[FW-1] fw log core dump on solaris
Hi,

I have a problem when running fw log on a Solaris management station. When the log file is bigger than 5 Mbs, the process cores (SIGSEGV or SIGBUS). Adding the -p -n options doesn't solve the problem. Could anyone tell me if there is a workaround to avoid this? I suspect a memory issue with Solaris. The server has no specific parameter in /etc/system.

Thanks
Re: [FW-1] scratching my head over this one. Interface topology in NGx R61
cisco4ng wrote:

> Hi, Once I define a checkpoint gateway object and gateway cluster object and put the gateway object into the gateway cluster object, under the topology, how can I tell the Internal interface that there is a network of 192.168.1.0/24 behind this interface as well? Is there a setting somewhere that can be done in NGx?

If you edit the interface and set the topology to internal, you can still define a group for the antispoofing. It looks similar to what you could do on r55. Could you send a screen capture of the topology window you have?

> In R55w, it used to be very simple, I just have to define a group object and put all of the networks behind a particular interface into that group object and assign it to that particular interface topology. Help please.
>
> cisco4ng
Re: [FW-1] scratching my head over this one. Interface topology in NGx R61
cisco4ng wrote:

> The thing is that the topology is already set to internal without me doing anything about it. It would not even let me edit the topology.

Did you get the topology from the gateway or define it manually?

> cisco4ng
[FW-1] cannot read fw monitor capture with ethereal
Hi,

I have a fw monitor capture from a secureplatform, but as I try to open the file with ethereal, I have the following message:

*The capture file appears to be damaged or corrupt. (snoop: File has 15872-byte record with packet size of 15872)*

The secureplatform version is NGX. The file is sent by a client. I tried to capture a trace on a local installation, and the file generated can be opened without the error message by ethereal. Has anyone ever seen this message?
Re: [FW-1] cannot read fw monitor capture with ethereal
Christian Chiaverini wrote:

> Download the modified ethereal utility from CheckPoint's site. cpethereal

There is another error message: the capture file appears to have been cut short in the middle of a packet.

> Christian Chiaverini
> CCSE
Re: [FW-1] cannot read fw monitor capture with ethereal
Sergio Alvarez wrote:

> Well, it could be in fact bad or corrupted, errors occur. Why don't you just try to get the capture again?

Tried soon, looks like the customer's fw monitor isn't ethereal compliant :)
Re: [FW-1] cannot read fw monitor capture with ethereal
Lars Troen wrote:

> > tried soon, looks like the customer's fw monitor isn't ethereal compliant :)
>
> Here's a howto on fw monitor and cpethereal: http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
>
> Lars

I tried this also ..
Re: [FW-1] cannot read fw monitor capture with ethereal
Scott Tobias wrote:

> I have seen this before when the file is uploaded ascii. Have them try it again in binary.

That's what I asked. The client told me it was transferred in binary.
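The faults raised in this thread (a record whose length cannot hold its packet, a file cut short in the middle of a packet, and damage from an ASCII-mode transfer) can be checked offline before asking for a new capture. The Python script below is an added example, not code from the list or from Check Point. It assumes the RFC 1761 snoop layout that the Ethereal message names; the sample capture and the CRLF heuristic are constructed for illustration.

```python
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"
FILE_HDR = struct.Struct(">8sII")    # magic, format version, datalink type
REC_HDR = struct.Struct(">IIIIII")   # orig_len, incl_len, rec_len, drops, ts_sec, ts_usec


def check_snoop(data):
    """Walk every record of a snoop capture and stop at the first structural fault.

    Returns a dict: ok, records (records that parsed cleanly), offset (where the
    walk stopped) and reason (empty when the file is consistent).
    """
    res = {"ok": False, "records": 0, "offset": 0, "reason": ""}
    if len(data) < FILE_HDR.size:
        res["reason"] = "file is shorter than the 16-byte snoop file header"
        return res
    magic, _version, _linktype = FILE_HDR.unpack_from(data, 0)
    if magic != SNOOP_MAGIC:
        res["reason"] = "bad magic, not a snoop file"
        return res
    off = FILE_HDR.size
    while off < len(data):
        res["offset"] = off
        if len(data) - off < REC_HDR.size:
            res["reason"] = "cut short inside a record header"
            return res
        _orig, incl_len, rec_len, _drops, _sec, _usec = REC_HDR.unpack_from(data, off)
        # rec_len covers the 24-byte record header, the captured bytes and padding,
        # so it can never be smaller than header + incl_len in an intact file.
        if rec_len < REC_HDR.size + incl_len:
            res["reason"] = f"{rec_len}-byte record with packet size of {incl_len}"
            return res
        if off + rec_len > len(data):
            res["reason"] = "cut short in the middle of a packet"
            return res
        off += rec_len
        res["records"] += 1
    res["ok"] = True
    res["offset"] = off
    return res


def lf_to_crlf_suspected(data, min_lf=8):
    """Heuristic (assumption of this example): in binary data most 0x0A bytes are
    not preceded by 0x0D. If every one of them is, an LF -> CRLF text-mode
    conversion has probably been applied to the file."""
    lf = data.count(b"\n")
    return lf >= min_lf and lf == data.count(b"\r\n")


def build_sample():
    """Constructed three-record capture (version 2, datalink type 4 = Ethernet)."""
    payload = b"GET / HTTP/1.0\n" * 4            # 60 bytes, already 4-byte aligned
    out = FILE_HDR.pack(SNOOP_MAGIC, 2, 4)
    for i in range(3):
        pad = (-len(payload)) % 4
        rec_len = REC_HDR.size + len(payload) + pad
        out += REC_HDR.pack(len(payload), len(payload), rec_len, 0, 0x45080000 + i, 0)
        out += payload + b"\x00" * pad
    return out


if __name__ == "__main__":
    good = build_sample()
    samples = {
        "intact": good,
        "ascii-mode transfer": good.replace(b"\n", b"\r\n"),
        "truncated": good[:-10],
    }
    for name, blob in samples.items():
        print(name, check_snoop(blob), "crlf suspected:", lf_to_crlf_suspected(blob))
```

On the constructed CRLF-damaged sample the walk stops at the second record with a record length equal to the packet size, the same shape as the message quoted in the thread.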
Re: [FW-1] Hardware upgrade questions...
Joe Demarest wrote:

> Folks, I have gotten to the bottom of my CP - HA flipping back and forth problems with Solaris. I put a much larger box in place of one of the firewalls and the problem has been better for some time now. This leads me to believe that I need to upgrade my hardware, which I have been saying for some time. I would prefer to move away from Solaris and get into an appliance. So should I go with Nokia or something else?

Hi, I migrated a few years ago from solaris to nokia, because the dynamic routing on solaris wasn't easy, and vrrp on nokia looks also very interesting (I won't talk about multicast, because of an issue never corrected ...).

> I saw a message the other day on this list that someone was talking about a page on CP's website that pointed to hardware specs and connections for different hardware. Can someone send me that link and give me some ideas of what kind of experiences they have had with Nokia or some other appliances. Also, a second question. When I do upgrade to say a Nokia, can I just fail over to my backup box then join the Nokia to my HA cluster and then fail back to the Nokia? Or is it more complex than this?

The upgrade ran this way: installing a nokia ha pair or cluster, starting to play with vrrp, dynamic routing, and so on, and then starting to migrate some rules (telnet or ftp for internal use) on nokia to debug anti spoofing, vrrp and so on (try to switch from one pair to another, etc). It's never a good idea to have a heterogeneous cluster.

> Thanks in advance!
>
> Joe
Re: [FW-1] Need help on upgrading
Kim Longenbaugh wrote:

> Does the upgrade export/upgrade import take care of the routing and networking too?

Check the generated archive for any network definition file ... the answer is no. You have to save your routing and interface definitions and restore them to the new machine before you import.
Re: [FW-1] Question about outgoing rules...
Joe Demarest wrote:

> OK, so this one gets me fired up, my FW is set up so that I am only inspecting incoming packets. So, why do I need to sometimes put outgoing rules in? I had one today where after fighting that the FW doesn't block outgoing packets I finally put a rule in for 446 so MS servers could get out and then it worked. What am I missing? It is kind of like the X windows stuff. You can put in an any service rule, you still need to put an X-windows rule after it. We always say, any doesn't really mean any with CP.

If you have smartdefense inspecting your traffic, there is a proxy for each smartdefended service, so you'll have outgoing traffic. But this can also be enabled using the implied rules. Do you have any log about your MS server and either smartdefense or the 446 port?

> Joe
[FW-1] vpn1 edge + vpn-1 isp redundancy
Hi,

I'd like to know if there is a way to set a vpn-1 edge to use automatically one or another IP address of a checkpoint VPN gateway configured with ISP redundancy. It looks like the securemote mode doesn't allow this, but has anyone ever tried to set such a configuration?

Thanks
[FW-1] IKE : CRL is not yet valid
Hello,

From a fresh install using ngx61, I have the following message when I try to set my splat gateway as vpn gateway:

Information: Validation log: Certificate ICA_CERT cannot be validated.
Reason: CRL is not yet valid. Make sure that the time, daylight saving time and date on your machine are well configured.
DN: CN=splatlab VPN Certificate,O=CP61MngtSrv..vee9ya
Instruction: If this log persists, contact the CA administrator.

The date and time are set correctly (the management acts as ntp server for the gateway). I reinstalled both gateway and management, and I still have the same error. Any idea?
Re: [FW-1] IKE : CRL is not yet valid
Claudia Cordova wrote:

> Maybe you created the certificate before SIC. Try to remove the certificate and renew it. Of course, you should establish SIC before that.

Nice try, but there is no SIC with a vpn1 edge. I'll try to set an external CA, and see if it works better. I'll give feedback asap ...

> Claudia Cordova
> Technical Support
> SEFISA-El Salvador
[FW-1] add a driver to a splat iso
Hi,

I'd like to install a splat on a dell 2950, but my media kit doesn't include the driver for the perc 5, and my server doesn't have any internal floppy disk. Checkpoint site says I have to (buy and) use the latest media kit, but I think it's quite expensive to pay an extra media kit for a free driver. Is there a way I can modify the iso image to include the driver for the perc 5?

Thanks
Re: [FW-1] IKE : CRL is not yet valid
pkc_mls wrote:

> Claudia Cordova wrote:
>
> > Maybe you created the certificate before SIC. Try to remove the certificate and renew it. Of course, you should establish SIC before that.
>
> Nice try, but there is no SIC with a vpn1 edge. I'll try to set an external CA, and see if it works better. I'll give feedback asap ...

I edited all files containing this internal_CA_check_CRL: true and set to false. It works much better now.

By the way, has anyone a working version of the gui dbedit for ngx on windows?

Thanks
Re: [FW-1] database integrity checking tool?
Nick Whitworth wrote:

> Does anyone know of any tool for checking the integrity of databases on an NGX (R60) management station?

You mean, something like cpstop fwm vdb cpstart? I tried only on the management server. I don't know if it works on a firewall module, but cpstop isn't recommended on a gateway.

> Thanks
>
> Nick Whitworth
[FW-1] ssh through vpn
Hi,

I try to setup a config between a splat and a vpn1 edge. When I try to connect using ftp, the banner comes immediately. When I try with ssh, I have to wait almost 2 minutes before it asks me for the login. The tracker shows some out of state connections, but even if I choose not to drop out of state tcp (on splat and vpn1), it's always slow. Has anyone ever seen this?

Thanks
Re: [FW-1] ssh through vpn
David Palmer wrote:

> I have seen similar issue. It was corrected by adding a static host entry

Could you please give further details? (I tried to add host entry for the client on the server, and for the server on the client, but that didn't work).

Thanks
Re: [FW-1] reading a license
Miguel Angel Gutierrez wrote:

> hello people... does anybody know of a document or link with a table or some sort of device that could help me read the features that a license file has? example:
>
> CPMP-VFF-U-NG
> CPVP-VSR-1000-NG
> CPVP-VPS-1-NG

Hello, you can pick some infos from this page: http://www.fw-1.de/aerasec/ng/license-features-basic.html and also from this one: http://www.fw-1.de/aerasec/ng/license-features.html

If you downloaded the infoview tool from checkpoint, there is an exe called licview. Choose the version, then type * in the SKU field.

CPMP-VFF-U-NG gives: vpn1 floodgate 1 module unlimited NG
CPVP-VSR-1000-NG: vpn1 securemote for 1000 users
CPVP-VPS-1-NG: VPN1 policy server for a single server

> I feel frustrated by not knowing what all those mean... is like having a drag-racing car and not being able to see under the hood :P hehehe...
>
> regards,
> TELVISTA CERTIFIED
Re: [FW-1] ssh through vpn
[EMAIL PROTECTED] wrote:

> Hi, Most of the times this is a resolver problem. Change your sshd_config:
>
> #UseDNS yes
>
> to
>
> UseDNS no
>
> restart sshd daemon
>
> man sshd and http://marc.theaimsgroup.com/?t=10513978811r=1w=2
>
> Kr. Robby

I tried the modification above, but I still have the same problem. I saw that the MSS are modified (by the vpn gateway or the vpn edge).

          client    splat     vpn edge   server
syn       1360   -  1360   -  1280    -  1280
syn-ack   1380   -  1380   -  1460    -  1460

Has anyone a running config with an ssh through vpn? If so, could he detail the installation? (ssh client, ssh server, gateways, vpn settings).

Thanks
[FW-1] gui dbedit
Hi, I'm desperately looking for the gui for the dbedit command ? could anyone give me the link at the checkpoint site to download this tool ? or is it faster to edit manually the objects file(s) ? thanks
Re: [FW-1] gui dbedit
Brockhoven, Werner wrote:
> Hi, You will find a copy of GuiDBedit.exe under your SmartConsole installation directory. E.g. C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM

I can't find the binary. the guidbedit directory is created, but is empty :(. could anyone send me the guidbedit binary for r60/r61 on windows ? thanks
Nicolas Figaro

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of pkc_mls
> Sent: Monday, October 23, 2006 09:21
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] gui dbedit
>
> Hi, I'm desperately looking for the gui for the dbedit command ? could anyone give me the link at the checkpoint site to download this tool ? or is it faster to edit manually the objects file(s) ? thanks
Re: [FW-1] gui dbedit
pkc_mls wrote:
> Brockhoven, Werner wrote:
>> Hi, You will find a copy of GuiDBedit.exe under your SmartConsole installation directory. E.g. C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM
> I can't find the binary. the guidbedit directory is created, but is empty :(. could anyone send me the guidbedit binary for r60/r61 on windows ?

it looks like the gui dbedit is not installed on the smartcenter. I installed another smartconsole on another workstation, and the gui is there.
Re: [FW-1] Dell PowerEdge 1950
Miguel Angel Gutierrez wrote:
> hello list,
> we were evaluating a dell 1950 in order to set up SPLAT in it, and already took a look at the hardware compatibility page:
> http://www.checkpoint.com/products/supported_platforms/recommended/ngx/ver_r60/017.html
> but I didn't catch the hard drive specs so well... is it safe to say that SPLAT can recognize, manage and work under this kind of hard drives:
> 341-3094 PERC 5/i, Integrated Controller Card
> 341-3030 146GB, SAS, 3.5-inch 10K RPM Hard Drive
> 341-3084 Integrated SAS/SATA RAID 1 PERC 5/i Integrated
> I wouldn't like any nasty surprises during the setup hehehe... thank you for the comments...

for the perc5 you need specific media packs. the supported hardware is described at this url : http://www.checkpoint.com/products/supported_platforms/secureplatform.html

check your cds before the installation. you can add a drive to splat during the installation only if you have an internal floppy (usb drives, usb floppies cannot be used to add a driver). if you're looking for the driver, dell doesn't provide it for linux RHEL3. you need to check at lsi site for the megaraid driver for linux.

the dell 1950 requirements are detailed here : http://www.checkpoint.com/products/supported_platforms/recommended/ngx/ver_r60/017.html

you need to pay for the medias or to use a SR ticket to obtain the media kit if you don't have the cds. hope this'll help.
Re: [FW-1] Urgent help needed. NGx R61 with HFA_01 and Microsoft DCE-RPC
cisco4ng wrote:
> scenario:
> hostA---FWA---Internet---FWB---hostB
> FWA is a Cisco Pix version 7.2(1)
> FWB is running NGx R61 with HFA_01 running on IPSO 4.1 build 19
> hostA is a windows XP Pro. with Service Pack 2 and latest patches
> hostB is Windows 2003 Service Pack 1 with latest patches
>
> I have site-to-site VPN between FWA and FWB. VPN is up and running and everything is allowed through the VPN tunnel. HostB is an Microsoft AD Controller, let call it nxia. When I tried to add hostA into domain nxia, I am seeing this in the smartview tracker:
>
> Number: 1917
> Date: 29Oct2006
> Time: 9:51:16
> Product: SmartDefense
> Interface:eth3c0
> Origin:10.209.84.36
> Type: Log
> Action:Reject
> Service: gmsRPC-tcp (135)
> Source: 198147010097.nxia.com (192.168.1.97)
> Destination: h_10.85.84.27 (10.85.84.27)
> Protocol:tcp
> Source Port:1257
> Attack Name: DCE-RPC Enforcement Violation
> Information: DCE-RPC Interface UID: e3514235-4b06-11d1-ab04-00c04fc2dcd2
> Attack Information: UUID is not allowed through the Rule Base
>
> Furthermore, if I add another Microsoft Windows 2003 Enterprise Server, hostC, behind FWA, and I tried to make hostC another AD controller of nxia domain, it fails with the same error that I am getting above. It seems to me that NGx R61 (even with HFA_01) is having issues with Microsoft AD to properly across the firewall. I've been researching Checkpoint Knowledge base and from those SKs, it seems that Checkpoint has fixed this in HFA_04 or NGx R60 or HFA_01 in NGx R61. But it is not working for me. The SKs are sk25562, sk31245 and sk31166. I tried to modify the dcerpc.def file but these knowledge base is for NG AI or NGx R60 and not R61. Anyone is running into similar issue like this one and how do you fix this? thanks.

there is a workaround proposed by microsoft about this issue (the uuid on 2003 sp1 are not the same). http://support.microsoft.com/kb/899148/fr I never tried this, but I hope this'll work for you.

> cisco4ng
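To see which RPC interfaces a domain join or DC promotion is being refused on, tracker records like the one quoted above can be parsed and grouped by interface UUID. The Python below is an added example, not part of the original posts: the first sample record is the one from the thread, the others are constructed, and the UUID-to-name table is an added lookup of well-known Microsoft RPC interface identifiers that the thread itself does not list.

```python
import re
from collections import Counter

# Field labels as they appear in the SmartView Tracker record quoted in the thread.
FIELDS = [
    "Number", "Date", "Time", "Product", "Interface", "Origin", "Type",
    "Action", "Service", "Source", "Destination", "Protocol",
    "Source Port", "Attack Name", "Information", "Attack Information",
]
# Longest labels first, so "Source Port" is not read as "Source" and
# "Attack Information" is not read as "Information".
FIELD_RE = re.compile(
    r"(?<![\w-])("
    + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True))
    + r"):"
)
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Added lookup table (not from the thread): RPC interfaces used by Active Directory.
KNOWN_INTERFACES = {
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmapper (RPC endpoint mapper)",
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "drsuapi (directory replication)",
    "12345678-1234-abcd-ef00-01234567cffb": "netlogon",
    "12345778-1234-abcd-ef00-0123456789ac": "samr",
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc",
}

# The record quoted in the thread, flattened onto one line as the archive shows it.
PAGE_RECORD = (
    "Number: 1917 Date: 29Oct2006 Time: 9:51:16 Product: SmartDefense "
    "Interface:eth3c0 Origin:10.209.84.36 Type: Log Action:Reject "
    "Service: gmsRPC-tcp (135) Source: 198147010097.nxia.com (192.168.1.97) "
    "Destination: h_10.85.84.27 (10.85.84.27) Protocol:tcp Source Port:1257 "
    "Attack Name: DCE-RPC Enforcement Violation "
    "Information: DCE-RPC Interface UID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 "
    "Attack Information: UUID is not allowed through the Rule Base"
)
PAGE_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# Constructed records (not from the thread) to exercise grouping and filtering.
CONSTRUCTED = [
    PAGE_RECORD.replace("Number: 1917", "Number: 1918")
               .replace("Source Port:1257", "Source Port:1260"),
    PAGE_RECORD.replace("Number: 1917", "Number: 1919")
               .replace(PAGE_UUID, "12345678-1234-abcd-ef00-01234567cffb"),
    PAGE_RECORD.replace("Number: 1917", "Number: 1920")
               .replace(PAGE_UUID, "0a0b0c0d-1111-2222-3333-444455556666"),  # made-up UUID
    "Number: 1921 Date: 29Oct2006 Time: 9:52:03 Product: VPN-1 & FireWall-1 "
    "Interface:eth3c0 Origin:10.209.84.36 Type: Log Action:Accept "
    "Service: ldap (389) Source: 198147010097.nxia.com (192.168.1.97) "
    "Destination: h_10.85.84.27 (10.85.84.27) Protocol:tcp Source Port:1261",
]


def parse_record(text):
    """Split one flattened tracker record into a {label: value} dict."""
    hits = list(FIELD_RE.finditer(text))
    record = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        record[hit.group(1)] = text[hit.end():end].strip()
    return record


def host_ip(value):
    """Return the address in 'name (a.b.c.d)', or the raw value if absent."""
    m = IP_RE.search(value)
    return m.group(1) if m else value.strip()


def rejected_interfaces(records):
    """Count DCE-RPC enforcement rejects per (source, destination, UUID)."""
    counts = Counter()
    for rec in records:
        if rec.get("Action") != "Reject":
            continue
        if "DCE-RPC" not in rec.get("Attack Name", ""):
            continue
        m = UUID_RE.search(rec.get("Information", ""))
        if m is None:
            continue  # reject without an interface UUID: nothing to group on
        key = (host_ip(rec.get("Source", "")),
               host_ip(rec.get("Destination", "")),
               m.group(0).lower())
        counts[key] += 1
    return counts


def report(counts):
    """One line per flow and interface, most frequent first."""
    lines = []
    for (src, dst, uuid), n in counts.most_common():
        name = KNOWN_INTERFACES.get(uuid, "unknown interface, identify before allowing")
        lines.append(f"{n:3d}  {src} -> {dst}  {uuid}  {name}")
    return lines


if __name__ == "__main__":
    recs = [parse_record(r) for r in [PAGE_RECORD] + CONSTRUCTED]
    print("\n".join(report(rejected_interfaces(recs))))
```

Grouping by UUID before touching the DCE-RPC service definition shows which interfaces the flow actually needs, so only those are permitted between the two named hosts.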
Re: [FW-1] Urgent help needed. NGx R61 with HFA_01 and Microsoft DCE-RPC
> http://support.microsoft.com/kb/899148/fr

remove the /fr for the same infos not in french. (quite hard on monday morning ... )

> I never tried this, but I hope this'll work for you.
>> cisco4ng
Re: [FW-1] Urgent help needed. NGx R61 with HFA_01 and Microsoft DCE-RPC
cisco4ng wrote:
> hi,
> Thanks for the link. However, when I look under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\ I do not see Rpc subkey. The sk seems to imply that the sub key is already there. Furthermore, my windows Enterprise 2003 server is an AD server. Anymore ideas? thanks.

if you have an access to the secureknowledge, you can search for dcerpc.def. otherwise, try the same search in the mailing list archive (msgs.securepoint.com allows you to search through the archives).

> cisco4ng
>
> pkc_mls [EMAIL PROTECTED] wrote:
>> http://support.microsoft.com/kb/899148/fr
>> remove the /fr for the same infos not in french. (quite hard on monday morning ... )
>> I never tried this, but I hope this'll work for you.
>>> cisco4ng
[FW-1] eth0:0 on a splat cluster
hello, I tried to configure a cluster interface on a virtual interface of a secureplatform cluster. the eth0:0 interfaces are configured on my cluster nodes. the topology is manually defined. but when the cluster works in load sharing mode, there is no response to the arp request to the cluster IP. in high availability, the cluster interface can be pinged. has anyone ever managed to set a virtual ip (no vlan) on a cluster in load sharing mode ? thanks
[FW-1] virtual addresses on secureplatform
Hi, I'd like to use a virtual interface (eth0:0) on a secureplatform cluster running ngx r61. I can declare the interface on the topology, but as I try to ping the cluster IP, I have no arp response. each member's virtual interface can be pinged from a client workstation. it works fine if I use a vlan interface instead of a virtual interface. has anyone ever managed to have it run ? is there a documentation or sk entry that claims it's not possible to use virtual interfaces with cluster ? thanks
[FW-1] did you try to ask checkpoint to fix a smartdefense issue ?
Hi all, Just curious regarding the number of sk entries about smartdefense, has anyone ever complained to checkpoint about normal traffic blocked by smartdefense ? if so, what was their answer ? thanks
Re: [FW-1] trad. VPN settings in simp. mode
David CALLEBAUT [AEMS Be] wrote:
> Dear List members,
> I have a customer who wants to establish a site-to-site VPN between a FP2 cluster and a Cisco 2621 router. I know there are some pitfalls in setting something like this up. Anybody has some good info or documents related to setting up this kind of VPN? Note: the customer does not want to upgrade to a newer version of FW. The current firewall object is defined as a simplified mode object. I know in R55 that you have the button traditional mode configuration... in the VPN tab of the FW object to allow IKE settings for these kind of VPN tunnels, but I don't have this button in the object of the FP2 policy. Does anybody know where I have to set the traditional settings? Or must I revert back to creating a traditional object and then do the settings?

the ike settings can be set on the vpn community properties. there is a way to also set the parameters on every gateway, but it's better to have the same settings on each gateway that participate to the same community, so each time you change a parameter, you don't have to change it for your n gateways. hope this'll help.

> David
Re: [FW-1] Help please regarding VPN NGX
Edouard Zorrilla wrote:
> Hello There,
> Does anyone have already configured a host which perform a IP and IPSec traffic at the same time ? I mean, thru site A just IP traffic and thru Site B IPSec traffic.

Hello, you can easily do this. the ipsec or ip traffic depends on your rulebase and on your vpn definitions.

if you set a vpn community between your gateway and site b, and specify accept all encrypted traffic in the community or create a dedicated rule for vpn traffic, you'll see ipsec traffic between the network behind your gateway and the network behind site B's gateway.

you can also set another rule to allow some traffic to site A. as site A is not part of any community, the traffic is IP only.

you can also specify not to encrypt some protocols in your vpn community, so you'll see clear and encrypted traffic between your site and site B. hope this'll help.

> Thanks a lot, Regards
Re: [FW-1] R: [FW-1] DL380G3/G4
Scarpati Massimiliano wrote:
> Hi Sergio,
> Thanks for your reply.. Then in the specific recommended configuration of G3 on checkpoint site there is a Integrated Smart Array 5i Plus. Then I think that drivers for this array is present in secure platform.. but I must be sure of it. Is true? If it's true, before install secure platform I must configure raid with smart start to permit splat to see my raid?

Hi, Checkpoint provides a secureplatform compatibility testing tool. You'll find this at this url : http://www.checkpoint.com/products/supported_platforms/secureplatform_testing_tool.html

you should also have a look at the HCL : http://www.checkpoint.com/products/supported_platforms/secureplatform.html

Don't try to install secureplatform if you don't have the hardware and the media the hardware requires. (some servers or nics require specific version/media kit). If you plan not to buy such hardware, you need a proper support contract and patience, because the secureplatform new releases don't come often. hope this'll help.
Re: [FW-1] Help please regarding VPN NGX
Edouard Zorrilla wrote:
> Thanks for your Reply Sir,
> Regarding the point stated here I have a couple of question I hope you can answer this:
> 1.- You said: [ if you set a vpn community between your gateway and site b, and specify accept all encrypted traffic in the community or create a dedicated rule for vpn traffic, you'll see ipsec traffic between the network behind your gateway and the network behind site B's gateway.]
> Q1: That is what I have done and I get a error inside the tracker when I send traffic to site A saying that : encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

vpn debugging can take some time. grab the infoview from checkpoint, set the vpn debug ikeon on your firewall, and check the content of ike.elg afterwards to check where the vpn fails.

> 2.- You said: [you can also set another rule to allow some traffic to site A. as site A is not part of any community, the traffic is IP only. ].
> Q2: When I do this I got the error stated in Q1, even If I put the rule over the vpn rule. What I am doing is making a mesh community and put inside this my module checkpoint NGX and also the host at site B. Do I need to place/move to anywhere else ? maybe I am forgetting something. Could someone send me a paper unicast to me ? I will really appreciate your help.

If site A is not in the vpn domain declared for your gateway and site B's gateway, I still don't get the point why the traffic is encrypted. could you please describe a little bit more your configuration with ip addresses and networks for site A, site B, your site, the gateways, etc ? (don't put the real ones of course).

> 3.- You said: [ you can also specify not to encrypt some protocols in your vpn community, so you'll see clear and encrypted traffic between your site and site B.]
> Q3: But what happen when I need to send the same protocol/port to site A and B, I can not apply this, can't I ?

you need :
- for site B to declare exceptions in the vpn community
- for site A to declare an explicit rule as site A is not part of the VPN

> Thanks everybody. Regards
[FW-1] uri ressource, https and failover
Hello, I defined a URI resource and use it with https on my rulebase for a solaris ha cluster. but when I switch from the running node to the other one, the https traffic is blocked. I need to reinstall the policy to have it work again. I guess the proxy information is not synchronized between the two nodes, but I didn't find any documentation about this. could anyone confirm the issue ? thanks
Re: [FW-1] uri ressource, https and failover
pkc_mls wrote:
> Hello, I defined a URI resource and use it with https on my rulebase for a solaris ha cluster. but when I switch from the running node to the other one, the https traffic is blocked. I need to reinstall the policy to have it work again. I guess the proxy information is not synchronized between the two nodes, but I didn't find any documentation about this. could anyone confirm the issue ?

the answer is in the cluster xl doc. shame on me for posting before RTFMing
Re: [FW-1] uri ressource, https and failover
Markus Schmidt wrote:
> Can you share your solution anyway, please?

sure, here is an extract from the cluster xl guide for NGX R61 (page 38) :

"The state of connections using resources is maintained in a Security Server, so these connections cannot be synchronized for the same reason that user-authenticated connections cannot be synchronized."
[FW-1] alteon switched firewall and antivirus
Hi all, Could anyone confirm that antivirus checking (no CVP) can't be done on a nortel switched firewall ? I tried to find some infos on nortel or checkpoint website, but didn't find anything interesting at the moment. Has anyone ever used such hardware ? If so, as gateway only or gateway + smartcenter ? Thanks
Re: [FW-1] Nokia hard drive problem?
Bhavin Gandhi wrote:
> Hi... I got below errors on 1 of our Nokia boxes
> kernel: wd0: interrupt timeout:
> kernel: wd0: status 50seekdone error 1no_dam
> kernel: wd0: wdtimeout() DMA status 0
> kernel: wd0: wdunwedge failed:
> Could this mean the HD would give in someday??

sure, ask Nokia for an RAM if your box is under support asap.

> TIA
> B
[FW-1] checkpoint dns
Hello, I have some dns troubles to reach www.checkpoint.com. could anybody give me the ip address of www.checkpoint.com and secureknowledge.checkpoint.com ? thanks
Re: [FW-1] alteon switched firewall and antivirus
pkc_mls wrote:
> Hi all, Could anyone confirm that antivirus checking (no CVP) can't be done on a nortel switched firewall ? I tried to find some infos on nortel or checkpoint website, but didn't find anything interesting at the moment. Has anyone ever used such hardware ? If so, as gateway only or gateway + smartcenter ? Thanks

Merry christmas all,
the document located at http://www.checkpoint.com/products/downloads/express_ci_datasheet.pdf claims that :

"Check Point Express CI runs on Intel-processor-compatible Windows and Linux servers, as well as Sun Solaris servers"
[FW-1] route based vpn with vpn1 edge
Hi, I'd like to use a route based vpn between a vpn1 edge and a splat cluster. The connections between the edge and the cluster are done via :
- an MPLS link using private addresses
- an internet link.

the goal is to route in clear via the MPLS when this one is active, and to route via internet using a VPN tunnel. So I use ospf on the MPLS to exchange the routes between the edge and the fw cluster, and a default route via internet. the routing works fine.

now I'd like to set up the VTI and use it. I declared :
- 1 vti with ip 1.1.1.1 on my vpn1 edge
- 1 vti on each splat : 2.2.2.2 for the virtual interface, 2.2.2.21 for splat1, 2.2.2.22 for splat2.

the topology is set. the vpn domain for the community is set to an empty group. (according to the docs).

How can I check for the routing table on the vpn1 edge ? The gui only shows the static routes, but as the packet goes correctly through one of my routers, I guess the vpn1 edge learns the ospf routes correctly. Has anyone ever done this before ? thanks
Re: [FW-1] route based vpn with vpn1 edge
pkc_mls wrote:
> Hi, I'd like to use a route based vpn between a vpn1 edge and a splat cluster.

hi and happy new year all.

for those who are still interested with this config, it's quite working, except for a weird issue : when the site to site vpn that uses the vti on the vpn1edge is active, the igmp packets from the vpn1 edge are dropped, even if there is a rule in the policy to allow those. the smartview tracker says : ip spoofed. the interfaces are set as external or antispoofing not defined on the smartdashboard. and as soon as I disable the route based vpn, the IGMP packets are sent properly, so the ospf works fine again and the routes are properly learned.

has anyone ever opened a ticket by checkpoint about vpn1 edge issues ? I sent a mail to sofaware support, they answered with a link to a doc, and a quick message : for other debug, ask checkpoint
Re: [FW-1] route based vpn with vpn1 edge
Hugo van der Kooij wrote:

On Tue, 2 Jan 2007, pkc_mls wrote:

Sounds like you need to rethink the antispoofing settings. Nothing rulebase related in this log line.

sure, but you can't modify the antispoofing settings for the vpn1 edge.

the interfaces are set as external or antispoofing not defined on the smartdashboard.

External is not equal to accept anything. By lack of other interface settings it is in fact hard to tell what external might be in fact.

the problem comes from the DMZ interface. the IGMP is blocked on this interface when the vpn is active. the network trace shows the IGMP packets when the vpn is disabled, and no trace anymore on the vpn1edge.

and as soon as I disable the route based vpn, the IGMP packets are sent properly, so the ospf works fine again and the routes are properly learned. has anyone ever opened a ticket by checkpoint about vpn1 edge issues ?

Like running debug code to find the memory leaks and attaching consoles to machine to get 24x7 access to read the results? SURE.

did you get any bug fixes after such a hard work ?

Hugo.
Re: [FW-1] route based vpn with vpn1 edge
Hugo van der Kooij wrote:

On Wed, 3 Jan 2007, pkc_mls wrote:

Ever noticed the rapid jumps made in the releases of VPN-1 Edge firmware? They happened around the time we were debugging this issue. It usually pays to upgrade your VPN-1 Edge firmware in my experience.

I'm already using the latest 7.0.25 firmware. Let's pray for a quick new firmware update. thanks for the replies.

Hugo.
Re: [FW-1] SPLAT idle timeout
Tom louis wrote:

anyone know how to change the idle timeout so it is a longer amount of time?

you can set the value in the /etc/bashrc. check for the TMOUT settings in this file.
[FW-1] eventia reporter : how to export/import the datas
Good morning, I have some problem after an upgrade for eventia reporter. (r55 - r61). The eventia reporter doesn't get any information from the database, so I'd like to reinstall the whole stuff, but keep the datas. what's the best way to export the datas from the actual config, and reimport them after the reinstallation ? is there any document about this ? (secureknowledge doesn't have any information about this). thanks a lot
Re: [FW-1] Rép. : Re: [FW-1] Load on module failed
Christian Billette wrote:

Sorry, I didn't mention the error

Unable to open '/dev/fw0': No such file or directory
Failed to get interface list: No such file or directory
Cannot get interface list: No such file or directory

Didn't you forget to reboot after your cpconfig/sysconfig ? Which entries do you have when you type cpconfig ?
[FW-1] tool to analyze debug files
hello, does anyone know any tool to read the content of a fw debug file, ie fw ctl kdebug -f debug.out ? thanks
Re: [FW-1] tool to analyze debug files
Hugo van der Kooij wrote:

On Fri, 12 Jan 2007, pkc_mls wrote:

does anyone know any tool to read the content of a fw debug file, ie fw ctl kdebug -f debug.out ?

gvim usually does the trick for me. Hugo.

I thought about a tool to make the reading of such file easier, like ikeview for ike.elg files. 300 MB for the debug file is quite big ...
Re: [FW-1] VLANs and SPlat R55
Mark Senior wrote:

Hello list I've got a HA firewall, a pair of SPlat R55 boxen, on which I'm going to be splitting one interface (of each member, obviously) into two VLANs. We'll be swapping out some other network equipment at the same time, such that a bit of downtime will be inevitable - so for now at least there's no need to worry about keeping perfect uptime. If there are any gotchas with this, I'd appreciate anyone who can point them out to me. For one thing, I recall reading (possibly in the archives of this list) that you can't configure VLANs on SPlat R55, without also giving an IP address to the interface itself. So for example, if you want an eth1.100 and eth1.200, you have to give an IP and mask directly to eth1, even though the switch won't accept those packets. Can anyone confirm this or correct it?

Hi, on IPSO, I used some trunks, and the restriction comes from the network equipment I think. you cannot bind one port to a vlan if you set a trunk (ie multiple vlans on one link) to this port.

In this case, the IP address that's now on my eth1, will become the IP on one of eth1's VLANs, and the other VLAN will get a new IP. From Checkpoint's documentation of the ifconfig command, I don't see any obvious way at the SPlat CLI to actually remove an IP address. But then Checkpoint's docs for R55 are pretty lame... Some platforms' ifconfig's have options like 'delete' or '-alias' to remove IP addresses and leave no assigned address. Anyone know if SPlat's does? Or do I have to give the interface a bogus address anyway?

check the files in /etc after your sysconfig to see how the settings are done after the reboot.

Finally, with ifconfig and route, SPlat has the non-standard --save flag to make your changes permanent (since you can't just edit rc files). With vconfig do you need something similar, or do the changes automatically survive a reboot?
So, I'm thinking of proceeding like this:
1) edit the topology in the SmartConsole
2) cphastop cluster member A
3) on cluster member A:
   a) set up VLANs on cluster member A with various vconfig calls
   b) take the IP address off eth1 (possibly by replacing it with a bogus one), assign IPs to the two VLANs
   c) add routes as appropriate for the VLAN interfaces
   d) configure the corresponding switch port with the appropriate VLANs
4) push policy
5) cphastart member A, cphastop member B
6a-6d) repeat 3a-3d for member B
7) push policy again for good measure
8) cphastart member B

Anyone see any obvious flaws here?

you could perhaps use a vmware or something similar to validate your scenario on a demo architecture. this could show some hints.

Regards Mark
Re: [FW-1] VPN issue between IP Clustering and VRRP
Anupam Gaur wrote:

hai all, Please Please Please help We are using Checkpoint configured on Nokia IP 350 in IP Clustering load sharing at our two locations Noida and Pune. Both the locations have their separate clusters with exactly the same hardware and same hot fix configurations. Both these locations have Site to Site VPN Connectivity with UK checkpoint which is configured on same Nokia IP 350 but with VRRP

hi, do you have any nat involved in your VPN traffic ? do you allow NAT-T ?

now the problem is that at our Noida Location , the users going through VPN logout suddenly and this happened not with all users but with certain part like 70/300 logout. but there is no such logout at our Pune Location i have checked up the configurations on Both Noida and Pune , they are exactly same the errors are like :

Encryption Failure : Possible Replay Attack
TCP Packet out of state: RST Packet from server side of an old connection

what are the IPs for those smartview tracker log entries ? that's strange because after the IKE, the SA should be okay so you'll have only ESP packets or UDP on port 500, so it could be interesting to have more details about those out of state.

The same logs are in pune Firewall but there is no logout in pune please provide your valuable inputs

Do you have exactly the same OS/build number and the same checkpoint version/HFA ? you can try to debug the vpn using vpn debug trunk on the UK site and on Noida site, then check the content of ike.elg site via ikeview.

regards Anupam gaur Security Consultant EXL Services, Noida
[FW-1] fwloghandle_check_string on : invalid char in string
Hi all, I have some troubles when trying to install the policy on a nokia running NGX R60 HFA 3 :

fwloghandle_check_string: invalid char in string (ascii -24)
Failed to Load Security Policy: Cannot allocate memory
Failed to Load Security Policy: Kernel memory allocation failed
Fetching Security Policy Failed

the policy compiles fine. has anyone ever seen such a message ? thanks.
Re: [FW-1] failed to load security policy : cannot allocate memory
pkc_mls wrote:

Hi all, I have some troubles when trying to install the policy on a nokia running NGX R60 HFA 3 :

fwloghandle_check_string: invalid char in string (ascii -24)

the message above wasn't useful

Failed to Load Security Policy: Cannot allocate memory
Failed to Load Security Policy: Kernel memory allocation failed
Fetching Security Policy Failed

the message above was due to a f... accent in a rulename. I still have to find the one who declared the name with the accent ...

the policy compiles fine. has anyone ever seen such a message ? thanks.
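The "(ascii -24)" in the error quoted above can be mapped back to a character if it is read as the offending byte printed through a signed 8-bit char (an assumption): -24 is byte 0xE8, which is e-grave in ISO-8859-1. The following is an added example, not part of the original post and not a Check Point tool; the rule names are constructed samples and all function names are hypothetical.

```python
from typing import Iterable, List, NamedTuple


class BadByte(NamedTuple):
    offset: int   # position of the byte inside the stored name
    byte: int     # raw value, 0x80..0xFF
    signed: int   # the same byte read as a signed 8-bit char
    latin1: str   # the character, if the name is ISO-8859-1


def byte_from_reported(code: int) -> int:
    """Map a value such as -24 from the error text back to the raw byte."""
    if not -128 <= code <= 255:
        raise ValueError(f"{code} does not fit in one byte")
    return code & 0xFF


def find_non_ascii(name: bytes) -> List[BadByte]:
    """List every byte outside 7-bit ASCII in one stored name."""
    hits = []
    for offset, byte in enumerate(name):
        if byte >= 0x80:
            hits.append(
                BadByte(offset, byte, byte - 256,
                        bytes([byte]).decode("iso-8859-1"))
            )
    return hits


def names_matching(names: Iterable[bytes], reported: int) -> List[bytes]:
    """Names that contain exactly the byte named in the error message."""
    wanted = byte_from_reported(reported)
    return [name for name in names if wanted in name]


def audit(names: Iterable[bytes]) -> List[str]:
    """One report line per offending byte, for every name that is not pure ASCII."""
    lines = []
    for name in names:
        for hit in find_non_ascii(name):
            lines.append(
                f"{name!r}: offset {hit.offset}, byte 0x{hit.byte:02X}, "
                f"signed {hit.signed}, latin-1 {hit.latin1!r}"
            )
    return lines


# Constructed sample rule names (not taken from any real policy).
SAMPLE_RULE_NAMES = [
    b"allow-dns",                            # clean
    "acc\u00e8s-vpn".encode("iso-8859-1"),   # e-grave stored as 0xE8
    "r\u00e9seau-dmz".encode("iso-8859-1"),  # e-acute stored as 0xE9
    "acc\u00e8s-utf8".encode("utf-8"),       # same letter as bytes 0xC3 0xA8
]

if __name__ == "__main__":
    print("byte for reported -24: 0x%02X" % byte_from_reported(-24))
    for line in audit(SAMPLE_RULE_NAMES):
        print(line)
    print("names containing that byte:", names_matching(SAMPLE_RULE_NAMES, -24))
```

The UTF-8 sample shows why the reported number depends on how the name was stored: the same letter would be reported as -61 or -88 there, not -24.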
Re: [FW-1] R: [FW-1] Routing...
Hi all, I recently received a pdf file that describes how to set source routing. as written by Paolo, this is not supported by checkpoint, but the pdf indicates that some customers are running such configs. I can send it directly, or put it somewhere on a website if any are interested. Mr Leu, if you read this message, and wish to put the file on your website, please answer directly.
Re: [FW-1] R: [FW-1] Routing...
sin wrote:

Edouard Zorrilla wrote:

Me too, please send me the PDF,

since so many people want this document maybe the original poster should put it somewhere where people can download it and publish the URL on this list.

sure, I already thought about it and asked someone who already has some documents published. as someone already answered ...

I think there might be a problem, because this document is
- from Check Point
- marked with CONFIDENTIAL - INTERNAL USE ONLY
- marked with NOT INTENDED FOR CUSTOMER DISTRIBUTION

So publishing this PDF on our server might / will result in problems with Check Point legal.

I'll ask the guy from checkpoint who sent me the document if this one can be published somewhere without any risks.

sin
Re: [FW-1] R55 SPLAT last build?
Scarpati Massimiliano wrote:

Hi Guys, a question for you: I must install SPLAT on HP G4 and I have media kit Checkpoint R55 HFA 12 installed on a brand machine. At present My build of SPLAT installed is Build 121 On Compatibility list Checkpoint site G4 is supported from Build 124. What is the last build released of SPLAT R55 ? Better... what build number I ask to my partner to have the last Build?

you need to ask him to ask checkpoint about this. checkpoint can put an iso on their ftp site, but it's not free. It will cost your partner the price of a checkpoint call. regarding the latest version, checkpoint gives sometimes infos, but never up to date. check this link : https://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?lid=sk31763 and you won't find the 121 or 124. if you ask your partner to open a call to get the latest iso, you'll have the 124 or another one, more recent. hope this'll help.
Re: [FW-1] [Newsletter]: [FW-1] R: [FW-1] Re: [FW-1] R55 SPLAT last build?
Scarpati Massimiliano wrote:

Ok, i have an Enterprise Software Subscription and Standard Support with my Licence that I pay. Is it useful for me to ask an Image? Or could my partner contact checkpoint and ask an iso for me with my Enterprise Software Subscription and Standard Support? If yes how many time to have a Build for my Hardware? I must install on this Hardware http://www.checkpoint.com/products/supported_platforms/recommended/ng/ver_r55/HP%20DL-380G4.html And here it seems to be ok with this Hardware from 124. At that hardware conf I must add a Pro1000MT/Dual Port and a Compaq NC7170 Dual PCI-X Copper 10/100/1000 Ethernet NIC.

You need to have a CCSP contract to avoid the 1500$. If you don't have, I shouldn't tell you but the best for your partner is to use another company's usercenter ID, another company that has a ccsp contract ... for your nic cards, check if those are listed in the compatibility list here http://www.checkpoint.com/products/supported_platforms/recommended/ng/index.html
[FW-1] vpn1 edge adsl cannot connect
Hello, I'd like to set up an adsl vpn1 edge and connect it to a smartcenter, but every time I try to connect I have a message that says : cannot connect to smartcenter. the connectivity is fine, ie the vpn1 edge and the smartcenter can ping each other. the traffic between the vpn1 edge and the smartcenter looks fine (udp port 9280 and 9282). the vpn1 edge runs a recent firmware (6.5.48). the smartcenter runs on a host (secureplatform) with smartcenter and gateway installed. has anyone ever run such a config successfully ? what could be the next step in troubleshooting ?
Re: [FW-1] [Newsletter]: Re: [FW-1] vpn1 edge adsl cannot connect
Mark Elsen wrote:

On 1/24/07, pkc_mls [EMAIL PROTECTED] wrote:

Hello, I'd like to set up an adsl vpn1 edge and connect it to a smartcenter, but every time I try to connect I have a message that says : cannot connect to smartcenter.

Is your edge included/allowed in the security policy ?

the edge is declared. the global properties allow the control connections. otherwise there won't have been any response in the network trace. any other idea ?

M.
Re: [FW-1] vpn1 edge adsl cannot connect
Robby Cauwerts wrote:

#sk31524 ?

for everyone who doesn't know all secureknowledge entries :

sk31524 When the VPN-1 Edge device is managed by a SmartCenter Server it must not have a manual certificate installed. Only when the VPN-1 Edge device is standalone can a manual certificate be installed. In the case described by this SK solution, the VPN-1 Edge device had a manual certificate installed, resulting in the VPN-1 Edge being unable to connect to the SmartCenter Server.

the vpn has no certificate. any other idea ?

Br; Robby
Re: [FW-1] vpn1 edge adsl cannot connect
Robby Cauwerts wrote:

On 1/24/07, pkc_mls [EMAIL PROTECTED] wrote:

the vpn has no certificate. any other idea ? Br; Robby

What the release version of your management server?

the smartcenter runs ng r55. how can I get a compatibility matrix between vpn1 edge firmwares and smartcenters version ?
Re: [FW-1] vpn1 edge adsl cannot connect
Robby Cauwerts wrote:

On 1/24/07, pkc_mls [EMAIL PROTECTED] wrote:

Product: VPN-1 Edge
Version: NG
Last Modified: 11-okt-2006

Symptoms
[EMAIL PROTECTED], VPN-1 Edge S, X series are unable to connect to the Service Center (SmartCenter Server) after recently performing an upgrade or a new installation of SmartCenter Server NG with Application Intelligence R55.
Error: The Service Center did not respond
If smsstart is run within a terminal services session, an error: Cpwd failed to get response from CPwatchdog is displayed.

Cause
With build number R55, the SMS service is not started by default.

Solution
Start the SMS service:
1) Open a command prompt or console window in Windows32 or Solaris. Enter expert mode on SecurePlatform.
2) Type smsstart.
3) Attempt to reconnect with the Edge Appliance.

Applies To: SofaWare Management Server (SMS) R55

the sms process is running and the server listens on the port 9282.
Re: [FW-1] vpn1 edge adsl cannot connect
Ted Serreyn wrote:

Check NAT, check that the edge box is defined properly on the management station and you have pushed the policy to any firewall that you talk thru/to. Once that is done make sure the 9280 and 9282 packets are actually getting to the management station. If this is the first one you have done, you may also have to cpstop; cpstart on the management station to kick the edge connector process into starting (watch for it on cpstart). Ted Serreyn Serreyn Network Services, LLC

using the same management server, I was able to connect with a standard VPN1 edge. I also saw a post on sofaware forums saying that you need a specific fix from checkpoint. I already opened a case about this issue with checkpoint, and I'm waiting for a feedback from them. I'll give the resolution if I can get one.
Re: [FW-1] vpn1 edge adsl cannot connect
Alex wrote:

i repeat myself what about: #sk32128 is the edge defined as edge adsl in smartcenter ?

sir yes sir !

you have to have the edge x adsl in the dropdown window of the edge object not simply select a edge x!!

sir yes sir !

in this sk entry you can find a dbedit script to add the edge adsl properties in the objects file

the script produces errors.

we had the exactly the same problem, the sk solved it and this is the fix they talk about in sofaware forums

ok, thanks for the info. let's wait for checkpoint to fix it.
Re: [FW-1] vpn1 edge adsl cannot connect
Hugo van der Kooij wrote:

On Fri, 26 Jan 2007, pkc_mls wrote:

Remove the empty lines. They should not be there and they will prevent a correct application of the fix. Hugo.

I tried to run the script line after line manually. here is the result :

dbedit modify sofaware_gw_types VPN-1_Edge_X_ADSL_Series firmware_type generic3_safe@
dbedit modify sofaware_gw_types VPN-1_Edge_X_ADSL_Series hardware_type SBox-200-B
failed to get field hardware_type
dbedit addelement sofaware_gw_types VPN-1_Edge_X_ADSL_Series hardware_type SBox-200-B
failed_to get type hardware_type

any idea ?
Re: [FW-1] Intel Quad Drivers for SPLAT NGX R62
Corrado Motta wrote:

Hi Gurus, I'm looking for the drivers for a Quad Intel NIC It seems to be supported from Splat R62 but I'm unable to find the right driver.

try to find the drivers for red hat enterprise linux 3. install the rpm, and it should work. you can search the drivers via rpmfind.net or google.

Someone can help me?

at least I tried :)

Thanks Bye Corrado
[FW-1] latest infoview
Hi all, I have some troubles to open some cpinfos with the latest infoview I downloaded from checkpoint. here are the details from my version :

InfoView Version 3.6.0 Build: 36074
For internal use only
Created: 25/Jun/2006
Designed and Written by Shaul Eizikovich [EMAIL PROTECTED]

has anyone ever managed to get a more recent version of cpinfo ? thanks
Re: [FW-1] latest infoview
Hugo van der Kooij wrote:

> On Thu, 1 Feb 2007, pkc_mls wrote:
>
>> has anyone ever managed to get a more recent version of cpinfo ?
>
> Yes. But I suggest you use your Check Point contacts to get it. I will consider request for that versions as SPAM. If you need a working infoview then you need to get it from the source.

It's simply that the latest one you can download on checkpoint site doesn't allow you to open correctly the cpinfos. I'll ask someone at checkpoint.
Re: [FW-1] vpn1 edge adsl cannot connect
pkc_mls wrote:

> Hello, I'd like to set up an adsl vpn1 edge and connect it to a smartcenter, but every time I try to connect I have a message that says : cannot connect to smartcenter. the connectivity is fine, ie the vpn1 edge and the smartcenter can ping each other. the traffic between the vpn1 edge and the smartcenter looks fine (udp port 9280 and 9282). the vpn1 edge runs a recent firmware (6.5.48). the smartcenter runs on a host (secureplatform) with smartcenter and gateway installed. has anyone ever run such a config successfully ? what could be the next step in troubleshooting ?

just for those who are interested. the issue is specific to R55. the script provided on sk produces errors. here is the resolution :

1) Please make sure all GUI clients (SmartDashboard) are closed
2) Please open GUIDBEdit from a GUI client: C:\Program Files\CheckPoint\SmartConsole\R55\PROGRAM\GuiDBedit.exe
3) Please login with normal admin credentials
4) Expand the Network Objects tree and choose the sofaware_gw_types
5) Right click at the right pane (where all the types are listed) and choose new
6) Under Class it would say: sofaware_product_type as the only option
7) under Object please write: SBox-200-B
8) After this is done, please save the changes and exit
9) Open SmartDashboard and choose the proper type for the Edge object you have (ie SBox-200-B).
10) Install policy
11) Reconnect to the service center from the Edge side
Re: [FW-1] VPN-1 Edge site to site issue
Sergio Alvarez wrote:

> Hello, I have the following scenario:
>
> - VPN-1 Edge (firmware version 7.0.27)
> - R60 HFA04 SMC (w/ proper libsw files installed and running on Windows 2003)
> - R60 HFA04 HA cluster (active/standby) running on SPLAT
>
> The SMC is managing both the cluster and the Edge and the idea is to have a site to site VPN between them. The Edge is registering with no problems to the SMC and downloading the policy properly. The issue comes when trying to pass traffic through the VPN tunnel, logs on both the Edge and the SMC show phase I and II are completed but while on the SMC the logs clearly show the IP ranges defined on the VPN domains of both sides, on the Edge the logs only show the public IP of the cluster as the peer ranges.

Hi, you should check in the ike traces from edge and HA cluster that the peer ranges are correct. (vpn debug trunc on the cluster, then examine vpnd.elg with text editor and ike.elg with ikeview). how did you define the vpn domain on the edge object and on the ha cluster object ?

> The result of this is that whenever we try to pass traffic from a test machine behind the Edge to another behind the cluster, the connection fails and the logs of the Edge show it fails to establish the VPN as the peer is not responding. Previously I have seen similar scenarios working but the Edge logs always show the VPN domain of the peer gateway properly when reporting the phase II completion. So far I have not found anything about this in the SK, has anyone seen this issue in the past?
>
> Regards
[FW-1] ng ai r55 and vpn
Good afternoon,

Is there a way to specify on ng ai r55 the ip address that is used by a checkpoint gateway for the vpn communication (ike) ? There is an option in the NGX version, but I guess there was a workaround already in R55.

for example, if my gateway is defined with a 10.10.10.1 ip in the general properties, and the vpn should be established with another IP address which is 20.20.20.1, how can I specify the IP to use ?

thanks
Re: [FW-1] latest infoview
Hugo van der Kooij wrote:

> On Thu, 1 Feb 2007, pkc_mls wrote:
>
>> has anyone ever managed to get a more recent version of cpinfo ?
>
> Yes. But I suggest you use your Check Point contacts to get it. I will consider request for that versions as SPAM. If you need a working infoview then you need to get it from the source.
>
> Hugo.

Hi, could you please give me the version number you have, because I already contacted some guys from checkpoint, and they all claimed that they are not aware of a more recent version of the tool.

thanks a lot.
Re: [FW-1] [LOG-CRIT] kernel: FW-1: Log Buffer is full
No Name Available wrote:

> Hi, We find in information on console.

hi, just to be sure, your email shows nokia.com, so it means you work for nokia ? if so, you should have proper access to checkpoint support.

> [LOG-CRIT] kernel: FW-1: Log Buffer is full
> [LOG-CRIT] kernel: FW-1: lost 500 log/trap messages

check your local logs, check also if the logs go to the smartcenter. try to reduce the number of rules that produce logs.

> We consult Resolution 1693 to revise this question. But cross and qualify for the next round of competitions the same information in the near future. And still many FW-1: fwconn _ chain _ get _ something: fwconn _ chain _ Lookup failed (5) information. Are there other methods to solve? We use ' for IPSO 3.8 of Check Point VPN-1 NG with Application Intelligence (R55 ) '.
>
> Br. Yue Chen
[FW-1] High availability cluster and manual NAT
good morning,

I'd like to set up manual NAT on a high availability cluster (running NGX R61 HFA 01). so I need to fill the sysctl.conf, add a static route and also add a static arp entry. as I'm running a splat high availability cluster, I also have to do the same on every member of the cluster.

the problem is that it will probably lead to duplicate arp or IP, as I have to setup a static arp entry on gateway A with MAC address from gatewayA_eth0 for example, and the same entry on gateway B with MAC address from gatewayB_eth0.

is there a way to tell the cluster to setup the arp only when the node is active ? in other words, is there a way to run a script when the node becomes active, and another when the node becomes standby ?

thanks
Re: [FW-1] High availability cluster and manual NAT
Paolo Riviello www.paoloriviello.com wrote:

> Automatic Proxy ARP
>
> When using static NAT, the cluster can be configured to automatically recognize the hosts hidden behind it, and issue ARP replies with the cluster MAC, on their behalf. This process is known as Automatic Proxy ARP. If you use different subnets for the cluster IPs, this mechanism will not work, and you must configure the proxy ARP manually. This is done by creating a file called local.arp, under the firewall's configuration directory ($FWDIR/conf). In SmartDashboard, uncheck Automatic proxy arp.
>
> Each entry in this file is a triplet, containing the:
>
> • host address to be published
> • MAC address that needs to be associated with the IP address
> • unique IP of the interface that responds to the ARP request.
>
> The MAC address that should be used is the cluster's multicast MAC defined on the responding interface, when using multicast LS, or this interface's unique IP, for all other modes.
>
> For example, if host 172.16.4.3 is to be hidden using the address 172.16.6.25, and the cluster uses Load Sharing Multicast mode, add the following line to the local.arp file of Member 1:
>
> 172.16.6.25 00:01:5e:10:06:64 192.168.1.1
>
> The second parameter in this line is the multicast MAC address of cluster IP 172.16.6.100, through which ARP requests for 172.16.6.25 will be received. On Member 2, this line will be:
>
> 172.16.6.25 00:01:5e:10:06:64 192.168.1.2
>
> If the cluster is in unicast LS mode, or in HA mode, the entries on Member 1 and 2 will be:
>
> 172.16.6.25 00:A0:C9:E8:C7:7F 192.168.1.1
>
> - And -
>
> 172.16.6.25 00:A0:C9:E8:CB:3D 192.168.1.2
>
> where the second entry in each line is the unique MAC address of the matching local interface.
>
> as is in the manual...

thanks for the response. I'll check if this works, because I had some troubles to have it run properly. on secureplatform, do you need to modify the /etc/sysctl.conf also ?

> cheers -- Paolo Riviello
Re: [FW-1] High availability cluster and manual NAT
Paolo Riviello www.paoloriviello.com wrote:

> hi, for my experience this is enough. In which mode do you want to change sysctl.conf ??

add the proxy arp settings like this :

net.ipv4.conf.eth0.proxy_arp = 1

I found some infos at this url, and this one talks about sysctl and the old method : http://postnuke.systura.com/modules.php?op=modloadname=Newsfile=articlesid=37

I'll have to check again.

> cheers -- Paolo Riviello
>
> From: pkc_mls [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Subject: Re: [FW-1] High availability cluster and manual NAT Date: Wed, 14 Feb 2007 13:32:26 +0100
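The local.arp triplets quoted from the manual in this thread can be checked for consistency across both members before they are deployed. This is an added example, not part of any post and not Check Point tooling: the function names, the mode labels ('multicast', 'ha') and the multicast sample entries are assumptions constructed here; the HA entries are the ones quoted in the thread.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_local_arp(text):
    """Return {published_ip: (mac, responder_ip)} from local.arp text.

    Each non-blank line must be the triplet described in the quoted manual:
    published host address, MAC address, unique IP of the answering interface.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # assumption: blank lines are ignored
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        published, mac, responder = fields[0], fields[1].lower(), fields[2]
        ipaddress.IPv4Address(published)   # ValueError on a malformed address
        ipaddress.IPv4Address(responder)
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: malformed MAC {fields[1]!r}")
        if published in table:
            raise ValueError(f"line {lineno}: {published} published twice")
        table[published] = (mac, responder)
    return table


def is_group_mac(mac):
    """True when the I/G bit (lowest bit of the first octet) marks a multicast MAC."""
    return bool(int(mac[:2], 16) & 1)


def check_members(member1_text, member2_text, mode):
    """Compare two members' local.arp files and return a list of findings.

    mode is 'multicast' (Load Sharing Multicast) or 'ha' (HA or unicast LS).
    """
    if mode not in ("multicast", "ha"):
        raise ValueError("mode must be 'multicast' or 'ha'")
    m1, m2 = parse_local_arp(member1_text), parse_local_arp(member2_text)
    findings = []
    for ip in sorted(set(m1) ^ set(m2)):
        findings.append(f"{ip}: published on only one member")
    for ip in sorted(set(m1) & set(m2)):
        (mac1, resp1), (mac2, resp2) = m1[ip], m2[ip]
        if resp1 == resp2:
            findings.append(f"{ip}: both members answer from {resp1}")
        if mode == "multicast":
            # Both members publish the one shared cluster multicast MAC.
            if mac1 != mac2:
                findings.append(f"{ip}: members publish different cluster MACs")
            for mac in sorted({mac1, mac2}):
                if not is_group_mac(mac):
                    findings.append(f"{ip}: {mac} is not a multicast MAC")
        else:
            # Each member publishes the MAC of its own local interface.
            if mac1 == mac2:
                findings.append(f"{ip}: same MAC {mac1} on both members")
            for mac in sorted({mac1, mac2}):
                if is_group_mac(mac):
                    findings.append(f"{ip}: {mac} is multicast, expected interface MAC")
    return findings


# HA-mode entries as quoted in the thread, one file per member.
HA_MEMBER1 = "172.16.6.25 00:A0:C9:E8:C7:7F 192.168.1.1\n"
HA_MEMBER2 = "172.16.6.25 00:A0:C9:E8:CB:3D 192.168.1.2\n"
# Constructed multicast-mode entries using a 01:00:5e prefix.
MC_MEMBER1 = "172.16.6.25 01:00:5e:10:06:64 192.168.1.1\n"
MC_MEMBER2 = "172.16.6.25 01:00:5e:10:06:64 192.168.1.2\n"

if __name__ == "__main__":
    print(check_members(HA_MEMBER1, HA_MEMBER2, "ha"))         # consistent pair
    print(check_members(HA_MEMBER1, HA_MEMBER1, "ha"))         # file copied between members
    print(check_members(MC_MEMBER1, MC_MEMBER2, "multicast"))  # consistent pair
```

Copying Member 1's file unchanged to Member 2 is the case that produces the duplicate ARP answers the original question worried about; the checker reports it as two findings.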
Re: [FW-1] IPSO upgrade
Nick Whitworth wrote:

> Hi Reinhard, Fw1 is not running. When I run tcpdump I get
>
> # tcpdump -ni eth3c0
> tcpdump: /dev/bpf100: No such file or directory
> #
>
> Any other ideas? Do you know how I can wipe the config so that I get back to the initial configuration prompts?

rm /config/active
reboot.

could you copy/paste the extract of /var/log/messages or /var/log/boot.log that talks about eth interfaces ?
Re: [FW-1] IPSO upgrade
Nick Whitworth wrote:

> I have run rm /config/active and rebooted. During the setup, no interfaces appear to be configurable. Any ideas? How can I view the logs you are talking about?
>
> You can configure your system in two ways:
> 1) configure an interface and use our Web-based Voyager via a remote browser
> 2) VT100-based Lynx browser
> Please enter a choice [ 1-2, q ]: 1
> Select an interface from the following for configuration:
> 1) quit this menu
> Enter choice [1-1]:

welcome to incompatibility world !! keep in mind there are some specific ipso versions for flash based nokias. could you switch back to your older ipso ?

> Thanks, Nick
Re: [FW-1] IPSO upgrade
Nick Whitworth wrote:

> I can't do this as the company policy is for all firewalls to be running the same version of IPSO and CheckPoint. We have 20+ firewalls on NGX R60 and IPSO 4.0 build 30.

and all are the same hardware revision ? all are flash based with the same flash revision ?
[FW-1] pppoe on nokia IPSO
Hi all,

I'd like to set up a pppoe connection to connect to internet via an adsl router. I hope the line works fine, but I didn't check with another device. I followed the ipso documentation, but I don't know if I have to setup static (I don't think so), dynamic or unnumbered.

could anyone give me some urls or documents regarding these settings ?

thanks
Re: [FW-1] change cluster XL load sharing mac address
Hugo van der Kooij wrote:

> On Tue, 20 Feb 2007, pkc_mls wrote:
>
>> I'd like to change the default multicast mac address used for checkpoint cluster interface in Load sharing mode, because my network equipment (Nortel) doesn't accept the 01:00:5e mac address. I can change it manually using dbedit, but I'm not sure checkpoint will still support such a configuration. Has anyone ever done this before ?
>
> No.
>
>> Are there any hints ?
>
> Yes. Considering that the range is defined in accordance to quite an old RFC: RFC 1112 - Host extensions for IP multicasting - August 1989. Is there any reason Nortel could give you why they have chosen not to implement this standard? Or do you need to look into and perhaps change the IGMP settings for the Nortel equipment?

I had a deeper look at the multicast doc for the device. it's only the MAC filter (ie restrict the multicast flooding to certain ports) that doesn't accept the multicast address that start with 01:00:5e.

thanks for the reply anyway.

> Hugo.
Re: [FW-1] branch tunnel VPNs between FW-1 and Cisco and Nortel VPNs
Kim Longenbaugh wrote:

> Hi, We have never utilized the VPN portion of the FW-1 product.

hi, 1st : check if you have the proper licences to use the VPN.

> Now, there's a proposal to do that. Is it possible to set up branch tunnels coming from a Nortel Contivity VPN device and the FW-1, and from Cisco Pixs to FW-1?

yes. for this you only need to agree on the phase1/phaseII settings, and prepare to debug using the vpn debug trunc, ike.elg and vpnd.elg in case it doesn't work at first try.

> The branches all have separate /24 subnets. Of course, I will RTFM on this myself, but wanted to get a quick take of everyone's experience with this type of setup.

you can also search on any search engine, there are some documents that explain in detail the settings you need to apply on both equipments to have it work.

hope this'll help.
Re: [FW-1] no logs in smartviewtracker
Tauseef Khan wrote:

> Hi All, I have got a strange problem and wondering is someone there to help me out. I cannot get any log entries in smart view tracker from enforcement module which is a nokia ip 350 ipso 3.9 checkpoint ng r55. I can telnet management server on any cpmi ports (256, 257, 18191 etc) from enforcement module. I can also push the policy from management server to module. I can also get the local logs on module (fw log) and it's constantly increasing. I have also done cpstop and deleted $fwdir\r55\log\*.log and *.logptr and cpstart but still no logs. I am getting logs from other modules correctly on the same management server.

try to run debug for fwm on smartcenter and gateway.

fw debug fwm on TDERROR_ALL_ALL=5

check your fwm.elg logs afterwards. if there is SIC involved, try to reset the SIC between your gateway and your smartcenter. do you have the problem on one gateway only or on several gateways ?

> Kind regards
> Tauseef Khan
Re: [FW-1]
Dave Allen wrote:

> Hi all,

Hi

> Can anyone think of any reason why a perfectly good, functioning, primary management server, running NGX R60 on a Windows 2003 Server platform, has the Secondary Management server option de-selected and greyed out, under Checkpoint products, when attempting to create an object to represent the secondary manager in a management HA configuration? The only possible cause offered on SecureKnowledge is that sic has been established prior to generating the object with the secondary management option selected but this is not the case!

licence maybe ?

> Any and all suggestions gratefully received.
>
> Regards, Dave Allen CCSE TAC Team Leader Phoenix IT Group
Re: [FW-1] Maximum amount of memory in Nokia IP530
Neil Kemp wrote:

> That's the problem ! Just another quick question, does anyone know if memory from any of the other appliances will work - such as memory from an IP650 or IP440 ?

I'm quite surprised, because if you buy the same kind of RAM from the same manufacturer (don't forget to use ECC modules), how could the box know which one comes from nokia ? you can even try to get some RAM on ebay if your favourite reseller cannot sell you the correct old one.

> Thanks.
>
> On 26/02/07, Larson, Todd (LNG-DAY) [EMAIL PROTECTED] wrote:
Re: [FW-1] CheckPoint to Watchguard VPN
Nick Whitworth wrote:

> Hi,

hi, I saw once a vpn that magically worked after we deleted the remote gateway on the smartcenter and recreated it with exactly the same parameters. if the vpn already works fine in one way, the settings should be ok. could you just confirm that you're using the correct ip address for the tunnel ? (in the link selection for ngx).

> We are attempting to setup a VPN between a VRRP cluster of NGX R60 firewalls and a Watchguard. From behind the Watchguard we can initiate traffic to servers behind the NGX cluster across the tunnel but we cannot send traffic in the opposite direction. The message below appears in our logs:
>
> Number:968546
> Date: 28Feb2007
> Time:15:28:48
> Product:VPN-1 Pro/Express
> Interface: eth2c1
> Origin: VPNGATEWAY01
> Type:Log
> Action: Drop
> Protocol: tcp
> Service: smtp (25)
> Source: local server
> Destination: remote server
> Rule: 13
> Current Rule Number: 13-vpn-cluster01
> Rule UID: {BCAA12B0-4322-43CF-989D-5FDE6BBD}
> Source Port: 45418
> Encryption Scheme: IKE
> VPN Peer Gateway: MAP_FW
> Encryption Methods: ESP: 3DES + SHA1
> Community: Detica_MAP_VPN
> Subproduct: VPN
> VPN Feature:VPN
> Information: service_id: smtp encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
>
> Any ideas/suggestions welcome.
>
> Thank you
> Nick
[FW-1] telnet timeout : tcp packet out of state
Hi all,

If I allow the telnet and let a telnet window open without typing anything within, I have a timeout after some minutes. smartview tracker shows the following :

Type: Log
Action: Drop
Protocol: tcp
Service: telnet (23)
Information: TCP packet out of state: First packet isn't SYN tcp_flags: PUSH-ACK

so the next options should be :

- disable stateful inspection on tcp globally (quite dangerous ...)
- use a telnet program that sends keep alive
- disable stateful inspection only for telnet (if it's possible)

does anyone know if there is an option to disable stateful inspection only for specific services or ports ?

thanks.
Re: [FW-1] telnet timeout : tcp packet out of state
Matthias Leu wrote:
> Hi,
> you can adapt the timeout per service. Have a look at the object representing the service and select 'Advanced'. Here you can choose an individual timeout for e.g. telnet.
> Hope it helps, best regards,
> Matthias

I already tried to modify the timeout for telnet, without success. The issue comes from the push-ack, and I don't think there is a specific timeout for this type of packet.
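The mechanism behind the drop discussed in this thread, as an added example that is not part of the original posts and is not Check Point's code: a stateful filter ages an idle session out of its table, so the next mid-stream PUSH-ACK finds no entry and is rejected because it is not a SYN. The class name, addresses and timeout values are constructed for illustration.

```python
"""Toy stateful TCP filter (illustrative model, not Check Point's implementation).

Timeout values and addresses are constructed for the example.
"""
from dataclasses import dataclass, field

SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass
class StateTable:
    idle_timeout: int                           # seconds a silent session may stay in the table
    conns: dict = field(default_factory=dict)   # connection key -> time of last packet

    def _key(self, src, sport, dst, dport):
        # Same key for both directions of a connection.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def inspect(self, now, src, sport, dst, dport, flags):
        key = self._key(src, sport, dst, dport)
        last_seen = self.conns.get(key)
        if last_seen is not None and now - last_seen > self.idle_timeout:
            del self.conns[key]                 # entry aged out while the session sat idle
            last_seen = None
        if last_seen is None:
            if flags == SYN:                    # only a bare SYN may create state
                self.conns[key] = now
                return "accept"
            return "drop: TCP packet out of state: First packet isn't SYN"
        self.conns[key] = now                   # any matching packet refreshes the timer
        return "accept"


def replay(idle_timeout, keepalive_every=None, idle_gap=4000):
    """Open a telnet session, stay idle for idle_gap seconds, then send one keystroke."""
    fw = StateTable(idle_timeout)
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 23)   # constructed addresses
    fw.inspect(0, *client, *server, SYN)
    fw.inspect(0, *server, *client, SYN | ACK)
    fw.inspect(0, *client, *server, ACK)
    if keepalive_every:
        for t in range(keepalive_every, idle_gap, keepalive_every):
            fw.inspect(t, *client, *server, ACK)   # keep-alive probe from the client
    return fw.inspect(idle_gap, *client, *server, PSH | ACK)
```

In this model, `replay(3600)` reproduces the logged drop, while `replay(3600, keepalive_every=600)` is accepted because the probes keep refreshing the table entry.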
Re: [FW-1] Generate license key for SecureClient
Chau, P (Paul) wrote:
> Hi,
> I need to generate a license key from a newly purchased secureclient license. In the usercenter should I use the IP address of the enforcement gateway or the management server?

Checkpoint recommends using the IP of the smartcenter, because if you decide to change the main ip of your gateway you'll still be able to use the same licence.

> Thanks for any help.
> Paul
Re: [FW-1] Verizon.net and secure client, any known issues??
Ken Cameron wrote:
> I'm trying to set up a remote client and what seems to happen is the firewall sees the initial key exchange when the user creates the site. But when they try to do a connect to the site, the firewall sees no traffic from the user pc. Anybody got clues about this?? I'm figuring I need to check on things like the local address given the client pc but things like if the modem/hub that Verizon uses has the right updates to do VPN's, I'm not so sure how to test. If others have found some special things to check please let me know what worked.

Could you try to run a network trace on the firewall and on your client to check if verizon blocks or modifies some packets?

> -ken cameron, CCP. Staff Leasing of CNY Inc 315-641-3600
> SkyDiver: Zoo-602, A-8596, D-11839. Skier: down cross. English Hunter Rider. Scuba: wet dry
> mailto: [EMAIL PROTECTED]
> Home DZ: FingerLakes Skydivers, Ovid NY
Re: [FW-1] R60 with HFA or upgrade to NGX R62?
Thiago Formagi wrote:
> Hello guys. Thank you for the replies. I'll tell my customer about available features in HFA_05 package. But if I need to upgrade to R62 how could I automatically do it? I just need to put the R62 CD in driver and will it automatically upgrade to R62?

Autorun on secureplatform could be nice :) :)

> Are there any documents from CheckPoint that I can use to upgrade?

There is an upgrade guide with every version of checkpoint. All the documentation can be downloaded from the checkpoint site.

> rdgs,
> Thiago
Re: [FW-1] no valid licenses after upgrade to ngx r62
felipe gonzales wrote:
> hi all
> i installed splat ngx r62 (power) for testing in a lab environment. after installing my ngx licenses i got different error messages
> on the smartcenter: no valid license found on smartcenter server
> on the firewall modules: failed to load security policy: no valid license

Hi, there are some troubles with the cp.macro files. You should just check that the SKUs that come with your licences (like CPXP-...) are in the cp.macro file. Otherwise, you need to download a more recent cp.macro from checkpoint. Hope this'll help.

> is it not possible to use my older ngx cpmp-vfe-u-ngx licenses within r62? i think this should be possible even though the licenses are not utm/power licenses
> regards,
> felipe
[FW-1] failed to save object : invalid reference
Hi all,

When I try to save a group of users, I get the following message:

Failed to save object VPNNG-group
server error is : the referenced object at field groups is invalid reference.

Has anyone ever seen this?
Re: [FW-1] Advice on backing up SPLAT system.
sin wrote:
> sure it runs, just run it like this:
> echo y | $FWDIR/upgrade_tools/upgrade_export fw1-`date +%d%m%Y`

There is even a -n option to avoid the echo y. This option is described in checkpoint sk but upgrade_export -h doesn't mention it.

> and inside $PWD you should get an archive named fw1-10032007.tgz
Re: [FW-1] FW-1 list is moving
sin wrote:
> Gil Sudai wrote:
>> For this reason and after several years of operation, the FW-1 mailing list will be closed in the next days and its content will be placed in the Miscellaneous forum.
>
> Hi,
> If any of the subscribers of the mailing list is interested in continuing using a fw-1 like list, I can set up one where people can continue to talk about check point products.

Hi, as it already happened in the past, it could be sometimes interesting to still be able to exchange info about checkpoint when the checkpoint site is unavailable.

> please drop a line and if enough of you gather, the list can be operational very soon.
> thanks,
> sin
Re: [FW-1] ipso 4.1b25 with R55P not performing full sync
Ronny Vaningh wrote:
> Hi
> I'm in progress of upgrading some firewalls to IPSO 4.1B25 (in combo with R55P HFA08) in preparation of a move to NGX

I thought that the r55p was only designed for ipso 3.8. I have a compatibility matrix from nokia somewhere, so I can send it by email. I never understood why nokia kept this public.

> This seems to work fine but I noticed that the secondary firewall does not perform a full sync with the master at boot. According to cphaprob the node stays initializing for sync and problem notification for about 2 minutes. The fwd.elg logfile has an entry: Full snyc not performed probably the only member. New connections however are synced out. When I run cprestart the full sync is performed ... Nokia has made some suggestions but nothing substantial ... Checkpoint claims this is a nokia issue ... Guys, do you have an idea, do you run similar combo ?
> Thanks
> Ronny
Re: [FW-1] FW-1 list is moving
Verhille Nicolas wrote:
> What is the email to subscribe to it ?

[EMAIL PROTECTED]

and Phoneboy posted this recently:

> There was some concern, and even questions in my own mind, about whether or not I should shut down this mailing list. With the word out now that Check Point is closing their mailing list down and going web-based, it's clear that we need to keep this mailing list going.
>
> I suspect that as a result of that list closing, we are going to get an influx of new subscribers to this list, making our lives just a bit busier. While we certainly will welcome the newcomers with open arms, rest assured we are not going to be changing our policies in any way. The list has always been, and will remain, moderated according to the guidelines listed on http://fw1-gurus.phoneboy.com.
>
> The only thing that is being planned for the near future is to move the mailing list over to a new server with new mailing list software. It's one of those projects I haven't gotten around to doing yet, though rest assured, it will happen sooner or later. Maybe after this Daylight Saving Time thing dies down a bit more...
>
> -- PhoneBoy
[FW-1] scp to secureplatform : lost connection
Hi all,

I'd like to run a scp from a debian running openssh 4.3 to a secureplatform ngx r62. The ssh works fine, but the scp always answers: lost connection

There is no drop. I can only see, when I add some debug to the ssh client, that it tries to run a scp -v -t /dir;

Has anyone ever managed to run a scp from a unix box to a splat ngx r62? The same scp command works fine to a solaris 9 box. The scpusers on the splat is already filled with the username. There is no sftp-server binary, so I cannot try to uncomment this parameter in the sshd_config.

Any idea?