Re: [FW-1] Decreasing tcpendtimeout
We had a somewhat similar situation with our VPN and Terminal Services. Seemed to be related to a security feature in NAT spoofing. Found a line in the FW config that corrected the situation.

Here's what we did to the \lib\fwgui_head.def file in 4.1...

 * Uncomment the following line to enable TCP Non-SYN packet to go through
 * the rule-base. */
#define ALLOW_NON_SYN_RULEBASE_MATCH

Brad Rusnak
Bank One - EIG
300 S. Riverside Plaza
M/L IL1-0746
Chicago, IL 60670
(V)(P)(C)(F) [email protected] [email protected]

Italo Dacosta <[email protected]>@beethoven.us.checkpoint.com> on 08/20/2002 09:31:28 AM

Please respond to Mailing list for discussion of Firewall-1 <[email protected]>

Sent by: Mailing list for discussion of Firewall-1 <[email protected]>

To: [email protected]
cc:
Subject: [FW-1] Decreasing tcpendtimeout

Hello everyone,

I have problems with Windows NT 4.0 PCs trying to print documents using a remote printer (HP jetdirect + LaserJet 1200) across the firewall (Check Point VPN1 NG FP1) with Microsoft LPD/LPR printer protocol (port 515). We found that the print application will frequently close connections, and then in less than 50 seconds, it will try to open them again, causing "Syn for established connection" dropped packets.

We found that one solution is to decrease the default timer for half-closed connections (tcpendtimeout) to a much smaller value than 50 seconds (e.g. 10 seconds). We would like to know what are the risks or problems associated with this change.

We have two Nokia IP330 appliances (IPSO 3.4.2) in cluster configuration (VRRP) with Check Point VPN-1/Firewall-1 NG Feature Pack 1.

Thanks in advance for your help.

Regards.
Italo Dacosta

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
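The behaviour discussed in this thread, modelled as an added example that is not part of either message and is not Check Point code: a toy connection table in which an entry survives for tcpendtimeout seconds after a FIN, so a fresh SYN on the same 4-tuple is dropped until the timer runs out. The class, function names, addresses and source port are constructed assumptions; the allow_non_syn switch is only a stand-in for the ALLOW_NON_SYN_RULEBASE_MATCH define quoted above.

```python
ESTABLISHED, HALF_CLOSED = "ESTABLISHED", "HALF_CLOSED"

class ConnTable:
    """Toy stateful-inspection table; a simplification, not Check Point code."""

    def __init__(self, tcp_end_timeout, session_timeout=3600, allow_non_syn=False):
        self.tcp_end_timeout = tcp_end_timeout  # seconds an entry lives after a FIN
        self.session_timeout = session_timeout  # idle lifetime while established
        self.allow_non_syn = allow_non_syn      # models ALLOW_NON_SYN_RULEBASE_MATCH
        self.conns = {}                         # 4-tuple -> (state, expires_at)

    def packet(self, now, key, flags):
        """Return the verdict for one packet with TCP `flags` seen at `now`."""
        entry = self.conns.get(key)
        if entry and entry[1] <= now:           # timer ran out: forget the entry
            del self.conns[key]
            entry = None
        if flags == "SYN":
            if entry:
                return "drop: SYN for established connection"
            self.conns[key] = (ESTABLISHED, now + self.session_timeout)
            return "accept: new connection"
        if entry is None:
            if self.allow_non_syn:
                return "rule-base: non-SYN packet evaluated against the rules"
            return "drop: non-SYN packet with no table entry"
        if flags == "FIN":
            self.conns[key] = (HALF_CLOSED, now + self.tcp_end_timeout)
        elif entry[0] == ESTABLISHED:
            self.conns[key] = (ESTABLISHED, now + self.session_timeout)
        return "accept: matches table entry"

# Constructed flow: client 192.0.2.10 reuses source port 721 towards LPD on 515.
FLOW = ("192.0.2.10", 721, "192.0.2.20", 515)

def reopen_verdict(tcp_end_timeout, reopen_after):
    """Open, close at t=2, then send a fresh SYN `reopen_after` seconds later."""
    fw = ConnTable(tcp_end_timeout)
    fw.packet(0, FLOW, "SYN")
    fw.packet(2, FLOW, "FIN")
    return fw.packet(2 + reopen_after, FLOW, "SYN")

def late_ack_verdict(tcp_end_timeout, delay, allow_non_syn=False):
    """Verdict for a straggling ACK of the old connection `delay` s after the FIN."""
    fw = ConnTable(tcp_end_timeout, allow_non_syn=allow_non_syn)
    fw.packet(0, FLOW, "SYN")
    fw.packet(2, FLOW, "FIN")
    return fw.packet(2 + delay, FLOW, "ACK")

if __name__ == "__main__":
    for timeout in (50, 10):
        print(timeout, reopen_verdict(timeout, 30), "|", late_ack_verdict(timeout, 15))
```

In this model the shorter timer lets the reconnect through, and the same change means a packet of the old connection arriving after the entry has expired no longer matches the table.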