[email protected]>
Subject: Re: nokia duplidisk???

That's the only supported config. Duplidisk controllers are easy to find. However, if you put a non-Nokia supplied Duplidisk card in your Nokia, you will void the warranty, and the box will not be supported by Nokia.
Frank

-----Original Message-----
From: Mehta, Phoram [mailto:[email protected]]
Sent: Wednesday, January 16, 2002 5:35 PM
To: [email protected]
Subject: [FW-1] nokia duplidisk???

This might be a sales question but still, is Duplidisk the only and the best way for disk mirroring on Nokia IP440/FW? What other alternatives do we have?
Any pointers on buying Duplidisk or other devices (s/w) might also be helpful.

Phoram Mehta
Trabon Solutions
Network Engineer
Email: [email protected]
Tel: ext. 519

------------------------------

Date: Thu, 17 Jan 2002 13:11:02 +1100
From: Brendan Laws <[email protected]>
Subject: IPSO + Content Filtering
format. ------=_NextPart_000_0048_01C19F58.6DA801B0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi people, simple question, can anyone recommend any content filtering software have/had running on IPSO/FW-1 Thanks Brendan ------=_NextPart_000_0048_01C19F58.6DA801B0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 6.0.4630.0"> <TITLE>IPSO + Content Filtering</TITLE> </HEAD> <BODY> <!-- Converted from text/rtf format --> <P><FONT SIZE=3D2 FACE=3D"Arial">Hi people,</FONT> </P> <P> <FONT SIZE=3D2 = FACE=3D"Arial">simple question, can anyone recommend any content = filtering software have/had running on IPSO/FW-1</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Thanks</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Brendan</FONT> </P> <BR> </BODY> </HTML> ------=_NextPart_000_0048_01C19F58.6DA801B0-- ------------------------------ Date: Wed, 16 Jan 2002 23:19:50 -0400 From: Bill McSephney <[email protected]> Subject: FW-1 NG Rule Install slow???? --=====================_872700093==_.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Hi all, I'm new to the to this list, I have been though most of the archive, I have not been able to fine an answer to my problem. My problem: I have a Sun Ultra5 running Solaris7 with FW-1 NG HF2 on it. It is a replacement system for an aging SS2 with FW-1 30b-SP9. I have built the system up as close to the same rules and IPaddresses that I have on the old SS2 getting it ready to swap the two systems. As of this evening the rule base (about 20 rules) is taking about 20-30 minutes, yes that minutes not seconds to install. 
I have built up 3 other systems just like this one for other costumers both new and replacement systems in the last 2 months with out problems. I can't figure this out, any one with some Ideas? ---------- Bill McSephney,Senior Systems Analyst Sbi (Systems Business Integration) Suite 237, 48 Par-La-Ville Rd. Hamilton, Bermuda HM 11 ) Cellular:( Office:( Home:1 Office Fax:+ Email: [email protected] + other Email: [email protected]/[email protected]/[email protected] & Personal Web: http://www.bigbill.ca & Office Web: http://www.sbi.bm --=====================_872700093==_.ALT Content-Type: text/html; charset="us-ascii" <html><br> <br> <div>Hi all,</div> <br> <div>I'm new to the to this list, I have been though most of the archive, I have not been able to fine an answer to my problem.</div> <br> <br> <div>My problem:</div> <br> <div>I have a Sun Ultra5 running Solaris7 with FW-1 NG HF2 on it. </div> <div>It is a replacement system for an aging SS2 with FW-1 30b-SP9. </div> <br> I have built the system up as close to the same rules and IPaddresses that I have on the old SS2 getting it ready to swap the two systems. As of this evening the rule base (about 20 rules) is taking about 20-30 minutes, yes that minutes not seconds to install. I have built up 3 other systems just like this one for other costumers both new and replacement systems in the last 2 months with out problems. I can't figure this out, any one with some Ideas? <br> <hr> <font face="Times New Roman, Times" size=5 color="#000080"><b>Bill McSephney</b></font><font face="Courier New, Courier" size=1 color="#000080">,</font><font face="Courier New, Courier" size=2 color="#000080"><b>Senior Systems Analyst<br> </font><font face="Times New Roman CE, Times" size=4 color="#000080">Sbi (Systems Business Integration)<br> </font><font face="Times New Roman CE, Times" size=2 color="#808080"><i>Suite 237, 48 Par-La-Ville Rd. 
Hamilton, Bermuda HM 11<br> </i></font><font face="Wingdings" size=2>)</font><font face="Courier New, Courier" size=2> </font><font face="Times New Roman CE, Times" size=2>Cellular:</b></font><font face="Courier New, Courier" size=1> </font><font face="Wingdings" color="#808080">(</font><font face="Courier New, Courier" size=1 color="#808080"> </font><font face="Times New Roman CE, Times" size=1 color="#808080">Office:<br> </font><font face="Wingdings" color="#C0C0C0">(</font><font face="Courier New, Courier" size=1 color="#C0C0C0"> Home:</font><font face="Courier New, Courier" size=1> </font><font face="Wingdings" color="#808080">1</font><font face="Courier New, Courier" size=1 color="#808080"> </font><font face="Times New Roman CE, Times" size=1 color="#808080">Office Fax:<br> </font><font face="Wingdings" size=2><b>+</font><font face="Courier New, Courier" size=2> Email: [email protected]</b></font><font face="Courier New, Courier" size=1> </font><font face="Wingdings" color="#808080">+</font><font face="Courier New, Courier" size=1 color="#808080"> </font><font face="Times New Roman CYR, Times" size=1 color="#808080">other Email: [email protected]/[email protected]/[email protected]<br> </font><font face="Wingdings">&</font><font face="Courier New, Courier"> </font><font face="Times New Roman CE, Times" size=1>Personal Web:</font><font face="Times New Roman CE, Times" size=1 color="#808080"> <a href="http://www.bigbill.ca/" eudora="autourl"><u>http</a></font><font face="Times New Roman CE, Times" size=1 color="#0000FF">://</u><a href="http://www.bigbill.ca/" eudora="autourl">www.bigbill.ca</a></font><font face="Courier New, Courier" size=1> </font><font face="Wingdings" color="#808080">&</font><font face="Courier New, Courier" size=1 color="#808080"> </font><font face="Times New Roman CE, Times" size=1 color="#808080">Office Web: <a href="http://www.sbi.bm/" eudora="autourl"><u>http://www.sbi.bm</a></font></u></html> --=====================_872700093==_.ALT-- 
------------------------------

Date: Thu, 17 Jan 2002 06:36:41 +0100
From: [email protected]
Subject: ISDN-Backup for VPN-Connection

Hi,

We have a central FW 4.1 (Sun system) and some Nokia boxes (IP440, FW 4.1) in the branch offices. They are connected over a VPN tunnel. Is it possible to make an ISDN backup for this VPN connection? Can I do this with a routing protocol? Does anyone have an idea where I can find any information about this issue?

Many thanks
Manfred

------------------------------

Date: Thu, 17 Jan 2002 01:36:23 -0500
From: Don <[email protected]>
Subject: Re: Using Cisco IOS firewall feature set

> I am looking at complementing our FW-1's with switches installed with
> the Cisco IOS firewall feature set.
>
> I would like to implement this on 6500 switches also using layer 3
> switching so inspection can be done on switches and not on fw nic.
> We primarily would like to reduce unnecessary internal to internal
> traffic.
>
> Does anyone use the IOS firewall in production and can give advice?

I have used both standard access lists and IOS Firewall in production. IOS Firewall is a lot like PIX-lite. If you need a smaller firewall for a limited set of reasons, then it may be perfect.

When I have CheckPoint in an environment, I tend to let the firewall act like a firewall, and I reserve access lists and IOS Firewall for things like anti-spoofing, blocking attacks on the router or switch directly, and limited other uses. It makes troubleshooting problems a lot easier when you do not need to figure out which system is causing a problem: your router, your switch or your firewall.

> Are there any performance comparisons?

It would not be fair to compare performance because the capabilities of IOS Firewall and PIX or CheckPoint are very different.
-Don

------------------------------

Date: Thu, 17 Jan 2002 08:57:23 +0200
From: Mike Glassman - Admin <[email protected]>
Subject: Unable to connect to Citrix via NFuse

Morning all,

We are having a very odd issue here regarding NFuse via a FW. We set up our Citrix farm (4 servers) and created the NFuse on our IIS server as per the documentation. I then set up a WS object for the IIS server with a valid IP address NAT. We can connect to the NFuse system and run applications fine from inside the network, and when we access the NAT'd address or the internal address of the IIS server (via VPN) via the Internet, all is fine as far as the logon screen and the application screen. The moment we try to run an application we get an error stating that "There is no Citrix Server configured on the specified address".

We have set up the /altaddr parameter and changed the corresponding files to show this address (the NAT'd address of the IIS server) with no luck at all. I know this should work, but for the life of me I do not know what else to do. As far as I can tell, the FW setup is OK, with a rule allowing pre-defined users to access the Citrix server (IIS NFuse setup) using HTTP. I also tried allowing any protocol with no luck.

Any ideas at all? Is it something on the FW side? I'd really appreciate some help on this one.

Thanks,
Mike Glassman
System & Security Admin
Computer & Information Systems
Israeli Airports Authority
Ben-Gurion Airport
http://www.ben-gurion-airport.co.il
Tel : 972-3-9710785
Fax : 972-3-9710939
Email : [email protected]

Usage of this email address or any email address at iaa.gov.il for the purpose of sales pitches, SPAM or any other such unwanted garbage is illegal, and any person, whether corporate or alone, doing so will be prosecuted to the fullest possible extent.
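Don's reply earlier in this digest (Re: Using Cisco IOS firewall feature set) leaves general firewalling to FW-1 and uses IOS access lists and the IOS Firewall feature set only for anti-spoofing, for protecting the router or switch itself, and for a few limited cases. The configuration fragment below is an added example of that division of labour; it is not from Don's message or from any poster in this digest. The topology (a Catalyst 6500 doing layer-3 switching, Vlan10 as a user VLAN on 10.0.10.0/24, Vlan200 facing the Check Point firewall, 10.0.99.0/24 as the admin subnet) and the ACL and inspect names (VLAN10-IN, FROM-FW-IN, MGMT-HOSTS, INSIDE-OUT) are assumptions chosen for illustration.

```ios
! Added example, not from Don's message. Addresses, VLAN numbers and names are placeholders.
!
! 1. Anti-spoofing on the user VLAN: only packets sourced from the VLAN's own
!    subnet may enter the switch here. Anything else carries a forged source
!    and is dropped (and logged while you are tuning the rule).
ip access-list extended VLAN10-IN
 permit ip 10.0.10.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! 2. Protecting the switch itself: management sessions only from the admin
!    subnet, applied on the VTY lines rather than on every interface.
ip access-list standard MGMT-HOSTS
 permit 10.0.99.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! 3. A "limited other use" of the IOS Firewall feature set (CBAC): sessions
!    that start in VLAN 10 are inspected on the way out, and only their return
!    traffic is let back in from the firewall side. New connections towards
!    VLAN 10 are refused by the switch; everything else still goes through the
!    Check Point firewall behind Vlan200.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
!
ip access-list extended FROM-FW-IN
 deny   ip any 10.0.10.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip inspect INSIDE-OUT in
!
interface Vlan200
 ip address 10.0.200.1 255.255.255.0
 ip access-group FROM-FW-IN in
```

Two practical notes on this. The `log` keyword makes every matching packet hit the CPU on a hardware-switched platform such as the 6500, so on a busy link leave it off or keep it only on the deny line while troubleshooting. CBAC works by inspecting sessions on the interface where they originate (`ip inspect ... in` on Vlan10) and punching temporary holes through the access list on the return interface (FROM-FW-IN on Vlan200); the inspected traffic is handled in software on the MSFC rather than in the switching hardware, which is one more reason to keep its use as limited as Don suggests.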
------------------------------

Date: Thu, 17 Jan 2002 07:46:08 +0000
From: jethra shah <[email protected]>
Subject: Checkpoint FW-1 2000 installation on Windows 2000

Hello gurus,

I have been trying to install Checkpoint 2000 (FW-1/VPN, Meta-IP) on a Windows 2000 server with no success. I have encountered the following issues:

- The autorun terminates with a suggestion of manual installation.
- Manual installation works fine, but the problem comes when installing the FW rulebase. I am getting the following error:

  Standard.W: Security Policy Script generated into Standard.pf
  Standard: Compiled OK.
  Downloading Security Policy C:\WINNT\FW1\4.1\conf\Standard.pf to localhost(mtz5fw)
  Downloading on localhost(mtz5fw) succeeded
  Installing Security Policy Standard on all.all@mtz5fw
  Using external interface ''
  Unable to open '\Device\FW1': The system cannot find the file specified.
  Failed to get interface list: The system cannot find the file specified.
  Has only loopback (lo) interface, aborting...
  Failed to Load Security Policy: The system cannot find the file specified.
  Installing Security Policy on localhost(mtz5fw) failed.

Is there a specific build of Checkpoint 2000 for Windows 2000 server? Any help will be appreciated.

shah
------------------------------

End of FW-1-MAILINGLIST Digest - 15 Jan 2002 to 16 Jan 2002 (#2002-17)
**********************************************************************

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] and in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================