My apologies, but if you have been following this thread closely, ISS and Checkpoint have provided little to no support whatsoever. The best I could get out of either of them is an outdated document for Checkpoint Firewall-1 Version 4.1 and ISS Network Sensor 6.5. I did manage to dig up some additional source from Phoneboy and other sites that provided more details on how to setup the OPSEC with NG and ISS Network Sensor 6.5. This should not be about the unwillingness to share ideas but instead about the willingness to share findings and discoveries about discrepancies and unusual configurations pertaining specifically to ISS related products. Furthermore, if you were to take it upon yourself and contact ISS support directly yourself about this issue, you would find that the assistance you require would not be met satisfactorily. If you are an integral part of this mailing list and in some shape or form a subsidiary of ISS, then why have you not presented your findings to ISS so that they would have this useful information available for their userbase ? Perhaps I am wrong, but it seems apparent that posting this type of material to this mailing list would be very appropriate and beneficial to the userbase. Failure to offer this information could be construed asdetrimental. Let's say for example you discovered some strange anomaly with ISS Network Sensor 7.0 where certain alerts caused the ISSED database to crash. And Let's say that I had discovered an unusual workaround or fix for this strange issue and had tested this and managed to get everything to work and function on a highly acceptable basis. Allow us to further say that you posted your issue to the ISS mailing list and asked about this. Would it be ethical and reasonable for me to say that I am unwilling to share this information with you and even more, refuse to present my findings to ISS ???
-----Original Message----- From: Falck, Axel (ISS Paris) [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 5:35 AM To: Jeroen Veeren; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; Slighter, Tim; Brooks, Darrell W.; Nelson Fernando Aranzazu Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireW all-1 Jeroen, The best way now, is to contact the ISS technical support at [EMAIL PROTECTED] and probably Check Point support to investigate the issue I cannot do tech support on the ISSforum, which is not really the best way to do that. We can sharing our ideas to try to solve your issue. Hope this helps Nota: Long time ago, I have personnaly reconfigure Firewall NG with RealSecure 6.x on customer site with any trouble. Regards Axel FALCK -----Message d'origine----- De : Jeroen Veeren [mailto:[EMAIL PROTECTED]] Envoy� : lundi 7 octobre 2002 10:37 � : Falck, Axel (ISS Paris); [EMAIL PROTECTED] Cc : '[EMAIL PROTECTED]'; 'Slighter, Tim'; Brooks, Darrell W.; Nelson Fernando Aranzazu Objet : RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireW all-1 Axel, I think the big question is here: Do you have a working solution out there or not? Then we simply get things to buisiness; 1. If you have it working, please share your config so we can duplicate it. 2. If you don't get it to work, please contact checkpoint (don't let your customers do that!) and mail the list as soon as there is a solution. I sadly have to admit I share kevin's conclusions about just settling for the kills instead of the -IMHO- much more powerfull/desirable OPSEC mechanism. On a site note: Can I start asking about my options when I implement my second fw management server for redundancy. I don't see any options in the response settings, but I guess if it is not working wih one management server, it'll certainly be a dead end with two management servers...:o) Cheers, Jeroen. -----Oorspronkelijk bericht----- Van: Slighter, Tim [mailto:[EMAIL PROTECTED]] Verzonden: vrijdag 4 oktober 2002 18:02 Aan: 'Falck, Axel (ISS Paris)'; Brooks, Darrell W.; Nelson Fernando Aranzazu; [EMAIL PROTECTED] Onderwerp: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireW all-1 Aside from your recommendations. Did you meet with any success getting the network sensor to successfully generate an OPSEC command to the NG firewall ? We setup the entire design using the -ssl to ensure the OPSEC channel was being used as "Authenticated" and NOT "Authenticated with encryption". Actually, we tried it every possible way following word for word every step and instruction from all documents from Checkpoint and ISS and Phoneboy and the OPSEC still does NOT work. If you have been able to get this to work successfully and witnessing actual OPSEC events in the logs as well as actual OPSEC changes to the rules in the firewall, please share this information with the mailing list. Thank you -----Original Message----- From: Falck, Axel (ISS Paris) [mailto:[EMAIL PROTECTED]] Sent: Friday, October 04, 2002 1:02 AM To: Brooks, Darrell W.; Nelson Fernando Aranzazu; [EMAIL PROTECTED] Subject: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1 Did you tried http://www.phoneboy.com And so, use the -ssl option into your fwopsec putkey command on NG. Be aware that in any case the fwopsec putkey commanbd MUST be done in FIRST on Check Point, and after on RealSecure Hope this helps Axel FALCK -----Message d'origine----- De : Brooks, Darrell W. [mailto:[EMAIL PROTECTED]] Envoy� : jeudi 3 octobre 2002 23:42 � : Falck, Axel (ISS Paris); 'Nelson Fernando Aranzazu'; '[EMAIL PROTECTED]' Objet : RE: Configuring RealSecure to use OPSEC with FireWall-1 I have had the same issue, and Checkpoint is no help. The doc for this from the ISS page has not been very helpful either. I have had to issue the command from my management server to the gateway in this order: Fw sam -v -I src <IP Address> Modifying the fwopsec.conf file worked well on 4.1 but not on NG. Two calls to ISS support yielded little help. I hope someone has a real fix for this...it's a feature I really miss now that we have upgraded to NG. Thanks, Darrell -----Original Message----- From: Falck, Axel (ISS Paris) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 02, 2002 12:19 PM To: Nelson Fernando Aranzazu; [EMAIL PROTECTED] Subject: RE: Configuring RealSecure to use OPSEC with FireWall-1 TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hello, if the command fw sam -i src "any_ip_address" -t60 doesn't works, the issue is from CheckPoint software. This command is very usefull to check the OPSEC implementation on FW. it does works event no RealSecure Installed Hope this Helps Axel FALCK -----Message d'origine----- De : Nelson Fernando Aranzazu [mailto:[EMAIL PROTECTED]] Envoy� : mardi 1 octobre 2002 16:10 � : [EMAIL PROTECTED] Objet : Configuring RealSecure to use OPSEC with FireWall-1 Hello, I'm trying to implement OPSEC between Network Sensor 6.5 and CheckPoint Firewall-1 NG FP2 (installed with backward compatibility) but it doesn't work. I have already configured the "fwopsec.conf" file in the firewall, applied the keys and configured the network sensor to use OPSEC. But when I'm trying to test the SAM response executing "fw sam -t 60 -i any_ip_address" the firewall shows the follow message: "sam: Unexpected end of session. It is possible that the SAM request for 'Inhibit src ip any_ip_address on All' was not enforced." Had anybody had this kind of situation? Thanks. ________________________ Nelson Fernando Aranzazu Administrador LAN-WAN Equant - Data Center Bogot�, Colombia. - JENKENS & GILCHRIST E-MAIL NOTICE - This transmission may be: (1) subject to the Attorney-Client Privilege, (2) an attorney work product, or (3) strictly confidential. If you are not the intended recipient of this message, you may not disclose, print, copy or disseminate this information. If you have received this in error, please reply and notify the sender (only) and delete the message. Unauthorized interception of this e-mail is a violation of federal criminal law. This communication does not reflect an intention by the sender or the sender's client or principal to conduct a transaction or make any agreement by electronic means. Nothing contained in this message or in any attachment shall satisfy the requirements for a writing, and nothing contained herein shall constitute a contract or electronic signature under the Electronic Signatures in Global and National Commerce Act, any version of the Uniform Electronic Transactions Act or any other statute governing electronic transactions. _______________________________________________ ISSforum mailing list [EMAIL PROTECTED] _______________________________________________ ISSforum mailing list [EMAIL PROTECTED] _______________________________________________ ISSforum mailing list [EMAIL PROTECTED] _______________________________________________ ISSforum mailing list [EMAIL PROTECTED]
