If you have met with success in implementing a solution using OPSEC between ISS Network Sensor and Checkpoint NG, why have you not presented this as a written solution to Checkpoint or ISS? Under the circumstances that so many individuals have been seeking a working solution and that ISS and Checkpoint are both aware of the "non-working" issues of this particular environment, it would almost be imperative or compulsory that an individual would wish to share this information with the public community as well as the vendors. Perhaps it would grace your day with an overwhelming sense of philanthropy to enlighten the members of this mailing list by providing details about what exactly you did, how and what in this following quoted line??

"Note: Long time ago, I have personally reconfigured Firewall NG with RealSecure 6.x on customer site with any trouble."

Thanks and any disclosure would be greatly appreciated by the general public

-----Original Message-----
From: Falck, Axel (ISS Paris) [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 5:35 AM
To: Jeroen Veeren; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Slighter, Tim; Brooks, Darrell W.; Nelson Fernando Aranzazu
Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1

Jeroen,

The best way now is to contact the ISS technical support at [EMAIL PROTECTED] and probably Check Point support to investigate the issue. I cannot do tech support on the ISSforum, which is not really the best way to do that. We can share our ideas to try to solve your issue.

Hope this helps

Note: Long time ago, I have personally reconfigured Firewall NG with RealSecure 6.x on customer site with any trouble.

Regards
Axel FALCK

-----Original Message-----
From: Jeroen Veeren [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 7, 2002 10:37
To: Falck, Axel (ISS Paris); [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; 'Slighter, Tim'; Brooks, Darrell W.; Nelson Fernando Aranzazu
Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1

Axel,

I think the big question here is: Do you have a working solution out there or not? Then we simply get things to business;

1. If you have it working, please share your config so we can duplicate it.
2. If you don't get it to work, please contact checkpoint (don't let your customers do that!) and mail the list as soon as there is a solution.

I sadly have to admit I share Kevin's conclusions about just settling for the kills instead of the -IMHO- much more powerful/desirable OPSEC mechanism.

On a side note: Can I start asking about my options when I implement my second fw management server for redundancy.
I don't see any options in the response settings, but I guess if it is not working with one management server, it'll certainly be a dead end with two management servers...:o)

Cheers,
Jeroen.

-----Original Message-----
From: Slighter, Tim [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 4, 2002 18:02
To: 'Falck, Axel (ISS Paris)'; Brooks, Darrell W.; Nelson Fernando Aranzazu; [EMAIL PROTECTED]
Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1

Aside from your recommendations, did you meet with any success getting the network sensor to successfully generate an OPSEC command to the NG firewall? We set up the entire design using the -ssl to ensure the OPSEC channel was being used as "Authenticated" and NOT "Authenticated with encryption". Actually, we tried it every possible way, following word for word every step and instruction from all documents from Checkpoint and ISS and Phoneboy, and the OPSEC still does NOT work. If you have been able to get this to work successfully and are witnessing actual OPSEC events in the logs as well as actual OPSEC changes to the rules in the firewall, please share this information with the mailing list.

Thank you

-----Original Message-----
From: Falck, Axel (ISS Paris) [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 04, 2002 1:02 AM
To: Brooks, Darrell W.; Nelson Fernando Aranzazu; [EMAIL PROTECTED]
Subject: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1

Did you try http://www.phoneboy.com? And so, use the -ssl option in your fwopsec putkey command on NG. Be aware that in any case the fwopsec putkey command MUST be done FIRST on Check Point, and afterwards on RealSecure.

Hope this helps
Axel FALCK

-----Original Message-----
From: Brooks, Darrell W.
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 3, 2002 23:42
To: Falck, Axel (ISS Paris); 'Nelson Fernando Aranzazu'; '[EMAIL PROTECTED]'
Subject: RE: Configuring RealSecure to use OPSEC with FireWall-1

I have had the same issue, and Checkpoint is no help. The doc for this from the ISS page has not been very helpful either. I have had to issue the command from my management server to the gateway in this order:

fw sam -v -I src <IP Address>

Modifying the fwopsec.conf file worked well on 4.1 but not on NG. Two calls to ISS support yielded little help. I hope someone has a real fix for this...it's a feature I really miss now that we have upgraded to NG.

Thanks,
Darrell

-----Original Message-----
From: Falck, Axel (ISS Paris) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 12:19 PM
To: Nelson Fernando Aranzazu; [EMAIL PROTECTED]
Subject: RE: Configuring RealSecure to use OPSEC with FireWall-1

Hello,

if the command fw sam -i src "any_ip_address" -t60 doesn't work, the issue is from CheckPoint software. This command is very useful to check the OPSEC implementation on FW. It does work even with no RealSecure installed.

Hope this helps
Axel FALCK

-----Original Message-----
From: Nelson Fernando Aranzazu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 1, 2002 16:10
To: [EMAIL PROTECTED]
Subject: Configuring RealSecure to use OPSEC with FireWall-1

Hello,

I'm trying to implement OPSEC between Network Sensor 6.5 and CheckPoint Firewall-1 NG FP2 (installed with backward compatibility) but it doesn't work. I have already configured the "fwopsec.conf" file in the firewall, applied the keys and configured the network sensor to use OPSEC.
But when I'm trying to test the SAM response executing "fw sam -t 60 -i any_ip_address" the firewall shows the following message:

"sam: Unexpected end of session. It is possible that the SAM request for 'Inhibit src ip any_ip_address on All' was not enforced."

Has anybody had this kind of situation?

Thanks.

________________________
Nelson Fernando Aranzazu
Administrador LAN-WAN
Equant - Data Center
Bogotá, Colombia.

_______________________________________________
ISSforum mailing list
[EMAIL PROTECTED]
