Hi,
There is one Note as below for HFA_R55_10-13 :
Note - (Important) This fix is currently not supported with SecureXL and
Nokia flows.
Therefore, a customer that wants to activate this feature must disable
SecureXL, or Nokia flows.
Br,
Lin Murong
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of ext
Reinhard Stich
Sent: Monday, September 12, 2005 9:30 PM
To: [email protected]
Subject: Re: [FW-1] PPTP support with Hide NAT(PAT)?
At 15:18 12.09.2005, [EMAIL PROTECTED] wrote:
>Hi Reinhard,
>
>Do you have any document to describe that? If yes, would you give me
>one copy?
checkpoint resolution
Solution ID: sk30108
Solution ID: sk30022
HFA_R55_10 should also fix that.
so this should work with NG X and NG R55 with hfa10 or higher.
cheers
reinhard
>Thanks a lot!
>
>Br,
>Lin Murong
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of ext
>Reinhard Stich
>Sent: Monday, September 12, 2005 8:48 PM
>To: [email protected]
>Subject: Re: [FW-1] PPTP support with Hide NAT(PAT)?
>
>hi,
>
>with NG X pptp behind hide-NAT is supported.
>
>cheers
>reinhard
>
>At 14:28 12.09.2005, you wrote:
> >Hi there,
> >
> >It's said you need to DISABLE FLOW & SecureXL to support Hide NAT on
> >PPTP, but this would decrease the throughput performance. So how do
> >other vendors implement Hide NAT for PPTP? Like Cisco, Netscreen...
> >
> >Any input is appreciated!
> >
> >Br,
> >Lin Murong
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages, send an email to
> >[EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list, please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your subscription options,
> >email [EMAIL PROTECTED]
> >=================================================
>
>--
>Reinhard Stich ASSIST [EMAIL PROTECTED]
>Internet Security AG, 1150 Wien, Johnstrasse 29
>Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
>
--
Reinhard Stich ASSIST [EMAIL PROTECTED]
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
=================================================
R55_10-13
Improved support for Hide and Static NAT operations on the PPTP service. By
default, this feature is disabled. In order to activate the hide NAT support
with PPTP feature, some operations have to be performed:
1 Stop the SmartCenter Server by executing cpstop.
2 Access the $FWDIR/lib/ directory.
3 Backup the current base.def file.
4 Rename the base_HFA.def file to base.def. (Make sure that you verify file
permissions)
5 Access the $FWDIR/hash/ directory.
6 Backup the current base.def.hash.
7 Rename the base_HFA.def.hash to base.def.hash.
8 Access the $FWDIR/lib/ directory.
9 Backup the current traps.h file.
(Check Point NG with Application Intelligence R55 (HFA_R55_10) Release Notes.
Last Update - October 20, 2004)
10 Rename the traps_HFA.def file to traps.h. (Make sure that you verify file
permissions)
11 Access the $FWDIR/hash/ directory.
12 Backup the current traps.h.hash.
13 Rename the traps_HFA.h.hash to traps.h.hash.
14 Access the $FWDIR/lib/ directory.
15 Backup the current fwconn.h file.
16 Rename the fwconn_HFA.h file to fwconn.h. (Make sure that you verify file
permissions)
17 Access the $FWDIR/hash/ directory.
18 Backup the current fwconn.h.hash.
19 Rename the fwconn_HFA.h.hash to fwconn.h.hash.
20 Do the same for the following files under $FWDIR/lib directory:
- kerntabs.h
- pptp.def
- pptp_defs.def
- security_services.def
- tcpip.def
Note - fwconn.h does not have an associated hash file.
21 Add the following object to the database (You can use the dbedit tool):
: (PPTP_TCP
    :AdminInfo (
        :LastModified (
            :Time ("Mon Aug 27 14:54:08 2003")
            :By (CheckPoint)
            :From (CheckPoint)
        )
        :chkpf_uid ("{3D0471FF-9ED1-4762-B7EC-2F73E2E75D4F}")
        :ClassName (tcp_protocol)
        :table (protocols)
    )
    :res_type (none)
    :handler (pptp_code)
    :match_by_seqack (true)
    :type (tcp_protocol)
)
This object should be inserted in the 'protocols' set. For example, below the
existing object ENC-HTTP.
22 Edit the service pptp-tcp via SmartDashboard. In the 'Advanced' properties,
set the 'Protocol Type' to PPTP_TCP.
23 Use the service pptp-tcp in the rulebase (or via the 'Any' rule).
Note - With the fix enabled, it is no longer required (and not recommended) to
use an explicit rule for allowing GRE traffic.
24 Start the SmartCenter Server by executing cpstart.
25 Install a Security Policy.
26 The global parameter fw_pptp_enforce_protocol has to be set to 1 on the
module.
Note - (Important) This fix is currently not supported with SecureXL and Nokia
flows.
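
The backup-and-rename steps (1-20) above, as an added shell example that is not part of the release notes or of any post in this thread. It assumes the HFA variant of <stem>.<ext> is named <stem>_HFA.<ext>; the .pre_hfa backup suffix and the --apply argument are made up for this sketch. A file with no HFA hash is skipped, which covers the fwconn.h note.

```shell
#!/bin/sh
# Added example: swap in the *_HFA variants of the files listed in the release
# notes, keeping a backup of every original. Run between cpstop and cpstart.
# Assumption: the HFA variant of <stem>.<ext> is <stem>_HFA.<ext>.
HFA_FILES="base.def traps.h fwconn.h kerntabs.h pptp.def pptp_defs.def security_services.def tcpip.def"

# swap_one DIR NAME SUFFIX
# Returns 0 = swapped, 2 = no HFA variant present (nothing touched), 1 = error.
swap_one() {
    dir=$1; name=$2; suffix=$3
    cur="$dir/$name$suffix"
    hfa="$dir/${name%.*}_HFA.${name##*.}$suffix"
    bak="$cur.pre_hfa"            # hypothetical backup name
    [ -f "$hfa" ] || return 2
    # Never overwrite an earlier backup: it may be the only pristine copy.
    [ ! -e "$bak" ] || { echo "refusing: $bak already exists" >&2; return 1; }
    if [ -f "$cur" ]; then
        cp -p "$cur" "$bak" || return 1
        # Overwriting in place keeps the original file's mode and owner,
        # which is the point of "verify file permissions" in the steps.
        cp "$hfa" "$cur" || return 1
        rm -f "$hfa"
    else
        mv "$hfa" "$cur" || return 1
    fi
}

# activate_hfa FWDIR: process lib/ and hash/ for every listed file and
# print the number of lib files that were swapped.
activate_hfa() {
    fwdir=$1; swapped=0
    for f in $HFA_FILES; do
        rc=0; swap_one "$fwdir/lib" "$f" "" || rc=$?
        if [ "$rc" -eq 1 ]; then return 1; fi
        if [ "$rc" -eq 2 ]; then echo "skip $f: no HFA variant" >&2; continue; fi
        swapped=$((swapped + 1))
        rc=0; swap_one "$fwdir/hash" "$f" ".hash" || rc=$?
        if [ "$rc" -eq 1 ]; then return 1; fi
        if [ "$rc" -eq 2 ]; then echo "note: no HFA hash for $f" >&2; fi
    done
    echo "$swapped"
}

# Only touches the real installation when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then activate_hfa "${FWDIR:?FWDIR is not set}"; fi
```

To roll back, copy each .pre_hfa file over its original while the server is stopped.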