My opinion on that is that the state table has a limited number of connections. If CP allowed any tcp connection
to stay resident in the state table for a long period of time, eventually, memory would be exhausted and no further
connections would be possible to the firewall.

Thinking along these lines, it probably is possible to max out the state table, and place the site in a DoS state.

Comments from the group of Checkpoint?

merlin

Robert MacDonald wrote:

Barry,

Figuring that CP is in the security related field,
it's probably for security reasons. Why should
a connection be left open, if nothing is going on?

Robert

>>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/17/00 1:33:41 PM >>>
>Well that is a good point. According to my working on the problem, there
>is a parameter called tcp keepalive. Unfortunately it has to be built within the
>client application. Noticed some threads about it, and Microsoft has some definitions in
>its Knowledge Base.
>
>The thing that is interesting is why Checkpoint limits the tcp idle time to 7200
>seconds.
>Any suggestions from the group?
>
>merlin
>
>Robert MacDonald wrote:
>
>> This seems awful expensive. Why spend big
>> $$(again) for a problem that can be fixed by
>> having the programmers fix the programs that
>> are running. Anything from a simple NOHUP
>> to actually spending 15 minutes to correct
>> the program to send all output to a file, email
>> or printer for analysis.
>>
>> Heck, why not just cron a ping or something.
>>
>> Robert
>>
>> - -
>> Robert P. MacDonald, Network Engineer
>> e-Business Infrastructure
>> G o r d o n   F o o d    S e r v i c e
>> Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>
>> >>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/16/00 7:27:46 PM >>>
>> >I have come across this same situation. As far as my experience, research, and
>> >asking of this group is concerned, the answer is "no".
>> >
>> >My suggestion would be to look into Nortel Extranet Contivity Switch products.
>> >Features:
>> >
>> >IPsec
>> >PPTP
>> >Time outs of 23 hours 59 minutes.
>> >Ability of users to change their own passphrases.
>> >Password aging.
>> >Authentication:
>> >        User base
>> >                Using pass phrases of at least 16 chars.
>> >        Radius
>> >        Entrust Certificates
>> >        Ldap
>> >
>> >Secure Remote as a product is a nice freebie from Checkpoint, but it has some
>> >severe limitations, one of them being this tcp time out issue.
>> >
>> >Hope this helps.
>> >
>> >merlin
>> >
>> >Doug Schmidt wrote:
>> >
>> >> Hi,
>> >> I have called CP Support and also searched the Phonyboy FAQ's, but nothing.
>> >> CP Support told me to increase the TCP Session Timeout. Which has a max
>> >> setting of 6500 seconds ( ~2 hours) which is not long enough for our needs.
>> >>
>> >> We have our user LAN behind the FW. Some of our developers on this LAN, need
>> >> to have telnet/ssh connections
>> >> to some servers (outside the FW), While these connections are open, they run
>> >> some jobs, which can last anywhere
>> >> from minutes to many hours. In the case of a job lasting say 4-5 hours, this
>> >> would not be long enough, since the FW
>> >> will drop the TCP Session when it is not active.
>> >>
>> >> Are there any workarounds or fixes to this problem? Any advice would be
>> >> great.
>> >>
>> >> Firewall Version 4.1 Build 41489 running on Slowaris 2.7
>> >>
>> >> ~D

-- 
Barry W. Kokotailo
Senior Unix Systems Administrator
1-780-675-6399
PGP =  71 71 96 A3 C0 C2 23 7A  23 4E D4 04 8C E0 42 6B  B0 2D D1 A5
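The thread points out that TCP keepalive has to be enabled by the client application, not by the firewall. As an added example that is not from any message in this thread, the Python script below shows what that looks like on the developer's side: it turns on SO_KEEPALIVE for a TCP socket and, where the platform exposes them (TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT on Linux, TCP_KEEPALIVE for the idle value on macOS), sets the probe timing so the first probe goes out well before the 7200-second idle limit discussed above. The 7200 figure is the one from the thread; the 50% safety factor and three probes are assumptions chosen here, and the local listener exists only so the example runs offline.

```python
import socket

# Firewall idle timeout from the thread (seconds). Anything else below is assumed.
FIREWALL_IDLE_TIMEOUT = 7200


def keepalive_params(fw_timeout, probes=3, safety=0.5):
    """Pick keepalive timing that fits inside the firewall's idle window.

    idle     - seconds of silence before the first probe (assumed: half the timeout)
    interval - seconds between probes, spread over the remaining window
    probes   - unanswered probes before the kernel declares the peer dead
    The worst case idle + probes*interval stays below fw_timeout.
    """
    idle = max(1, int(fw_timeout * safety))
    interval = max(1, (fw_timeout - idle) // (probes + 1))
    return idle, interval, probes


def enable_keepalive(sock, fw_timeout=FIREWALL_IDLE_TIMEOUT):
    """Enable keepalive on a connected TCP socket; returns the timing used."""
    idle, interval, count = keepalive_params(fw_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Per-socket timers: Linux names first, macOS name for idle as fallback.
    # Platforms without them fall back to the kernel-wide defaults.
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    elif hasattr(socket, "TCP_KEEPALIVE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle, interval, count


def keepalive_enabled(sock):
    """Read SO_KEEPALIVE back from the kernel."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def demo_local_connection(fw_timeout=FIREWALL_IDLE_TIMEOUT):
    """Open a loopback TCP connection, enable keepalive on the client side,
    and report what the kernel now holds for that socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, stands in for the remote server
    listener.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.connect(listener.getsockname())
        server_side, _ = listener.accept()
        idle, interval, count = enable_keepalive(client, fw_timeout)
        result = {
            "so_keepalive": keepalive_enabled(client),
            "idle": idle,
            "interval": interval,
            "count": count,
        }
        idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
        if idle_opt is not None:
            result["kernel_idle"] = client.getsockopt(socket.IPPROTO_TCP, idle_opt)
        server_side.close()
    finally:
        client.close()
        listener.close()
    return result


if __name__ == "__main__":
    print(demo_local_connection())
```

With the defaults this yields idle 3600 s, interval 900 s, 3 probes, so a dead peer is detected after at most 6300 s and a live one is refreshed every hour. Two caveats: keepalive probes are empty ACK segments, and whether a stateful firewall refreshes its entry on them depends on the product, so confirm with a deliberately idle test session before relying on it; and a cron'd ping does not address the problem, since ICMP echo traffic is tracked separately from the telnet/ssh session's TCP entry.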