Precisely. That's why I skipped HFA05 and 06, because nothing applied to us.
HFA07 fixed a boatload of problems regarding Edge devices which we had just
begun testing, so I applied it. And I hit that "VPN Error Code 03" "tunnel
test failed" SecureClient problem that actually was introduced in HFA05 and
carried over through 06, 07 and 08.

Fortunately I could roll the gateway back from HFA07 and make SecureClient
work reliably again.

Unfortunately I had to apply HFA08 because of the ASN.1 security problem and
I got my "tunnel test failed" problem back again.

Fortunately Check Point was responsive in getting me a fix I could apply on
top of HFA08. So now I'm all up to date and then some. :-)

HFA05, 06 and 07 weren't publicly released as HFA04 and 08 were. If you're
not using VPN at all, then you're probably safe at HFA04. But if an auditor
(or post-incident team) reads the release notes for HFA08 and sees the
recommendation about staying up to date, can you defend your decision
effectively and reasonably? You probably don't have any proof or inkling of
proof that applying the patch incurs more risk than staying unpatched. If
you do, great!

Kind of a pity we have to practice CYA so much.

Ray

From: Shane Presley <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Approach to hot fixes?
Date: Tue, 10 Aug 2004 20:15:07 -0400

Agreed, I tend to take the "ain't broken, don't fix it" approach to a
lot of things, but security patches aren't that simple.  And the
release notes often make general statements like "improved stability".
 Well who doesn't want that?  :-)

Specifically HFA-06 talks a lot about ClusterXL stability/performance
improvements, and Solaris stability fixes.  I am running ClusterXL on
Solaris, with no specific problems at the moment, but those general
statements make me think I should apply the HF.

Thanks all...
Shane

On Tue, 10 Aug 2004 14:02:52 -0400, Ray <[EMAIL PROTECTED]> wrote:
> This is my approach as well but I don't let things get too far behind. We
> all know how things get slipstreamed in without making it to the release
> notes.
>
> As far as "if it ain't broke, don't fix it", this is the reason I have done
> assessments on companies where their routers are on the original IOS,
> workstations and servers are on Windows Service Pack nothing, SQL Server
> likewise, etc. The one admin said point blank that she never patches
> anything that's working.
>
> Kind of the reason why they got taken down by Slammer and why they had to
> set up weekly reboots on all servers to keep them stable.
>
> Ray
>
>
>
> >Well maybe it's just me, but I follow the "if it ain't broke
> >don't fix it" approach.  But always watch the release notes
> >on fixes in case something serious may come up that may affect
> >your stability or security.
> >
> >just my $.02
> >
> >Hal
> >
> > > -----Original Message-----
> > > From: Shane Presley [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 10, 2004 8:20 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [FW-1] Approach to hot fixes?
> > >
> > >
> > > Just curious...
> > >
> > > Do you regularly keep your firewalls up to date with the Check Point
> > > hot fixes?  Or do you wait for the need?  For example I'm currently on
> > > HFA-04, but HFA-08 is out.  I've read the release notes on HFA-08 and
> > > don't see anything that would immediately impact me, so I don't think
> > > there's a pressing need to put HFA-08 on it.
> > >
> > > But is it a "best practice" to always apply the latest HFA?
> > >
> > > Shane
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [EMAIL PROTECTED]
> > > =================================================
> > >
> >
>
