I just want to share my recent experience regarding Checkpoint and domain objects with everyone.
   
I have NG Feature Pack 3 Provider-1 managing a single Nokia IP380. There are domain objects in the security policy which is working fine.
   
About 2 weeks ago, a person in our network operations group added a new domain object called ".google.com" into a group object called "test". This group object test only contains hosts that are residing behind the Nokia firewall. Obviously, the ".google.com" is NOT a host behind the Nokia firewall. It is an external host residing somewhere over the Internet. We started experiencing intermittent connectivity issues after that. Folks on the Internet could not get to some of the hosts residing behind the firewall and the issue is completely random. Each time, the issue is resolved by simply pushing the policy. We escalated this issue to Nokia PLS but sadly they didn't have a solution for us either.
   
Finally, by accident, I looked over some of the group objects in the security policy and I noticed that this domain object ".google.com" does not belong to any of the group objects residing behind the firewall. I removed this domain object from the group object "test" and repushed the policy. It's been about 2 weeks and we have not experienced any intermittent connectivity yet.
   
Just want to share my experience regarding domain objects with the group so that hopefully it will save someone time when troubleshooting this issue. I did not think that a domain object could cause this much trouble. By the way, I replicated this with NGx and I see the same thing. This only happens when you have moderate to heavy traffic on the firewall. Under light traffic, it did not cause any issues whatsoever.
   
  cisco4ng

       