Re: [FW-1] Basic Licensing Question
No, do not license the internal IP of the gateway. You want to apply all licenses to the management station, as you noted, using central licensing. This enables you to change the external IP of the gateway without having to relicense it. This article, skI2574, explains how to remotely install a module license using SmartUpdate. SmartUpdate is available to everyone to handle licensing even if you haven't paid for the license for its remote upgrade capabilities.

Briefly, you will set up SIC between the SmartCenter server and the remote gateway as explained in the article. SIC is an SSL certificate-authenticated connection. The remote gateway will have to accept control connections (which are in its implied rules). The connection will be between the SmartCenter server on the private range, out through its local gateway over the Internet, to the external IP of the remote gateway.

Hopefully I understood your concern.

Ray

From: Piri McMullan [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Basic Licensing Question
Date: Sat, 12 Jun 2004 13:33:46 -0700

This is my first post to this list and I am somewhat new to CP. I have taken over CP admin from a previous employee who used to only set up integrated mgmt/fw systems. I am setting up a first distributed config, separate mgmt and fw systems, and have a basic license question. I was under the impression that licensing had to be done according to the external interface, which is giving me problems as my mgmt is behind the fw inside a private range. Can I license against the private range without issue? I will be adding a few more fw modules external to the mgmt site. I am familiar enough with the product itself; however, I haven't had any real experience outside of integrated mgmt/fw systems, so centralized licenses are new to me.

= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=
Re: [FW-1] Complicated remote access problem using an internal firewall
Hi Joachim,

Since we've always used Office Mode, I never have understood or used IP Pool NAT and I'm not really sure what it does. There's no way I can have the IP Pool NAT behind the gateway route because it's a totally different network than we use. Can SR users getting an IP Pool NAT hide behind the gateway IP address? That would work.

Thanks,
Ray

From: Joachim Bassmann [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Complicated remote access problem using an internal firewall
Date: Tue, 15 Jun 2004 12:13:23 +0200

Hi Ray,

--On Saturday, 12 June 2004 17:26 -0400 Ray Pesek [EMAIL PROTECTED] wrote:

We would like to let them still use SecuRemote to connect to B and get authenticated. We would have to add the new subnet X to the encryption domain of B, but it's actually considered as external to B.

You might get away with using a NAT pool for the SR clients on B. Define the NAT pool as internal to B and make a rule on B which allows the NAT pool access to X. Then take care that the NAT pool is being routed from X to B.

Good luck,
Joachim Bassmann, DELOS AG, Stuttgart, Germany

Only when the last Counterstrike has been put on the index, the last video banned, and the Internet shut down will you realize that you still have to raise your children yourselves.
- [EMAIL PROTECTED]
Re: [FW-1] Complicated remote access problem using an internal firewall
Well, it's partially working but I don't think it's going to work as I want. Adding the IP Pool NAT changed it so that when I tracert to X from SecuRemote, my first hop is now B's external interface, whereas it timed out before. It now times out after this hop. If I'm reading this right, the network I'm using for IP Pool NAT must be able to be routed on its own between the B gateway and the X network. That's not going to happen because our internal routers are managed and it takes an act of the Almighty to get those things changed. Also, B is not the internal network's gateway out of the network; it's a host on that network.

Is there any way to add a NAT rule so that the IP Pool NAT network on B can use Hide NAT, so that it appears to be B's external IP address to our internal network?

Thanks,
Ray

From: Joachim Bassmann [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Complicated remote access problem using an internal firewall
Date: Tue, 15 Jun 2004 12:13:23 +0200

Hi Ray,

--On Saturday, 12 June 2004 17:26 -0400 Ray Pesek [EMAIL PROTECTED] wrote:

We would like to let them still use SecuRemote to connect to B and get authenticated. We would have to add the new subnet X to the encryption domain of B, but it's actually considered as external to B.

You might get away with using a NAT pool for the SR clients on B. Define the NAT pool as internal to B and make a rule on B which allows the NAT pool access to X. Then take care that the NAT pool is being routed from X to B.

Good luck,
Joachim Bassmann, DELOS AG, Stuttgart, Germany

Only when the last Counterstrike has been put on the index, the last video banned, and the Internet shut down will you realize that you still have to raise your children yourselves.
- [EMAIL PROTECTED]
Re: [FW-1] vpn licence question
Mine are central licenses on the management station so I can use them with any gateway.

Ray

From: Schiavetta, Massimo [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] vpn licence question
Date: Wed, 16 Jun 2004 12:31:03 +0200

Hello all!

I have an R55/StoneBeat cluster, and I'd like to add a VPN licence to this cluster. The question is: on which address should the VPN licence be set? The cluster's external (public) virtual IP, or one licence per real IP? Or even somewhere else than the public address?

Thanks a lot,
cheers,
Massimo

---
Massimo Schiavetta
System Administrator
Direct Line Insurance S.p.A.
Piazza Monte Titano, 10
20132 Milano, Italy
tel. +39.02.2172.5280
fax +39.02.2172.5240
http://www.directline.it
Re: [FW-1] VPN-1 Edge device
Hi Tom,

What sort of issues are you having? I'm getting my first Edge box on Friday to mess around with. If you check Nokia's KB and search on HFA you'll see they have the release notes posted for HFA 05 and 06. I think there were a few Edge fixes in HFA05 as well. Based solely on my reading, you need to be using a Simplified policy and must use certificate authentication. I've got SmartCenter Pro and just got SmartLSM fired up today. Are you using LSM?

Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] VPN-1 Edge device
Date: Wed, 16 Jun 2004 18:35:51 -0400

I have been trying to get a VPN Edge device to work in our lab with little to no success. I am wondering if there are any white papers out there that might help me get this working. I have a Provider-1 install R-55 HP4, Nokia IP-530 R55 HP4, Edge-X.

Thank you for any help in this.
Tom
[FW-1] encryption failure: decrypted methods didn't match rule (VPN Error code 03)
Some of my SecureClient users are suddenly getting this error:

Encryption Scheme: IKE
Encryption Methods: ESP: AES-128 + SHA1 + DEFLATE
Information: encryption failure: decrypted methods didn't match rule (VPN Error code 03)

I can't find it in the SecureKnowledge KB. I applied HFA06 to R55 a few days ago. Any thoughts are greatly appreciated!

Ray
Re: [FW-1] DNS Zone Transfers
What software are the DNS servers running? NT, 2000, BIND? If BIND 9, go into SmartDefense and try unchecking its DNS protection. Looks like your masters are running BIND 9, at least the external ones. Unless you've spoofed the version check, that is.

http://www.dnsreport.com/tools/dnsreport.ch?domain=howcogroup.com

Ray

From: Devanney, Mark [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] DNS Zone Transfers
Date: Thu, 17 Jun 2004 17:08:38 +0100

Hi All,

Have a problem with secondary DNS servers trying to do zone transfers with primary DNS servers. Sites not connected via Checkpoint transfer OK; sites connected via VPN do not. Have enabled accept domain name over UDP/TCP with no changes. Don't see any drops in logs. Anyone any thoughts?

Rgds,
Mark
Re: [FW-1] new HFA for R55 - HFA06
Hi Simon,

It looks like Check Point is posting them on their web site only if they contain security-related fixes. I suspect that is why they did not post HFA05 and HFA06. If you have a Check Point support contract, contact them and ask for it. We have our support through Nokia and that's where I picked it up. We're getting our first Edge box tomorrow and these fixes corrected some Edge-related issues.

CSP might be some kind of Check Point partner/dealer program. I guess if we have to ask, we don't have a need to know. :-)

Take care,
Ray

From: Simon Curtiss [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] new HFA for R55 - HFA06
Date: Fri, 18 Jun 2004 14:13:12 +1200

How soon do these appear for non-CSPs? (What is a CSP?) I can only see HFA04 for R55 on Windows on my login.

Cheers,
Simon

Simon Curtiss
IT Systems Administrator
ABN AMRO Craigs Limited
P.O. Box 13155
Tauranga, New Zealand
Tel +64 7 577 4708
www.abnamrocraigs.com

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Reinhard Stich
Sent: Thursday, 17 June 2004 3:52 a.m.
To: [EMAIL PROTECTED]
Subject: [FW-1] new HFA for R55 - HFA06

hi,

for CSPs this HFA is available in CSP download...

cheers
reinhard

--
Reinhard Stich
ASSIST [EMAIL PROTECTED] Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE
Fax: +43 1 3709440-333
Re: [FW-1] VPN-1 Edge device
I didn't know about the backwards compatibility requirement, either. Our Check Point SE is supposed to be at our local user group meeting this morning. If I remember I'll ask him.

Thanks for reporting what worked,
Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN-1 Edge device
Date: Fri, 18 Jun 2004 00:42:58 -0400

No problem, but the lack of documentation... I finally got this working today with LSM. I did not realize that you need backwards compatibility running for the SOFAWARE. I am going to go through the whole setup again tomorrow. Our management is on UNIX Provider-1, but we will be using LSM to manage the VPN Edge. It seems to be simple enough to set up now, but if you go by the very few docs it does not work well.
Re: [FW-1] DNS Zone Transfers
Hi Mark,

Did you push the policy after unchecking it? Are there any event log errors?

Ray

From: Devanney, Mark [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] DNS Zone Transfers
Date: Fri, 18 Jun 2004 15:02:31 +0100

Using 2000; have unchecked the UDP protocol enforcement but still can't transfer zones. I am just using internal DNS between subnets. All are OK apart from sites via FWs; all other traffic is normal between sites.

Rgds,
Mark

-----Original Message-----
From: Ray [mailto:[EMAIL PROTECTED]]
Sent: 17 June 2004 20:11
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] DNS Zone Transfers

What software are the DNS servers running? NT, 2000, BIND? If BIND 9, go into SmartDefense and try unchecking its DNS protection. Looks like your masters are running BIND 9, at least the external ones. Unless you've spoofed the version check, that is.

http://www.dnsreport.com/tools/dnsreport.ch?domain=howcogroup.com

Ray

From: Devanney, Mark [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] DNS Zone Transfers
Date: Thu, 17 Jun 2004 17:08:38 +0100

Hi All,

Have a problem with secondary DNS servers trying to do zone transfers with primary DNS servers. Sites not connected via Checkpoint transfer OK; sites connected via VPN do not. Have enabled accept domain name over UDP/TCP with no changes. Don't see any drops in logs. Anyone any thoughts?

Rgds,
Mark
Re: [FW-1] encryption failure: decrypted methods didn't match rule (VPN Error code 03)
Thanks Russell. I found a similar KB article that suggested we had partially overlapping encryption domains. Only a few SecureClient people, all Windows XP, were experiencing this issue, though. They also were seeing a "tunnel test failed" message on login. However, since we had just reconfigured the encryption domain on one of the two gateways a day earlier, it was worth looking into. I ran vpn overlap_encdom on the controlling SmartCenter server per SK21541 and it reported that none of the encryption domains overlapped. I put the encryption domain on the one gateway back to where it was and the problem stopped. Go figure.

Ray

From: Russell Aspinwall [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] encryption failure: decrypted methods didn't match rule (VPN Error code 03)
Date: Fri, 18 Jun 2004 13:31:38 +0100

Hi Ray,

I had a similar problem; the solution was to change PFS from 1024 bit back to 768 bit (originally 768 bit).

Ray wrote:

Some of my SecureClient users are suddenly getting this error:

Encryption Scheme: IKE
Encryption Methods: ESP: AES-128 + SHA1 + DEFLATE
Information: encryption failure: decrypted methods didn't match rule (VPN Error code 03)

I can't find it in the SecureKnowledge KB. I applied HFA06 to R55 a few days ago. Any thoughts are greatly appreciated!

Ray

--
Regards
Russell
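The vpn overlap_encdom check Ray ran compares every gateway's encryption domain against every other one. As an added example, not from this thread and not Check Point's own tool, the Python script below performs the same kind of comparison on constructed CIDR lists; the gateway names and networks in ENCRYPTION_DOMAINS are made up. Two CIDR prefixes either nest or are disjoint, so every hit it reports is one prefix contained in another. Ray's experience is the caveat worth keeping in mind: an all-clear only means the address ranges do not collide, it says nothing about whether the rule base and the clients still agree with a freshly changed domain.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample input: each gateway's encryption domain as CIDR prefixes.
# Gateway names and networks are invented for this example.
ENCRYPTION_DOMAINS = {
    "gw-east": ["10.1.0.0/16", "192.168.10.0/24"],
    "gw-west": ["10.1.5.0/24", "172.16.0.0/12"],
    "gw-lab":  ["192.168.200.0/24"],
}


def parse_domains(domains):
    """Turn {gateway: [cidr, ...]} into {gateway: [IPv4Network, ...]}.

    strict=True rejects prefixes with host bits set (e.g. 10.1.5.1/24), the
    kind of typo that silently widens or narrows a domain.
    """
    return {gw: [ip_network(p, strict=True) for p in prefixes]
            for gw, prefixes in domains.items()}


def find_overlaps(domains):
    """Report every pair of prefixes, in different gateways' domains, that
    share addresses.  Returns tuples (gw_a, net_a, gw_b, net_b, relation).
    Overlap within a single gateway's own domain is harmless and ignored."""
    parsed = parse_domains(domains)
    hits = []
    for (gw_a, nets_a), (gw_b, nets_b) in combinations(parsed.items(), 2):
        for a in nets_a:
            for b in nets_b:
                if not a.overlaps(b):
                    continue
                if a == b:
                    relation = "identical"
                elif b.subnet_of(a):
                    relation = f"{b} inside {a}"
                else:
                    relation = f"{a} inside {b}"
                hits.append((gw_a, str(a), gw_b, str(b), relation))
    return hits


def report(domains):
    """Human-readable summary: one line per overlap, or an all-clear."""
    hits = find_overlaps(domains)
    if not hits:
        return ["no overlapping encryption domains"]
    return [f"{gw_a} {a} overlaps {gw_b} {b}: {rel}"
            for gw_a, a, gw_b, b, rel in hits]


if __name__ == "__main__":
    for line in report(ENCRYPTION_DOMAINS):
        print(line)
```

Run as-is it reports the single collision in the sample (gw-west's 10.1.5.0/24 sits inside gw-east's 10.1.0.0/16); feed it your own exported domain lists to get the same check without touching the management station.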
[FW-1] Management High Availability licensing question
We have a SmartCenter Pro unlimited IP license on R55. It also has a SmartDefense license and 500 SecureClient licenses. It uses central licensing and manages an IP530 primarily. SmartCenter Pro does come with a Management HA license.

We also have an IP120 that was purchased about a year earlier that has a 5 IP license, no SmartDefense and no SecureClient licenses. It used to have its own management server. We moved the IP120 management on to the SmartCenter Pro a few months ago to free up the Windows 2000 server license it used. The IP120 had its license moved to the SmartCenter Pro central licensing.

If I'm reading the KB articles correctly, we only need the one HA license on the SmartCenter Pro to implement management high availability. Since we have a license for SmartCenter for the management server that used to manage the IP120, it appears we can use its license as a secondary management station to the main SmartCenter Pro. Is this correct?

The part that concerns me is where the articles say that the secondary management server must have the same feature set licenses. Does this mean we have to buy another SmartDefense license and another 500 SecureClient licenses to put on the secondary management station?

Any clarification would be greatly appreciated.

Thanks,
Ray
Re: [FW-1] VPN-1 Edge device
I'd appreciate a copy. Our Check Point SE in the Cleveland area has been super-helpful. I got the demo box last Friday and we've been exchanging emails and phone calls so I can get it figured out. They did get me the latest beta firmware to test with as well.

Since I'm on R55, the Sofaware connector is already installed but only partially activated. You have to run smsstart.bat to get the rest of it running. I haven't tried LSM yet, although I do have the Edge X working as a remote gateway. I also haven't gotten the part about getting it to talk to SmartCenter figured out yet either. :-) I will admit that I prefer to read and experiment, though.

One issue is that it's dropping some service as being in a different community ID. I think it's SWTP_SMS. There's supposed to be a new implied rule in R55 so you don't have to manually exclude it from the VPN community. I even manually excluded it, but it's still getting dropped.

The main issues I've run into have to do with how we have our main gateway set up with regard to routing and its encryption domain. We've got about 22 subnets behind the gateway and will be moving most of them to VPNs, hopefully. This, of course, means I can no longer use my gateway static route of 192.168.0.0/17 - internal router, and I have to add individual static routes for each internal network. Otherwise, when I throw a packet at the Edge gateway's internal network from the main internal network, it comes right back. And to think I never could make a boomerang work... I have to do the same thing with the encryption domain; otherwise packets coming from the test Edge box get dropped as being decrypted when the policy says they don't have to be.

The issue I'm working on now is that I can ping everything on the internal network from a laptop behind the Edge box, but when I try to ping the Edge box from some of the subnets, but not all, I get a "no valid SA" error. I now have a one-and-a-half VPN!

Ray

From: Stala [EMAIL PROTECTED]
To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN-1 Edge device
Date: Tue, 22 Jun 2004 16:54:27 -0400

Well, I finally have the VPN Edge device working with LSM. It works pretty slick, but there was very limited help from CheckPoint on getting this set up and working correctly. I am actually going to be giving it a live test tomorrow. I am working on a doc with the steps needed; when I am absolutely sure I have it all correct I will be glad to share it out.

- Original Message -
From: Ray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 6:35 AM
Subject: Re: [FW-1] VPN-1 Edge device

I didn't know about the backwards compatibility requirement, either. Our Check Point SE is supposed to be at our local user group meeting this morning. If I remember I'll ask him. Thanks for reporting what worked,

Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN-1 Edge device
Date: Fri, 18 Jun 2004 00:42:58 -0400

No problem, but the lack of documentation... I finally got this working today with LSM. I did not realize that you need backwards compatibility running for the SOFAWARE. I am going to go through the whole setup again tomorrow. Our management is on UNIX Provider-1, but we will be using LSM to manage the VPN Edge. It seems to be simple enough to set up now, but if you go by the very few docs it does not work well.
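Ray's routing and encryption-domain problem above can be checked mechanically. The Python below is an added example, not code from the post or from Check Point: it models the gateway's longest-prefix route lookup before and after replacing the 192.168.0.0/17 supernet route with per-subnet routes, and applies the same overlap test to the encryption domain. The internal-router and default next hops, the three stand-in internal subnets and the Edge LAN 192.168.77.0/24 are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed example (not from the post). Only the 192.168.0.0/17 supernet and
# the idea of one route per internal subnet are Ray's; the concrete subnets,
# next hops and the Edge box's LAN are assumed values.
INTERNAL_ROUTER = "192.168.1.2"   # assumed: hop toward the 22 internal subnets
EXTERNAL_HOP = "203.0.113.1"      # assumed: default route, where VPN traffic leaves
EDGE_LAN = "192.168.77.0/24"      # assumed: LAN behind the test Edge box

# Before: the supernet route also covers the Edge LAN, so packets for it go to
# the internal router and come straight back (the "boomerang").
ROUTES_BEFORE = [
    ("192.168.0.0/17", INTERNAL_ROUTER),
    ("0.0.0.0/0", EXTERNAL_HOP),
]

# After: one route per internal subnet (three shown standing in for the 22);
# the Edge LAN now falls through to the default route and the VPN.
INTERNAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]  # assumed
ROUTES_AFTER = [(s, INTERNAL_ROUTER) for s in INTERNAL_SUBNETS] + [
    ("0.0.0.0/0", EXTERNAL_HOP)
]


def next_hop(routes, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    addr = ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def boomerang_destinations(routes, remote_domains, vpn_hop):
    """Remote encryption domains whose traffic the route table would send
    somewhere other than the hop the VPN leaves through (checked at the
    domain's first address). Returns the offending (domain, hop) pairs."""
    bad = []
    for dom in remote_domains:
        net = ip_network(dom)
        hop = next_hop(routes, str(net.network_address))
        if hop != vpn_hop:
            bad.append((str(net), hop))
    return bad


def domain_overlaps(local_domain, remote_domains):
    """The same fix applies to the encryption domain: if the local domain still
    covers a peer's domain, the peer's packets are treated as traffic that
    should have been decrypted locally. Returns overlapping (local, remote) pairs."""
    pairs = []
    for loc in local_domain:
        for rem in remote_domains:
            if ip_network(loc).overlaps(ip_network(rem)):
                pairs.append((loc, rem))
    return pairs


if __name__ == "__main__":
    print("before:", boomerang_destinations(ROUTES_BEFORE, [EDGE_LAN], EXTERNAL_HOP))
    print("after: ", boomerang_destinations(ROUTES_AFTER, [EDGE_LAN], EXTERNAL_HOP))
    print("domain:", domain_overlaps(["192.168.0.0/17"], [EDGE_LAN]))
```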
Re: [FW-1] NG FP3 Upgrade suggestions
Hi Rick,

What made you decide to go to 3.8? I didn't see anything compelling in it as I read the release notes.

Thanks,
Ray

From: Rick Centner [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NG FP3 Upgrade suggestions
Date: Tue, 22 Jun 2004 16:05:51 -0400

I've deployed 3.8 to about 15 firewalls and haven't had any problems except the authentication failures in a clustered configuration. It's also about 12MB smaller than 3.7.1-010.

Grabowski, David wrote:

Management station: NG FP3 HFA_322 on W2K
Modules (4): NG FP3 HFA_322 on IPSO 3.6 FCS 13 on IP440

Considering an upgrade to R55. Planning to install the latest HFA. The big question: IPSO 3.7 or IPSO 3.8?

---
David Grabowski
Mizuho Securities USA, Equity Division
(212) 209-9349

--
Rick Centner
Global Security Engineer
Re: [FW-1] NG FP3 Upgrade suggestions
Thanks, that's interesting news. I'll have to go re-read the release notes.

Ray

From: Rick Centner [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NG FP3 Upgrade suggestions
Date: Tue, 22 Jun 2004 23:36:48 -0400

Hi,

There were actually a few things that it fixed for us; it's in the PDF release notes. It also helped with some of the out-of-state packets we have been seeing with certain TCP connections in the logs. We tested it in our lab for a week before rolling it out and noticed a significant performance increase as well, even with installing policies.

Rick

Ray wrote:

Hi Rick,

What made you decide to go to 3.8? I didn't see anything compelling in it as I read the release notes.

Thanks,
Ray
Re: [FW-1] Rule 998: DCE-RPC Problems
Hi Phillip,

- How can we turn this SmartDefense stuff off for the DCE-RPC?

It may not be a SmartDefense drop. We had several DCERPC problems after changing from SecureClient R54 to R55 and had a case with Check Point Nokia. The gateway and SmartCenter were on R55 base already. Our problems were related to using DCERPC via SecureClient (Outlook to Exchange), but that's the only way we allow that protocol through the gateway.

- Did we do something wrong (see steps above or in the link)?

Probably not.

- Did anyone else experience similar problems???

Never used R54. Went from FP3 to R55.

- If we upgrade to R55 is it enough to upgrade the management server, or do we need to upgrade also all the nodes?

That's a good question. According to the release notes, no, you don't need to upgrade the gateways to get the DCERPC fixes. HFA03 for R55 fixed almost all of the issues we were having with DCERPC SecureClient. Oddly, the fixes didn't work until after we upgraded the gateway. We have a distributed environment. Maybe it was because we were experiencing it with SecureClient. Don't know...

- Any help would be highly appreciated.

I don't know your setup, but if possible you should take the management station to R55 HFA06 and see what happens. You can still manage the R54 gateways with it. If that doesn't help, take the gateways to R55 HFA06 as well. The Check Point people we were working with indicated DCERPC handling had an extensive overhaul in the later HFAs of R55.

FWIW,
Ray
Re: [FW-1] VPN-1 Edge device
You cannot use vpn community object in the rulebase if you have an edge device. You have to use implicit vpn rule (checkbox in the community object).

Having fought this battle yesterday, I can assure you that you can use a community object in the rule base. The way to get it to work is to change the Install On column from * Policy Targets to the actual gateway that the rule applies to. When I had it as * Policy Targets, I got an error on Verify for every rule that had a VPN Community specified in the "if via" column, even though they were different communities.

Ray
Re: [FW-1] Anti-Virus through SecureClient NG
Set block on unverified to true in the local.scv file. It's a global setting, meaning that if any of the SCV checks are unverified, the connection is blocked. They can connect to the gateway and get authenticated, but they can't go anywhere.

Ray

From: Chontzopoulos Dimitris [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Anti-Virus through SecureClient NG
Date: Wed, 23 Jun 2004 13:08:33 +0300

I don't understand exactly what it is that you want to do, but McAfee has released VirusScan v7.1.0, which includes a plug-in for SecureClient.

::Quote:: (ReadMe.txt from VirusScan v7.1.0)
- Check Point(TM) VPN-1/Firewall-1(R) SCV integration. The VirusScan Enterprise software has been updated to integrate with Check Point VPN-1/Firewall-1 SCV. When installed and enabled, the Check Point product can be configured to prevent clients without up-to-date anti-virus protection from accessing the corporate network through the VPN.

I don't know, though, how on earth the Check Point product "can be configured to prevent..."!!! Maybe your client's McAfee retailer is a good place to start asking questions, or the McAfee knowledge base (though you'll need a username/password to access that).

Hope this helps.

Cheers,
Dimitris

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Brett, Gary
Sent: Wednesday, June 23, 2004 12:17 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Anti-Virus through SecureClient NG

Hi there,

My client is using SecureClient through NG FP3 HF2 using IP pool. I have a McAfee anti-virus server sitting inside the LAN and I am looking for a way to get it talking to the SecureClients when they are connected. I just wanted to find out whether any of you guys have an internal LAN AV server (not in DMZ) pushing updates to SecureClient boxes when they log in.

Any advice on how to configure this or what products you have been able to get working would be greatly appreciated.

Cheers,
Gary
Re: [FW-1] VPN-1 Edge device
Hmmm, that's a very good idea! Thanks!

Ray

From: Tom Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN-1 Edge device
Date: Wed, 23 Jun 2004 09:22:35 -0400

I just created a new rule base and called it Edge-profiles, and changed the install target to the profile object. This way I keep my rules separate.

- Original Message -
From: Ray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 9:02 AM
Subject: Re: [FW-1] VPN-1 Edge device

Having fought this battle yesterday, I can assure you that you can use a community object in the rule base. The way to get it to work is to change the Install On column from * Policy Targets to the actual gateway that the rule applies to. When I had it as * Policy Targets, I got an error on Verify for every rule that had a VPN Community specified in the "if via" column, even though they were different communities.

Ray
[FW-1] Edge setup - getting close!
I have the Edge X box set in a VPN Mesh community and it is talking back and forth to the primary gateway's encryption domain. These are the only two objects in the community so far.

First problem: We need all traffic from the Edge box routed down the VPN, even Internet traffic. When setting up an Edge box manually, there is a setup dialog to do just this. With it part of the community, I can't figure out how to route non-VPN Domain traffic down the VPN to the main gateway. This non-VPN Domain traffic isn't even getting logged anywhere that I can find. It seems to be getting dropped by the Edge firewall. A traceroute from the Edge internal network to an Internet address ends at the internal interface of the Edge box.

Second problem: How do I get the Edge box to send its logs to the SmartCenter server? I can't see that it's doing that.

Question: Some docs I got from Check Point show a sample Edge rule of:

Source: Dynamic Object InternalNet, Dynamic Object DMZ Net, and whatever that third default dynamic object is.
Destination: Any
Action: Accept
Install on: EdgeProfile

Since I am using different internal IP ranges for each Edge box, why would I need these? I have to confess that the only dynamic object I really understand is using a DHCP external interface. We're trying to replace frame connections with Edge boxes and not re-IP anything.

Thanks for any help and guidance you can lend,

Ray
[FW-1] Office Mode from inside anti-spoofing - is there a cure?
We need to be able to initiate a SecureClient Office Mode connection from within the VPN Domain for a couple of reasons. The first is initial setup of a computer. A second is allowing access to the firewall from an unknown IP address. I have the ipassignment.conf file in R55 HFA06 set up to always assign the firewall administrators a particular Office Mode address, and these addresses are allowed access to the firewall and management server. When I'm travelling at a remote company location, I can fire up SecureClient from within the VPN Domain and gain access to the firewall and management station. It works perfectly. Almost.

When the topology of the internal interface is set and anti-spoofing is checked, Office Mode IPs originating from the VPN Domain get dropped as "message_info: Address spoofing". The tunnel test fails and the logon to the policy server fails.

Check Point's sk25656 article, titled "Office Mode functionality when connecting from internal DMZ", says the problem is that the Policy Server only listens on external interfaces and that the workaround is to redefine the DMZ interface as an external interface. While this does work, turning off anti-spoofing on the DMZ interface also works, apparently showing that the Policy Server does listen on other interfaces. Unfortunately, redefining the primary internal interface as an external interface probably isn't a real good idea. :-)

Even more unfortunately, I can't push a policy to an Edge box if anti-spoofing is turned off on any interface, because the policy push whines about it and fails. So, I'm now having to quickly enable anti-spoofing on the internal interface, push the policy to the Edge box and main gateway, turn off anti-spoofing on the internal interface and re-push the policy to just the main gateway again. And I can't do this from a remote company location, because enabling anti-spoofing on the internal interface drops me as a spoof.

If anybody knows how to make R55 not drop Office Mode IP addresses from other than external interfaces, it would be greatly appreciated if you could let me in on the secret.

Thanks,
Ray
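The anti-spoofing drop described above can be modelled to see why each workaround helps. The Python below is an added example, a deliberate simplification rather than Check Point's own logic: each interface carries a topology, and a packet whose source address is not behind the interface it arrived on is dropped as spoofed. The interface names, the DMZ range and the Office Mode pool 10.20.30.0/24 are assumed; only the 192.168.0.0/17 internal range comes from the posts.

```python
from ipaddress import ip_address, ip_network

# Constructed model (added example, not Check Point's implementation).
OFFICE_MODE_POOL = "10.20.30.0/24"   # assumed pool from ipassignment.conf

TOPOLOGY = {
    # interface: (kind, networks that may legitimately be sourced behind it)
    "eth0": ("external", []),
    "eth1": ("internal", ["192.168.0.0/17"]),   # the /17 from Ray's posts
    "eth2": ("internal", ["172.16.5.0/24"]),    # assumed DMZ
}


def internal_networks(topology):
    """All networks claimed by some internal interface."""
    nets = []
    for kind, ranges in topology.values():
        if kind == "internal":
            nets.extend(ip_network(r) for r in ranges)
    return nets


def antispoof_verdict(topology, iface, src, antispoof_on=None):
    """Decide whether a packet with source `src` arriving on `iface` passes the
    interface's anti-spoofing check. `antispoof_on` maps interface -> bool and
    defaults to enabled everywhere."""
    antispoof_on = antispoof_on or {}
    if not antispoof_on.get(iface, True):
        return "accept"               # anti-spoofing switched off on this interface
    kind, ranges = topology[iface]
    addr = ip_address(src)
    if kind == "external":
        # External side: anything not claimed by an internal interface is fine.
        ok = not any(addr in n for n in internal_networks(topology))
    else:
        ok = any(addr in ip_network(r) for r in ranges)
    return "accept" if ok else "drop: Address spoofing"


def office_mode_reachable(topology, iface, pool=OFFICE_MODE_POOL, antispoof_on=None):
    """True if a client on `iface` using an Office Mode address gets past
    anti-spoofing. An Office Mode address is never in an internal topology,
    so on an internal interface it only survives with the check disabled."""
    probe = str(ip_network(pool)[10])   # any address out of the pool
    return antispoof_verdict(topology, iface, probe, antispoof_on) == "accept"


def redefine_as_external(topology, iface):
    """The sk25656 workaround: treat the interface as external. Its former
    ranges drop out of the internal set, so Office Mode sources pass on it."""
    new = dict(topology)
    new[iface] = ("external", [])
    return new


if __name__ == "__main__":
    print("internal, on :", office_mode_reachable(TOPOLOGY, "eth1"))
    print("internal, off:", office_mode_reachable(TOPOLOGY, "eth1", antispoof_on={"eth1": False}))
    print("dmz as ext   :", office_mode_reachable(redefine_as_external(TOPOLOGY, "eth2"), "eth2"))
```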
Re: [FW-1] Edge setup - getting close!
Turns out it is, although not as fast as I thought it would. It's not logging traffic coming in via the VPN, just stuff trying to go to targets outside of the primary gateway VPN Domain, which it is showing as accept and not encrypt. So I'm back to my original quandary of how to make it route everything down the VPN. Is this just not possible in a mesh VPN, or could it be done with a static route somehow? I dunno...

Ray

From: Ray [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Edge setup - getting close!
Date: Wed, 23 Jun 2004 19:49:29 -0400

Second problem: How do I get the Edge box to send its logs to the SmartCenter server? I can't see that it's doing that.
Re: [FW-1] Edge setup - getting close!
Nothing personal, Chris, but I hope that's wrong... :-) Although I was leaning toward that being the answer. sigh

Ray

From: Chris Hoff [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Thu, 24 Jun 2004 10:51:59 -0500

In order to route all traffic through the VPN, you have to be using a star community and check the radio button to route all traffic through the hub.

Regards,
Chris
Re: [FW-1] Edge setup - getting close!
Yeah, I saw some of that also until I got it managed by the SmartCenter server. I'm going to add its encryption domain to our network monitoring system and ping it every minute to get a better feel for what's going on. I was seeing continuous traffic flow from the Edge encryption domain, but the reverse was what was intermittent. Oddly, one of my internal subnets could ping it all the time, but a couple of others couldn't, and I was seeing a "no valid SA" message in the log from those subnets. In other words, some subnets were two-way and others were one-way, from the Edge to them but not back.

What firmware version are you on?

Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Thu, 24 Jun 2004 20:57:44 -0400

I keep getting a problem with the encryption domain going away. The tunnel is still up but no traffic will flow, and then for no reason at all the traffic starts flowing again. Lots more testing will need to be done.

- Original Message -
From: Ray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 4:50 PM
Subject: Re: [FW-1] Edge setup - getting close!

Nothing personal, Chris, but I hope that's wrong... :-) Although I was leaning toward that being the answer. sigh

Ray
Re: [FW-1] VPN/SecureRemote problem during key exchange
Check out sk23166. It says the VPN certificate on the firewall object is corrupt. Is this affecting just one client or all of them? If all of them, this might be the answer.

Ray

From: Michael Halligan [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] VPN/SecureRemote problem during key exchange
Date: Thu, 24 Jun 2004 16:24:48 -0700

I'm getting an odd error message during IKE key exchange when trying to do a client-site VPN. The error I'm getting is:

Negotiation with gateway IP at site IP hast failed. Received notification: invalid cookie.

I'm not finding information about this on CP's site or in any of the various manuals I have access to. Has anybody run into this before?

On the client end I'm running SecuRemote R55. On the server, R55 NG with AI.
Re: [FW-1] Problems with SecureClient and Internet Explorer?
No. What kind of problems?

Ray

From: Michael Schwartzkopff [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Problems with SecureClient and Internet Explorer?
Date: Fri, 25 Jun 2004 08:51:16 +0200

Hi,

Did anyone experience problems with Internet Explorer after installation of the SecureClient? Is there any documentation about such problems on the Internet?

Thanks for feedback.
Re: [FW-1] Problems with SecureClient and Internet Explorer?
No, but we run all IE usage through a proxy. We occasionally see this in IE when you try to go to an invalid URL and the proxy keeps trying. This causes IE to appear to freeze while the proxy is doing its thing. This is with or without SecureClient, though. We never see it on intranet sites that bypass the proxy, whether using SecureClient or not.

Ray

From: Michael Schwartzkopff
To: Ray [EMAIL PROTECTED]
Subject: Re: [FW-1] Problems with SecureClient and Internet Explorer?
Date: Fri, 25 Jun 2004 14:18:30 +0200

On Friday, 25 June 2004 14:04, Ray wrote: No. What kind of problems? Ray

Freezing in IE if you enter a URL manually.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: [FW-1] Monitoring Throughput (Kbps of an interface)
In SmartView Monitor, look near the upper right corner of the display. There's a little numeric display that gives you the total.

Ray

From: Shane Presley [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Monitoring Throughput (Kbps of an interface)
Date: Tue, 29 Jun 2004 11:40:10 -0400

I've been wondering two questions relating to throughput:
- How much traffic (in Kbps) is my firewall processing?
- How much traffic (in Kbps) is going to/from the Internet?

I am running NG AI R55 on Solaris 8. I have SmartView Monitor. Can I get this data from any Check Point tools or do I have to use something OS-specific, like MRTG? SmartView Monitor seems to get close, but it wants to break it down by service or host; I just want an overall number.

TIA, Shane
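The OS-level alternative Shane mentions (the route MRTG takes) is easy to do by hand on the Solaris 8 gateway he describes: sample the NIC byte counters from `kstat -p` twice and divide the difference by the interval. The Python below is an added example written for this archive, not code from the thread, from Check Point or from Sun. The `kstat -p` output it parses is constructed sample data (interface names and values are made up), and the counter names it looks for (rbytes/obytes and their 64-bit variants) are the conventional Solaris NIC statistics, assumed here rather than taken from the post. It shows the one thing MRTG gets right that a naive subtraction misses: a 32-bit byte counter wraps every 4 GB, which is a matter of minutes on a busy 100 Mbit/s link.

```python
import re

# Format printed by `kstat -p` on Solaris: module:instance:name:statistic<TAB>value
KSTAT_LINE = re.compile(
    r"^(?P<module>[^:\s]+):(?P<instance>\d+):(?P<name>[^:\s]+):(?P<stat>\S+)\s+(?P<value>\d+)$"
)

# Byte counters on a NIC kstat, in order of preference (assumed conventional names).
# The 64-bit ones do not wrap in practice; the 32-bit ones wrap every 4 GiB,
# roughly six minutes at a saturated 100 Mbit/s link.
RX_STATS = (("rbytes64", 64), ("rbytes", 32))
TX_STATS = (("obytes64", 64), ("obytes", 32))


def parse_kstat(text):
    """Return {interface_name: {statistic: int}} from `kstat -p` output.

    Lines that are not numeric statistics (class names, strings, other
    modules) are ignored.
    """
    counters = {}
    for raw in text.splitlines():
        m = KSTAT_LINE.match(raw.strip())
        if not m:
            continue
        counters.setdefault(m.group("name"), {})[m.group("stat")] = int(m.group("value"))
    return counters


def counter_delta(old, new, bits):
    """Bytes moved between two samples of a monotonic counter of `bits` width.

    Corrects exactly one wrap-around. If a 32-bit counter can wrap more than
    once inside your sampling interval, the interval is too long.
    """
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def _delta_for(stats_old, stats_new, candidates):
    """Delta for the first counter in `candidates` present in both samples."""
    for stat, bits in candidates:
        if stat in stats_old and stat in stats_new:
            return counter_delta(stats_old[stat], stats_new[stat], bits)
    return None


def throughput_kbps(snapshot_old, snapshot_new, interval_s):
    """Per-interface (rx_kbps, tx_kbps) between two `kstat -p` snapshots.

    Kbps here means 1000 bits per second, the convention MRTG uses for
    link rates (not 1024).
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    old = parse_kstat(snapshot_old)
    new = parse_kstat(snapshot_new)
    result = {}
    for iface in sorted(set(old) & set(new)):
        rx = _delta_for(old[iface], new[iface], RX_STATS)
        tx = _delta_for(old[iface], new[iface], TX_STATS)
        if rx is None or tx is None:
            continue  # not a NIC kstat (no byte counters on it)
        result[iface] = (rx * 8 / interval_s / 1000.0, tx * 8 / interval_s / 1000.0)
    return result


# Constructed sample snapshots, 10 seconds apart (made-up values, not a real box).
# hme0 exposes 64-bit counters; hme1 only the 32-bit ones, and its rbytes wraps.
SNAPSHOT_T0 = """\
hme:0:hme0:class\tnet
hme:0:hme0:rbytes64\t1000000
hme:0:hme0:obytes64\t500000
hme:0:hme0:rbytes\t1000000
hme:0:hme0:obytes\t500000
hme:1:hme1:rbytes\t4294960000
hme:1:hme1:obytes\t100
"""

SNAPSHOT_T1 = """\
hme:0:hme0:class\tnet
hme:0:hme0:rbytes64\t2250000
hme:0:hme0:obytes64\t1125000
hme:0:hme0:rbytes\t2250000
hme:0:hme0:obytes\t1125000
hme:1:hme1:rbytes\t40000
hme:1:hme1:obytes\t1100
"""

if __name__ == "__main__":
    for iface, (rx, tx) in throughput_kbps(SNAPSHOT_T0, SNAPSHOT_T1, 10).items():
        print(f"{iface}: in {rx:.1f} Kbps, out {tx:.1f} Kbps")
```

On the gateway, capture `kstat -p` twice ten seconds apart and pass both outputs to `throughput_kbps`. Summing every interface double-counts traffic the firewall forwards, so the Internet-facing interface on its own answers Shane's second question; the sum of all inside interfaces is closer to his first.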
Re: [FW-1] Edge setup - getting close!
Thanks for the update, Chris. We currently have a kind of modified Star for our WAN and we want to build redundancy in so if the corporate office goes down, at least the rest of the company can stay up (think Aug. 14 blackout). In a Star topology, if the central gateway goes nova, the rest of the planets go cold. We currently have everyone behind Hide NAT.

Ray

From: Chris Hoff [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Fri, 25 Jun 2004 08:59:37 -0500

I just got off the phone with Check Point for the same problem (except we are using IP40s). This is a known issue with all the sofaboxes, and there is supposed to be a new version of the firmware coming out on Monday to address it. The issue I am going to have is the firmware will have to go through Nokia's QA before being released, so I will not be able to apply it until who knows when.

Ray - is there a reason that the Star community presents a problem for you? I do know for a fact that is the answer if you are wanting to route all internet traffic through the Corporate Office (CO). The one thing you are going to have to make sure you address is routing issues once the packet leaves the CO headed to the internet (probably have to NAT outgoing connections from the remote offices).

Chris

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Thursday, June 24, 2004 10:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!

Yeah, I saw some of that also until I got it managed by the SmartCenter server. I'm going to add its encryption domain to our network monitoring system and ping it every minute to get a better feel for what's going on. I was seeing continuous traffic flow from the Edge encryption domain but the reverse was what was intermittent. Oddly, one of my internal subnets could ping it all the time but a couple others couldn't do it and I was seeing a "no valid SA" message in the log from those subnets. In other words, some subnets were two-way and others were one-way, from the Edge to them but not back. What firmware version are you on?

Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Thu, 24 Jun 2004 20:57:44 -0400

I keep getting a problem with the encryption domain going away; the tunnel is still up but no traffic will flow, and then for no reason at all the traffic starts flowing again. Lots more testing will need to be done.

- Original Message -
From: Ray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 4:50 PM
Subject: Re: [FW-1] Edge setup - getting close!

Nothing personal, Chris, but I hope that's wrong... :-) Although I was leaning as to that being the answer. Sigh.

Ray

From: Chris Hoff [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Thu, 24 Jun 2004 10:51:59 -0500

In order to route all traffic through the VPN, you have to be using a star community and check the radio button to route all traffic through the hub.

Regards, Chris

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Wednesday, June 23, 2004 10:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!

Turns out it is, although not as fast as I thought it would. It's not logging traffic coming in via the VPN, just stuff trying to go to targets outside of the primary gateway VPN Domain, which it is showing as accept and not encrypt. So I'm back to my original quandary of how to make it route everything down the VPN. Is this just not possible in a mesh VPN or could it be done with a static route somehow? I dunno...

Ray

From: Ray [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Edge setup - getting close!
Date: Wed, 23 Jun 2004 19:49:29 -0400

Second problem: How do I get the Edge box to send its logs to the SmartCenter server? I can't see that it's doing that.
[FW-1] SofaWare SMS process exits when logging off SmartCenter
In order to manage an Edge box from an R55 SmartCenter Server, you have to manually execute a batch file named smsstart.bat, nominally found in C:\WINNT\FW1\R55\bin. Once this is done, the Edge X box can connect to the SmartCenter server and be managed by it. Unfortunately, as soon as you log off the SmartCenter server, an event is generated that the SMS process has exited normally, and the Edge box can no longer talk to the SmartCenter server. This same issue was posted over on the SofaWare discussion forum back in April and I'm kind of surprised it's still there in R55 HFA06. Does anyone know of a fix? Outside of putting it in the registry manually, of course. :-)

Thanks, Ray
Re: [FW-1] User database installation on remote modules
sk18666 has a change you may need to make. I'm reluctant to post its details because it's not in the public SecureKnowledge database. The article references FP3. We upgraded from FP3 directly to R55 and still had to make this change. After making it, it works as advertised.

Ray

From: Christian ALT [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] User database installation on remote modules
Date: Wed, 30 Jun 2004 16:56:38 +0200

In NG AI R55 we have an issue with installing the user database on remote modules. In SmartDashboard we go under Policy - Install Database, and we only see the SmartCenter as a possibility. We do not see our remote modules, although we can load complete policies on the remote systems. The Check Point documentation states that this should be possible, so what is the solution?

Christian ALT
Telecom and Logistics Associates
Network and Security Company
http://www.tla.ch
Re: [FW-1] User database installation on remote modules
Gees, that's an article with pretty ugly ramifications! "Severe problems" and "unable to load rulebase"?? Thanks for pointing it out, Chris. Hopefully Check Point will yank one or the other article. I guess I better go undo that previous article.

Ray

From: Chris Hoff [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] User database installation on remote modules
Date: Wed, 30 Jun 2004 12:09:49 -0500

According to Knowledgebase article sk15270, this functionality was taken out of FP3 and above because of security considerations. Like Ray, I am reluctant to put the details in due to it not being in the public Knowledgebase. I would suggest contacting your Support Vendor in order to get this Knowledgebase article.

Chris

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Kathy Warner
Sent: Wednesday, June 30, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] User database installation on remote modules

We are having the same issue. Check Point support was unable to answer my question. My mgmt station is NG AI R55 and my remote modules are still NG FP2. CP support said that is the reason. Not sure if I believe that or not.
Re: [FW-1] Edge setup - getting close!
Are these in production yet? If not, ask your Check Point SE to see if they can get you a copy of the latest beta firmware. Another resource is the discussion forums at www.sofaware.com

Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Tue, 29 Jun 2004 23:06:05 -0400

I am running version 4.0.85x; hardware version is 1.0. I am getting a one-way encryption domain. I have the encryption domain set to a network object in the firewall; in the LSM I have the vpnedge object with an encryption range set in it. I can get traffic to encrypt from the Edge box to the Nokia but not back to the Edge box; I get an error that there is a translation error, and it is dropping it.
Re: [FW-1] Problem in Hide Nating
Do you have a static route in the firewall that says to send packets bound for the internal network to the next hop inbound router?

Ray

From: NAVTEJ KOHLI [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Problem in Hide Nating
Date: Thu, 1 Jul 2004 02:06:52 +0500

Hello Lists, I am stuck once again in Firewall configuration. I am able to connect the GUI to the Firewall box. Now I want to create hide NAT for my internal clients to access the internet. I am able to browse the internet from the firewall box. I installed Check Point on a Win2k box. In Check Point SmartView Tracker, I can see the accepted packet:

Number: 11
Date: 30 JUN 2004
Time: 15:18:49
Product: VPN-1 FireWall-1
Interface: eth1
Origin: Local_Firewall
Type: Log
Action: Accept
Protocol: tcp
Service: http (80)
Source: TEST (10.0.0.35)
Destination: 218.232.109.212
Rule: 4
NAT rule number: 2
NAT additional rule number: 0
Source Port: 4193
XlateSrc: Local_Firewall
XlateSPort: 17172

But I am unable to reach the internet from the client machine. Please help me out to find the solution. I am waiting for your valuable reply.

Thanks, TEJ KOHLI
Re: [FW-1] Edge setup - getting close!
I'm not using LSM but rather a community. I disabled NAT in the community and on the Edge box. I also set up the Edge box so its Service Center is my SmartCenter server. Once I pushed the policy to the main gateway and the Edge box, a policy which did not have any Edge-specific rules, it went two-way. I've got the beta 4.5 software running on it.

Ray

From: Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge setup - getting close!
Date: Wed, 30 Jun 2004 19:03:01 -0400

Naw, not even close to production yet. I am still having the issue with the one-way traffic. I don't remember any translation rules that are affecting it, but I will check tomorrow. Thanks for the info...
[FW-1] R55W SSL Network Extender released
Both are now available from the Check Point download site. From a presentation I saw on the SSL Extender, it looks pretty nice and is supposed to be priced the same as a SecureClient license, although it seems to lack the client-side firewall. Oddly, neither the license agreement nor the release notes say how it's priced at all. Or at least not that I could find. No mention of license keys or anything, just that you have to have a valid license and are subject to a license audit. Unfortunately, the user guide says the client must have administrator rights to install, uninstall or upgrade the SSL Extender control. Even more unfortunate, this release specifically requires R55 HFA04, which leaves those of us on a later HFA due to Edge usage out of luck for now. No Nokia packages yet either.

R55W's new web defense features do require a separate license, but all existing SmartDefense features are supposed to still be available and have been enhanced in various ways. In addition, peer-to-peer protection now works regardless of the port the P2P application is trying to use. Unfortunately, Floodgate is not supported in R55W, which probably means I won't be able to use it. Neither is UserAuthority. No Nokia packages yet.

Ray
Re: [FW-1] R55W SSL Network Extender released
I found an FAQ that says the SSL Extender will not work if you use SCV, and we use it extensively. Maybe the next release of VPN-1 will allow more granularity on whether SCV is enforced, such as allowing multiple remote access communities and enforcing SCV by community instead of globally.

Ray

From: Ray [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] R55W SSL Network Extender released
Date: Wed, 30 Jun 2004 23:04:32 -0400
Re: [FW-1] schedule powerdown of nokia firewall
I can't answer this question, but the last two times we had a power failure and the IP530 went down hard, it didn't come back up. Seems to me we were on IPSO v3.7 build 32 at the time. When the power came on, it only partially came up. I had to connect a console cable and a df showed just the boot partition, no other partitions. I had to run fsck and answer Y to each question about fixing things (I didn't want to use fsck -y because I wanted to see what was going on). After fsck finished and I rebooted, it came up normally both times. This problem didn't happen when we were on IPSO 3.6 build 7 and I haven't had a power failure since we went to 3.7.1 Ray From: Raymond Jacob [EMAIL PROTECTED] Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [FW-1] schedule powerdown of nokia firewall Date: Thu, 1 Jul 2004 18:45:16 + We have a power outage comming up and I don't want to be there. Can I put an entry in the crontab of the nokia below? 00 23 3 * * (fwstop;sleep 5; poweroff) Alternatively, I could figure out the shutdown.tcl in voyager but I am a little pressed for time. thank raymond PS: when power comes back on will the firewall start backup automatically or do I need some one there to flip the switch? _ From will you? to I do, MSN Life Events is your resource for Getting Married. http://lifeevents.msn.com/category.aspx?cid=married = To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail = To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html = If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] = _ Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. 
[FW-1] Open ports on an Edge?
If someone has an Edge box set up, would you please check and see if ports 80 and 443 are open on the internal interface? We've got a demo unit running the 4.5.29 beta firmware and have remote admin access allowed over the VPN. I was quite surprised to see that going to it via http://internalIP brings up the login interface replete with the firmware version and everything. Going to https://internalIP brings up a generic login box without any of the detail. The administrative interface is supposed to be (and is) on http://internalIP:981. I'm wondering why I'm seeing the administrative interface on 80 and 443 as well, and why 80 has such a huge amount of detail available before a login occurs.

Thanks,
Ray
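A defender's check for the observation above, added here as an example (not SofaWare's or Check Point's code): it classifies the unauthenticated page served on each internal-side port as a login page or not, flags the admin login page on any port other than the documented 981, and reports a firmware version string disclosed before login. The HTTP bodies in SAMPLE_RESPONSES are constructed to mirror the post; the login and version heuristics are assumptions.

```python
"""Audit check for the VPN-1 Edge observation above (added example, not
SofaWare's or Check Point's code): which internal-side ports answer with an
admin login page, and whether the pre-authentication page discloses the
firmware version. The HTTP bodies in SAMPLE_RESPONSES are constructed."""
import http.client
import re
import ssl
from typing import Dict, List

# The documented admin port per the post; 80 and 443 are not expected to serve it.
EXPECTED_ADMIN_PORTS = {981}
PROBE_PORTS = (80, 443, 981)

# Heuristics (assumptions): a page with both markers is a login page, and any
# dotted triple such as 4.5.29 counts as a version string.
LOGIN_MARKERS = ("login", "password")
VERSION_RE = re.compile(r"\b\d+\.\d+\.\d+\b")


def audit_response(port: int, body: str) -> Dict[str, object]:
    """Classify one unauthenticated response body seen on `port`."""
    lower = body.lower()
    is_login = all(marker in lower for marker in LOGIN_MARKERS)
    versions = VERSION_RE.findall(body)
    findings: List[str] = []
    if is_login and port not in EXPECTED_ADMIN_PORTS:
        findings.append(f"admin login page reachable on unexpected port {port}")
    if versions:
        findings.append("firmware version disclosed before login: " + ", ".join(versions))
    return {"port": port, "login_page": is_login, "versions": versions, "findings": findings}


def audit_all(responses: Dict[int, str]) -> List[str]:
    """Run audit_response over every captured port and flatten the findings."""
    findings: List[str] = []
    for port in sorted(responses):
        findings.extend(audit_response(port, responses[port])["findings"])
    return findings


def fetch_root(host: str, port: int, timeout: float = 3.0) -> str:
    """GET / from host:port for a live audit of your own appliance.

    TLS is used on 443; the appliance certificate is assumed to be self-signed,
    so verification is switched off for this one-off check. Returns "" when
    nothing answers, which audit_response treats as "no login page".
    """
    if port == 443:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return ""
    finally:
        conn.close()


# Constructed bodies modelled on the post: 80 shows the full login page with
# the firmware version, 443 a generic login box, 981 the documented admin UI.
SAMPLE_RESPONSES = {
    80: "<html><title>Login</title>Firmware 4.5.29<form>Username Password</form></html>",
    443: "<html><form>Login Password</form></html>",
    981: "<html><title>Admin Login</title>Firmware 4.5.29<form>Password</form></html>",
}

if __name__ == "__main__":
    # Offline run over the constructed responses; swap in
    # {p: fetch_root("internalIP", p) for p in PROBE_PORTS} for a live check.
    for line in audit_all(SAMPLE_RESPONSES):
        print(line)
```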
Re: [FW-1] NG FP2 --- NG AI_R55 HFA_02
For whatever it's worth, I went directly from FP3 to R55 and then applied the hotfixes. The current hotfix for R55 is HFA06. I would say HFA04 is the minimum HFA for R55 due to security fixes. If you're on IPSO, you'll have to make sure you're on a 3.7 version of IPSO before you can install R55. That will probably require an intermediate install of FP3, since I think IPSO v3.7 requires FP3 HF2 as a minimum before it can be installed.

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] NG FP2 --- NG AI_R55 HFA_02
Date: Thu, 1 Jul 2004 18:03:31 +0300

Hi,

Is it possible to jump directly to NG AI_R55 HFA_02 from FP2? And what should I keep in mind when doing this?

Thanks

***
Cihan SUBASI
Garanti Technology Internet ve Yazilim Hizmetleri
Tel: (90)(212)4783426
GSM: (90)(533)(2750353)
Fax: (90)(212)6576150
http://www.garantitechnology.com/
mailto:[EMAIL PROTECTED]
Success is a wonderful thing, but never underestimate the value of failure. Failure teaches many more things than success ever can.
***
Re: [FW-1] Blocking of port 264 and 18264 on Checkpoint
Yes, we set everyone to UDP encapsulation and IKE over TCP and have no NAT issues.

Ray

From: Raymond Jacob [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Blocking of port 264 and 18264 on Checkpoint
Date: Thu, 1 Jul 2004 19:07:40 +

Can the SecureRemote/SecureClient VPN clients be NAT'ed behind a firewall? I know NAT-T (UDP encapsulation) will work, but I was not sure if ports 264 and 18264 would work if the source IP address of the client was NAT'ed.

Thank you,
Raymond
Re: [FW-1] Help, SecureClient SCV configuration
You can use the SecureClient Packaging Tool to customize your installation executable. One of the customizations is to disable the end user's ability to disable the policy.

Ray

From: yang ya bin [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Help, SecureClient SCV configuration
Date: Fri, 2 Jul 2004 14:40:38 +0800

Hi, all,

I met some problems when implementing SecureClient. Here's the environment:

Management Server: NG AI R54
Desktop: Windows 98, Windows 2000
SecureClient: R54, R55 for Windows 98; R54, R56 for Windows 2000

In SecureClient, there is a menu item named "disable policy". When a desktop connects to the enterprise LAN, a policy is loaded at the desktop; then the user can select the menu item to disable the policy, and the VPN tunnel is still open. I can edit Userc.C's manual_slan_control to make the menu item inaccessible, but the IT manager was afraid that some guys will edit the Userc.c by themselves. I think SCV may do the check. Does anyone know which Check Point built-in SCV check can be used to check whether SecureClient's policy is enforced? Thanks!

Another question: Check Point R55's doc VPN1.pdf chapter 15 said manual_slan_control is a Global property, but I can't find the related item under SmartDashboard Global Properties. Does anyone know where it is? Thanks!

b, rgds
yang yabin
[FW-1] The file fwnetcfg.dll on Check Point Firewall-1 Disk is needed.
For those of you experiencing this during a SecureClient installation, Check Point has posted resolution sk24348. It only happens if one of two particular builds were previously installed.

Ray
Re: [FW-1] SPLATvs Nokia
Hi Utsav,

If you have access to the HFA07 release notes, do they say anything about problems with User Monitor not syncing anymore or with VPN Error Code 03 on SecureClient usage? I've been having both of these issues since going to HFA06, but can't say positively that that is what caused it.

Thanks,
Ray

Updates: Check Point releases updates for SPLAT quite frequently. My gripes in this area are that they don't keep User Center up-to-date (they're up to HFA 07 on NG AI R55 but still only show HFA 04 on User Center; I go through my SE for all support issues). Their documentation for non-major releases is awful, and I maintain a development lab to test everything I'm considering for production-wide deployment because, as with any software vendor, a fix for one issue could introduce a host of other problems.

Online support: for me, it's a mish-mash of CP's knowledge base, Google searches, newsgroups and online mailing lists. More often than not, this gets me the answers I need.

If there's anything else you'd like to know, just ask.
Re: [FW-1] management through VPN woes
Do you have it set to rematch connections after a policy install? I push policy to R55 via SecureClient all the time and never get kicked off.

Ray

From: Sascha Picchiantano [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] management through VPN woes
Date: Tue, 6 Jul 2004 12:48:54 +0200

Hi,

| Personally I would expect it to knock you off every time due
| to the VPN being
| broken when a policy is installed.

That would not explain why I do NOT get kicked out on subsequent installs.

Sascha
Re: [FW-1] management through VPN woes
Don't sell your knowledge short, Neil. This may be a red herring.

Gateway Properties > Advanced > Connection Persistence

I don't know if it works with remote access connections as well; I just know I have rematch selected and I never get booted out.

Ray

From: Neil Kemp [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] management through VPN woes
Date: Tue, 6 Jul 2004 21:18:54 +0100

Shows how much I know!! This should work with standard SecuRemote connections also? I always thought the VPNs were re-keyed at that point when a policy is pushed. Where is the setting to set it to rematch connections?

Thanks.

Ray wrote:

Do you have it set to rematch connections after a policy install? I push policy to R55 via SecureClient all the time and never get kicked off.

Ray

From: Sascha Picchiantano [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] management through VPN woes
Date: Tue, 6 Jul 2004 12:48:54 +0200

Hi,

| Personally I would expect it to knock you off every time due
| to the VPN being
| broken when a policy is installed.

That would not explain why I do NOT get kicked out on subsequent installs.

Sascha
Re: [FW-1] Backing Up FW-1 Management on w2k
I create an image of it using DriveImage Pro every couple of weeks or so for disaster recovery.

Ray

From: Juan Andrés Galavís [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Backing Up FW-1 Management on w2k
Date: Wed, 7 Jul 2004 12:11:46 -0400

Hello list!

Any ideas/procedures for backing up a Management Module on a W2k server? Which is the best approach?

Thank you.

Cheers/Saludos!
Juan Andrés Galavís
Re: [FW-1] Debug options for sms edge (Intern)
The SMS process allows the Edge box to talk to the SmartCenter server. There's a known bug where logging OFF of the Windows 2000 SmartCenter server will kill the SMS process. If you lock the server instead of logging off, the SMS process keeps running. If you need to restart it, you can execute smsstart.bat from a command prompt. I've got a case open on this with Nokia now, but the ball is now in Check Point's lap. I've not seen cpstart kill it, though, but I'm on HFA06, which has some Edge fixes built in.

Ray

From: Kristen Thorsen NOMIME [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Debug options for sms edge (Intern)
Date: Wed, 7 Jul 2004 14:30:09 +0200

Hi,

After applying the HFA04 patch, the SMS process dies upon cpstart. Where can I find log/debug information about why this happened? Which binary is the SMS process anyway? Anyone?

Kristen Thorsen
GSM + 47 99536503
[EMAIL PROTECTED]
Re: [FW-1] User Database Management
Hi Alan,

There was just a discussion on this a few days ago. It seems that starting with FP3, Check Point removed that option by default, no longer listing the gateways. They have a KB article that gives a dbedit change you can make to restore this functionality. However, there seems to be a catch: due to some security enhancements in FP3 and later, it's apparently possible to get a mismatch between the rulebase and the user database if you use install database. If you have a user listed in a rule and install the database only after having deleted that user for whatever reason, it's apparently possible that the firewall won't start.

Ray

From: Alan Baker [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] User Database Management
Date: Thu, 8 Jul 2004 12:29:12 +0100

We've just upgraded from 4.1 to NG AI (R55) HFA_04. Management and Firewall are on separate Solaris boxes. Previously I'm fairly certain we were able to modify User Accounts (for VPN) and just (re-)install the user database. Now it seems like we have to (re-)install/push the policy as well. Has there been a change here somewhere?

I ask because the User Admin is normally done by another administrator who doesn't normally need full write access to the rule base etc. So I give him a customised permissions profile that only allows access to the User database.

Alan
Re: [FW-1] Nokia log error. : FW-1: fwconn_chain_get_something: fwconn_chain_lookup failed (5)
Yeah, there's a Nokia KB article on it that says it's benign and to ignore it. It was supposed to be fixed in a later version of IPSO. I don't see it any more on 3.7.1 build 10.

Ray

From: Tom Stala [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Nokia log error. : FW-1: fwconn_chain_get_something: fwconn_chain_lookup failed (5)
Date: Thu, 8 Jul 2004 14:33:21 -0400

[LOG_CRIT] kernel: FW-1: fwconn_chain_get_something: fwconn_chain_lookup failed (5)

Anyone ever see this? I was just browsing around the logs on the Nokia and I see this pop up every now and then in the logs. Well, it is only every three days, so not too important; just curious as to what it is.
Re: [FW-1] Tunnel Test Fails for VPN-1 Edge
You need to go talk to them again. I got the 4.5.29 firmware beta, and the www.sofaware.com site had a note a few days ago that an even newer beta version is available. They also have this message in their discussion forums:

--
posted July 09, 2004 01:01 AM
We are happy to announce that SmartCenter R55 HFA7 (Hot Fix Accumulator 7) has been released. This release includes significant enhancements for managing VPN-1 Edge and Nokia IP40 devices. The new release is available from the Check Point download center.
--

Ray

From: Stewart Williams [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Tunnel Test Fails for VPN-1 Edge
Date: Fri, 9 Jul 2004 10:53:05 -0400

I called Check Point, and they said that the firmware they gave me a couple of months ago is newer than the one released. I guess I got this one ahead of schedule. He said it takes a while for the releases to come down from Israel. I am also having a problem with the certs disappearing every so often. There is no rhyme or reason to it. I'm forced to re-upload the cert to get the VPN back up. Strange and frustrating.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Stewart Williams
Sent: Friday, July 09, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Tunnel Test Fails for VPN-1 Edge

Huh, OK, I see it on the site. The problem is I am using a firmware that Check Point sent to me a couple of months ago to fix a problem; the firmware release number for the one they sent me was 4.5.21. Did anyone else get the 4.5.21 release? It added different icons and network views, as well as dial-up options and traffic shaper.

stew

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Curtin
Sent: Thursday, July 08, 2004 10:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Tunnel Test Fails for VPN-1 Edge

I was speaking to an SE from Check Point last night. He did mention that there is a new version of VPN-1 Edge X OS that fixes VPN issues between an Edge device and a VPN-1 firewall module. It is available for download from the Check Point site; a valid software subscription is required to get the download. Version 4.0.93

HTH
Mike

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Stewart Williams
Sent: Friday, 9 July 2004 5:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Tunnel Test Fails for VPN-1 Edge

Yeah, I thought that might be an issue, but the time matches up with the rest of the devices. Just doesn't make sense. Thanks for responding!

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Plaenk
Sent: Thursday, July 08, 2004 10:38 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Tunnel Test Fails for VPN-1 Edge

Check to make sure that the time on the Edge box matches up with the time on the other server. If it's out by too much, it will have problems with the tunnel as well. I ran into this issue myself.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Stewart Williams
Sent: Thursday, July 08, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Tunnel Test Fails for VPN-1 Edge

I have a setup that has several VPN-1 Edges at remote offices. For whatever reason, the tunnel tests from one of these devices are being dropped by the firewall cluster (R55) cleanup rule. The others are working fine; they are being decrypted by rule 0. There are also problems with the VPN with this device, perhaps caused by the tunnel test failures? I periodically have to disable and re-enable the site to get traffic to flow. Has anyone heard of this?

Stew
Re: [FW-1] Outlook Web Access
Does a simple "telnet owaserver 80" and "telnet owaserver 443" produce a connection?

Ray

From: theG man [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Outlook Web Access
Date: Fri, 9 Jul 2004 19:28:26 -0700

Hi everyone,

Is anyone experiencing problems with accessing OWA (Exchange 2003) over the Internet? What ports need to be opened on the firewall except HTTP and HTTPS? From inside the network, OWA works fine, but from outside, "THIS PAGE CAN NOT BE DISPLAYED" would come up. Our environment is a distributed env, and I should add, we have SmartDefense enabled too.

Please help

Sam

Thanks
[FW-1] Have any of you pioneers tried R55 HFA07 yet?
If so, any difficulty reports would be appreciated, particularly on Windows 2000 management stations and Nokia IPSO gateways.

Thanks,
Ray
Re: [FW-1] Checkpoint Licensing
Don't forget to count outbound mail servers, anti-virus servers, clients looking for updates, DNS servers, etc. as IP addresses crossing the firewall. We've also seen backup software and other products looking for automatic updates going out quite a bit. You may have far more than the 100 you think you do. As I recall, at least when we licensed, 251 and above is considered unlimited.

Ray

From: Subhasis Gupta [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Checkpoint Licensing
Date: Mon, 12 Jul 2004 00:13:42 -0700

Hi All!

We currently have 59 locations, with each location being on a LAN. All the locations are connected in a WAN. Only 100 users across the WAN have access to Internet mail and Internet browsing. The number of PCs in the WAN across the 59 locations is 900. However, all the locations can access the Internet and transact mail if we allow the same on the firewall.

My question is,
1) Should I take firewall licenses only for the 100 users who can actually transact mail and browse the Internet?
2) Or should I take firewall licenses for all the 903 users?

We have contacted two vendors. One of them is saying that we need to take 100 licenses, while the other is saying that we need to take 903 licenses. Can someone please let me know which would be correct? Also, is there any document which gives correct licensing details of Check Point FW-1 in clear layman's terms? (Of course, if I take 903 licenses, there would be no violation, but if only 100 are taken when I should take 903, I would land in trouble.)

Subhasis
Re: [FW-1] Hangups with Sysprep using SecureClient
Hi David,

We handle this issue by keeping SecureClient in a folder on the hard drive and not installing it until the image is restored. This keeps us from having to recreate an image just because SecureClient changed. Since last June, we've had the R54 client, the R55 client, the R56 client and now the R55 HFA02 client.

Also note that there is an issue with having SecureClient installed in the image. The first time it is installed on a computer, it creates an unchanging virtual MAC address in the registry. If you don't delete that registry key before creating the image, you will have multiple computers trying to get the same Office Mode IP address.

Ray

From: Bakin David [EMAIL PROTECTED]
Subject: [FW-1] Hangups with Sysprep using SecureClient
Date: Mon, 12 Jul 2004 16:30:01 -0400

All,

Has anyone else experienced a long pause (20 minutes or more) during pre-OS utilities such as sysprep when the machine has been preloaded with SecureClient? Our desktop images have SecureClient installed but do not have any policies installed or anything when sysprep is run. I've googled for this problem and have found other people experiencing the same problems, but no one has responded with any insight. Any ideas?

Thanks,
David
Re: [FW-1] Double NATing, Securemote
I'll bet they fix this in the next release. SecuRemote used to work with Office Mode and then that ability was taken away. Their KB articles say SecureClient is required for Office Mode and that piece of software requires a paid-for license.

Ray

From: Brian Granier [EMAIL PROTECTED]
Subject: Re: [FW-1] Double NATing, Securemote
Date: Tue, 13 Jul 2004 11:01:06 -0500

Use office mode. According to my Checkpoint rep, it is permissible to install SecureClient to use office mode without having a SecureClient license. You just don't get to have a policy server and push down rules. This will solve the issue that you're facing.

T. Brian Granier
GCIA, GCFW, GCIH, GCUX, CCSE, CHP, MCSE (NT4,W2kW2k3), et al.
Information Security Architect
Zebec Data Systems, Inc.

-Original Message-
From: Mailing list for discussion of Firewall-1 On Behalf Of Alaric Turner
Sent: Tuesday, July 13, 2004 10:35 AM
Subject: [FW-1] Double NATing, Securemote

All,

A (hopefully) simple question. We have a number of internal networks all using 192.168.x.x. I have a number of SecuRemote users who end up in hotels using wifi to access the net; many of these hotels also use the 192.168.1.x range for wifi and then NAT. I need to get connectivity back to our internal systems. I'm struggling to see how we can do this without re-numbering our internal network such that there is no conflict with the hotel wifi networks, which I don't really want to do. Can anyone suggest a simpler solution? I guess I could multihome the machines which need to be accessible to another subnet.

Alaric Turner, Albourne Partners
Re: [FW-1] Double NATing, Securemote
I would think that IP NAT Pools would work as long as the default route on all of your internal routers points back to the gateway. You could assign an IP Pool of 192.168.204.0 and try it, as it's extremely unlikely someone will be using that high a range in their home or hotel network. A simple tracert 192.168.204.1 from your various internal networks would tell you the routing.

Office Mode creates a virtual NIC complete with its own virtual MAC address. Its main advantage for us is that I can assign internal-only DNS and WINS servers to remote clients. I use an IP Pool for Office Mode as well.

Ray

From: Alaric Turner [EMAIL PROTECTED]
Subject: Re: [FW-1] Double NATing, Securemote
Date: Wed, 14 Jul 2004 01:45:45 +0100

Having spoken with my Checkpoint rep, an additional licence is required for SecureClient :-(

I have to admit to not quite understanding how office mode would work anyway; we are already using an IP pool on the Checkpoint firewall which works, as long as the NATed client address does not appear to be within the Firewall's encryption domain. Hopefully my diagram below clarifies this..

    Client ip address range x
              |
          ---|---
          NAT Device
          ---|---
              |
          ---|---
           internet
          ---|---
              |
          ---|---
        Firewall (NAT)
          ---|---
              |
      Internal IP range y

As long as x is not a subset of y then everything works; as soon as x is a subset of y then I think SecuRemote assumes that it is inside the encryption domain, therefore doesn't attempt to connect to the firewall, and it all falls apart. Does office mode fix this? When I tried the eval versions I don't remember it doing so, but I'm not certain that I tried with a duplicate IP range..

Alaric

-Original Message-
From: Mailing list for discussion of Firewall-1 On Behalf Of Ray
Sent: 13 July 2004 22:00
Subject: Re: [FW-1] Double NATing, Securemote

[Ray's reply, Brian Granier's reply and Alaric's original question quoted here are the messages reproduced above.]

Alaric Turner, Albourne Partners
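The x-subset-of-y failure Alaric diagrams and Ray's two suggestions (an IP pool in a range hotels are unlikely to use, and a routing check from the internal networks) can be checked programmatically. This is an added example, not code from the list or from Check Point; the encryption domain, candidate pools, route table and the list of common home/hotel ranges are all constructed.

```python
import ipaddress
from typing import Iterable, Optional, Sequence, Tuple

# Constructed list of ranges that home and hotel NAT devices commonly hand out
# (the thread's case is the hotel 192.168.1.x range). Extend to taste.
COMMON_CLIENT_RANGES = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
]


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def client_collides(client_net: str, encryption_domain: Iterable[str]) -> bool:
    """True if the client's local subnet (x) overlaps the encryption domain (y).

    This is the failure mode from the thread: when x falls inside y the client
    treats internal hosts as local and never sends the traffic into the tunnel.
    """
    cn = _net(client_net)
    return any(cn.overlaps(_net(n)) for n in encryption_domain)


def choose_pool(candidates: Sequence[str], encryption_domain: Iterable[str],
                avoid: Iterable[str] = COMMON_CLIENT_RANGES) -> Optional[str]:
    """Pick the first candidate Office Mode / IP pool range that overlaps
    neither the internal networks nor the common client ranges."""
    taken = [_net(n) for n in list(encryption_domain) + list(avoid)]
    for cand in candidates:
        cn = _net(cand)
        if not any(cn.overlaps(t) for t in taken):
            return cand
    return None


def next_hop_for(routes: Sequence[Tuple[str, str]], dest: str) -> Optional[str]:
    """Longest-prefix match over a constructed route table of (prefix, next_hop)."""
    addr = ipaddress.ip_address(dest)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, nh in routes:
        net = _net(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def pool_returns_via_gateway(routes: Sequence[Tuple[str, str]], pool: str,
                             gateway: str) -> bool:
    """Ray's routing check: an internal router must send replies for pool
    addresses back to the VPN gateway, or return traffic is black-holed."""
    first_host = _net(pool).network_address + 1
    return next_hop_for(routes, str(first_host)) == gateway


if __name__ == "__main__":
    internal = ["192.168.0.0/20", "192.168.16.0/24"]   # constructed encryption domain
    print("hotel 192.168.1.0/24 collides:", client_collides("192.168.1.0/24", internal))
    print("pool:", choose_pool(["192.168.1.0/24", "192.168.204.0/24"], internal))
    table = [("0.0.0.0/0", "192.168.0.1"), ("192.168.204.0/24", "192.168.0.254")]
    print("pool routes to gateway:",
          pool_returns_via_gateway(table, "192.168.204.0/24", "192.168.0.254"))
```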
[FW-1] Am I the only one seeing VPN Error Code 03 tunnel test failures?
For about a month, about ten percent of my R55 HFA07 SecureClient connections have suddenly started getting dropped. They will see "tunnel test failed" and be unable to log on to the policy server. Looking at the logs shows this error:

    Information: message_info: Implied rule encryption failure: decrypted methods didn't match rule (VPN Error code 03)

Looking at sequential log entries, I see that the VPN Peer Gateway as recorded in the logs suddenly seems to be changing its IP address. The initial login and key exchange is done under one IP and all of a sudden the IP seems to change, and that's when the drops occur. Yes, that fast. Once a drop occurs, they're done. They have to wait a few hours before they can call back in and get working again. A reboot of the laptop won't even clear it. In one case, the IP address was A and then switched to B after the key exchange and then back to A again, all within a matter of a few seconds.

I opened a case with Check Point but they haven't been any help at all. I can't even get a response as to what the error code means. If anyone even has any wild guesses, I'd sure appreciate hearing them.

It happened to me and nothing I could do, including deleting and recreating the site, would help. I've even seen it happen when connecting from within the WAN to the gateway to perform an initial installation and site update on a brand new SecureClient installation. One computer will work and another one won't. All of a sudden the one that won't work starts working. This tells me that it definitely is a Check Point problem.

Thanks, Ray
Re: [FW-1] SecureClient Licencing
As I recall, the number of people in the User Group that are authorized to log on to the policy server is how it enforces the license count.

Ray

From: Jochen Vogel [EMAIL PROTECTED]
Subject: [FW-1] SecureClient Licencing
Date: Thu, 15 Jul 2004 10:02:35 +0200

Hi,

How does the SecureClient licencing mechanism work?

Thanks for any info,
jo
[FW-1] SecureClient VPN Error Code 03 caused by R55 HFA05 and later
We have been having intermittent Help Desk calls from remote users complaining about tunnel test failure messages when dialing in for the last couple of weeks or so. It seemed to be affecting maybe 1 out of 20 users daily, and not every day, and would fix itself after a few hours without us doing anything. Since we didn't know if it was a firewall problem, because it affected only a few users and they were OK later in the day, but it had never happened before, I opened a case with Check Point just in case. They had no record of it from any other companies. The logs showed it only affected people who either got timed out on their dial-in connection or kicked off, and only occurred if they dialed right back in. Sometimes it would clear itself if they dialed a different access number.

Tonight Check Point was able to duplicate the problem by connecting into their systems on their LAN and using a static IP. The tech changed his LAN IP in the middle of the session, which always causes the connection to drop, as it should. However, when he tried to connect back in with the new IP address, he got a tunnel test failure. Since dial-in users always get a new IP address, this was why it didn't affect broadband users. He back-traced the problem to HotFix Accumulator 05, which has been out for a few months. The problem carried over into HFA06 and HFA07. We had the 06 and 07 hotfixes installed as they contain enhancements for the Edge boxes we're testing. We never were on HFA05.

Since we now know the problem is a firewall issue, Check Point recommended we roll the Nokia back to our previous HFA level and leave the management station on HFA07.

If you filter on SmartView Tracker, VPN-1, Information, Contains "decrypted methods" (without the double quotes), you'll see if you also have this issue.

Thanks again to all of you who helped me wrestle with this problem,
Ray
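Ray's SmartView Tracker filter and the peer-gateway address flip he describes in his earlier post (A, then B, then A within seconds) can be turned into a log check to find affected users before they call the help desk. This is an added example, not from the list or from Check Point; it assumes a constructed, simplified semicolon-separated export (time;user;peer gateway;info), since the real SmartView Tracker export columns differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Set, Tuple

# The message text Ray filters on in SmartView Tracker (from his post).
ERROR03_SIGNATURE = "decrypted methods didn't match rule"

# Constructed, simplified export lines: "time;user;peer gateway;info".
# The real export has many more columns; adapt parse_line() to it.
SAMPLE_LOG = """\
2004-07-14 08:00:00;alice;198.51.100.20;Key Install
2004-07-14 08:00:04;alice;198.51.100.21;Implied rule encryption failure: decrypted methods didn't match rule (VPN Error code 03)
2004-07-14 08:00:07;alice;198.51.100.20;Key Install
2004-07-14 08:10:00;bob;198.51.100.20;Key Install
2004-07-14 08:15:00;bob;198.51.100.20;Key Install
2004-07-14 09:00:00;carol;198.51.100.20;Key Install
2004-07-14 11:00:00;carol;198.51.100.21;Key Install
"""


@dataclass
class Entry:
    ts: datetime
    user: str
    peer: str
    info: str


def parse_line(line: str) -> Entry:
    ts, user, peer, info = line.split(";", 3)
    return Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, peer, info)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_error03(entries: Sequence[Entry]) -> List[Entry]:
    """Entries carrying the 'decrypted methods' message (VPN Error code 03)."""
    return [e for e in entries if ERROR03_SIGNATURE in e.info]


def find_peer_flips(entries: Sequence[Entry],
                    window: timedelta = timedelta(seconds=30)
                    ) -> List[Tuple[str, str, str, datetime]]:
    """Per user, report consecutive entries whose recorded peer gateway address
    differs within `window`: the A -> B -> A pattern Ray saw seconds apart.
    A change hours apart (a normal reconnect from a new address) is not reported."""
    by_user: Dict[str, List[Entry]] = {}
    for e in sorted(entries, key=lambda x: x.ts):
        by_user.setdefault(e.user, []).append(e)
    flips = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.peer != cur.peer and cur.ts - prev.ts <= window:
                flips.append((user, prev.peer, cur.peer, cur.ts))
    return flips


def affected_users(text: str) -> Set[str]:
    """Users showing either symptom, for a help desk triage list."""
    entries = parse_log(text)
    users = {e.user for e in find_error03(entries)}
    users.update(f[0] for f in find_peer_flips(entries))
    return users


if __name__ == "__main__":
    for user, a, b, when in find_peer_flips(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: peer gateway changed {a} -> {b}")
    print("affected:", sorted(affected_users(SAMPLE_LOG)))
```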
Re: [FW-1] vpn keepalive
What are you seeing this with, Chris? A later version of the Edge firmware changes its keepalive from one minute to 15 seconds. I have VPNs up with WatchGuard boxes and they just stay up. We do ping the endpoint every two minutes with GFI's Network Server Monitor system just to get availability reports. This product is a real value at $700 for unlimited servers.

Ray

From: Covington, Chris [EMAIL PROTECTED]
Subject: [FW-1] vpn keepalive
Date: Fri, 23 Jul 2004 11:32:16 -0400

Hi all,

Does anyone know if there is a way to configure some sort of keepalive for a site-to-site IPsec VPN? Some applications are sensitive to the way that a tunnel takes a few seconds to rebuild if it hasn't been used for a while, so they time out / disconnect.

Chris
Re: [FW-1] VPN Secureremote routing problem
Are the operating systems all the same on each computer? Are you trying to tracert by IP address or DNS name? Which version of SecuRemote: the original R55 release or the R55 HFA02 release? Does an nslookup on the internal host return the correct IP address?

The reason I'm asking is that XP has this dumb feature where it caches negative DNS responses for 15 minutes, whereas Windows 2000 and earlier did not. This was worked around in the R55 HFA02 release of SecuRemote/SecureClient as long as certain userc.c changes were made. Obviously if you are using tracert to an IP address, this is not the issue.

Is there any chance this user is behind a home router and the IP address he/she receives from their home router is on the same subnet as the internal host? If so, you'll have to reconfigure their home router to deliver an IP address in a different subnet.

Ray

From: SIBEL MEREY [EMAIL PROTECTED]
Subject: [FW-1] VPN Secureremote routing problem
Date: Mon, 26 Jul 2004 14:13:49 +0300

** High Priority **

Hello,

We have got an interesting problem. We are using CP FW-1/VPN NG R55. SecuRemote R55 is installed for VPN users. We have formed a group, which is composed of 8 users, and these users are connecting to the hosts that exist in 3 different subnets, separately. One of these 8 users can connect to 2 hosts but cannot connect to the other one. When running the traceroute command in the direction of this host, the connection goes no further than the ISP router and a "destination net unreachable" message returns. Connection from another machine can be done free of problems with the same user account and same ISP. Is there anybody who has an opinion about this matter?

Thanks
Sibel Merey
Telecommunications Engineer, Computer Support Services Directorate
Tel: 0 212 350 30 42
Fax: 0 212 350 40 42
Re: [FW-1] SCV questions
Hi Gary,

It is odd because you have :block_connections_on_unverified (false) which should allow computers with failed SCV checks to continue to connect.

The topology update issue is a valid one. I have mine set for an hour just so I can make local.scv changes and have them propagated no more than an hour later. Search your laptop for the local copy of local.scv and see if it matches the one you put on the management station.

Here's an appropriately sanitized local.scv file. The checks are that the Norton/Symantec rtvscan.exe anti-virus process is running (or that any program named rtvscan.exe is running) and that the screen saver is set, password-protected and not set longer than 15 minutes.

Ray

    (SCVObject
      :SCVNames (
        : (user_policy_scv
          :type (plugin)
          :parameters (
            :dont_enforce_while_connecting (true)
          )
        )
        : (BrowserMonitor
          :type (plugin)
          :parameters (
            :browser_major_version (5)
            :browser_minor_version (5)
            :browser_version_operand (=)
            :browser_version_mismatchmassage (A newer Internet Explorer version is required. Please contact the Corporate Help Desk at xxx-xxx-.)
            :intranet_download_signed_activex (disable)
            :intranet_run_activex (disable)
            :intranet_download_files (disable)
            :intranet_jave_permissions (disable)
            :trusted_download_signed_activex (disable)
            :trusted_run_activex (disable)
            :trusted_download_files (disable)
            :trusted_jave_permissions (disable)
            :internet_download_signed_activex (disable)
            :internet_run_activex (disable)
            :internet_download_files (disable)
            :intranet_jave_permissions (disable)
            :restricted_download_signed_activex (disable)
            :restricted_run_activex (disable)
            :restricted_download_files (disable)
            :restricted_jave_permissions (disable)
            :securely_configured_no_active_user (false)
            :send_log (alert)
            :internet_options_mismatch_message (Your Internet browser configuration does not match the organization policy. Proceed as follows:\n1. In the browser, go to Tools Internet Options Security.\n2. For each Web content zone select custom level security and disable the following items: DownLoad signed ActiveX, Run Activex Controls, Download Files and Java Permissions.)
          )
        )
        : (OsMonitor
          :type (plugin)
          :parameters (
            :os_version_mismatchmessage (A newer operating system version is required. Upgrade your operating system.)
            :enforce_screen_saver_minutes_to_activate (15)
            :screen_saver_mismatchmessage (This computer's screen saver configuration does not match our Remote Access policy. It has been automatically blocked from connecting to our network using Remote Access until the screen saver is reconfigured.\n\n If you need to disable the screen saver for a presentation, you can do so as long as you are not using Remote Access at the same time.\n\n In order to restore your Remote Access capability, please set your screen saver as follows:\n\n1. If you are dialed in, disconnect now.\n\n2. Click Start, Settings, Control Panel. Double click the Display icon and select the Screen Saver tab. Pick a screen saver if it is currently set to (None). The Employee News Network screen saver is required by company policy if it is available.\n\n3. Under Wait choose 15 minutes and check Password Protection.\n\n4. Click OK)
            :send_log (log)
            :major_os_version_number_9x (4)
            :minor_os_version_number_9x (10)
            :os_version_operand_9x (=)
            :service_pack_major_version_number_9x (0)
            :service_pack_minor_version_number_9x (0)
            :service_pack_version_operand_9x (=)
            :major_os_version_number_nt (4)
            :minor_os_version_number_nt (0)
            :service_pack_major_version_number_nt (5)
            :service_pack_minor_version_number_nt (0
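Ray's local.scv above is written in Check Point's ':key (value)' set format. Below is an added example, not from the list or from Check Point, that parses that format and audits the two points in his reply (block_connections_on_unverified and the 15-minute screen saver). The sample file is constructed from his post; the SCVPolicy and SCVGlobalParams sections and their placement are assumptions.

```python
from typing import Any, Dict, List

# Constructed local.scv modeled on the file Ray posted. The SCVPolicy and
# SCVGlobalParams sections are assumed; block_connections_on_unverified is the
# key Ray points at in Gary's file. A real file carries many more parameters.
SAMPLE_SCV = """
(SCVObject
  :SCVNames (
    : (OsMonitor
      :type (plugin)
      :parameters (
        :enforce_screen_saver_minutes_to_activate (15)
        :screen_saver_mismatchmessage (Pick a screen saver if it is set to (None). Wait 15 minutes and check Password Protection.)
      )
    )
  )
  :SCVPolicy (
    : (OsMonitor)
  )
  :SCVGlobalParams (
    :block_connections_on_unverified (false)
  )
)
"""

class ScvParser:
    """Reader for the ':key (value)' set format of local.scv: a value is text, or
    a block of pairs optionally led by a name; text may hold balanced parens."""
    def __init__(self, text: str) -> None:
        self.s, self.i = text, 0

    def _skip_ws(self) -> None:
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1

    def _word(self) -> str:  # run of chars up to whitespace or a paren
        start = self.i
        while self.i < len(self.s) and not self.s[self.i].isspace() and self.s[self.i] not in "()":
            self.i += 1
        return self.s[start:self.i]

    def _text(self) -> str:  # up to the matching ')', counting nested parens
        depth, start = 0, self.i
        while self.i < len(self.s):
            c = self.s[self.i]
            if c == "(":
                depth += 1
            elif c == ")":
                if depth == 0:
                    text = self.s[start:self.i].strip()
                    self.i += 1
                    return text
                depth -= 1
            self.i += 1
        raise ValueError("unterminated value")

    def value(self) -> Any:
        self._skip_ws()
        if self.s[self.i] != "(":
            raise ValueError(f"expected '(' at offset {self.i}")
        self.i += 1
        self._skip_ws()
        node: Dict[str, Any] = {}
        if self.s[self.i] not in ":)":
            start = self.i
            name = self._word()
            self._skip_ws()
            if self.s[self.i] != ":":  # no pairs follow: plain text value
                self.i = start
                return self._text()
            node["_name"] = name
        while True:
            self._skip_ws()
            if self.s[self.i] == ")":
                self.i += 1
                return node
            if self.s[self.i] != ":":
                raise ValueError(f"expected ':' at offset {self.i}")
            self.i += 1
            key = self._word()  # empty for the ': (...)' list items
            val = self.value()
            if key:
                node[key] = val
            else:
                node.setdefault("_items", []).append(val)

def parse_scv(text: str) -> Dict[str, Any]:
    return ScvParser(text).value()

def audit(tree: Dict[str, Any]) -> List[str]:
    """Findings for the two points raised in the thread."""
    findings = []
    if tree.get("SCVGlobalParams", {}).get("block_connections_on_unverified") != "true":
        findings.append("block_connections_on_unverified is not true: clients failing SCV still connect")
    checks = {n.get("_name"): n for n in tree.get("SCVNames", {}).get("_items", []) if isinstance(n, dict)}
    mins = checks.get("OsMonitor", {}).get("parameters", {}).get("enforce_screen_saver_minutes_to_activate", "")
    if not mins.isdigit() or int(mins) > 15:
        findings.append("OsMonitor does not enforce a screen saver of 15 minutes or less")
    return findings
```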
Re: [FW-1] VPN Secureremote routing problem
Yes, NT does the same thing. If there is a NIC installed in the computer, it holds the DHCP IP address somewhere in the registry through a reboot or power cycle even if the NIC is now at home and no longer in the office. I don't think it shows up in WNTIPCFG or ipconfig /all, though.

We worked around this by installing the AutoExNT service, which allows an autoexec.bat type of operation. At bootup, we had the batch file run

    ipconfig /release
    ipconfig /renew

all the time. If there was a DHCP server, it didn't hurt anything. If there wasn't, it didn't generate any error messages.

I don't remember how we worked around it on Windows 98. I think it was a similar approach using a command line option of winipcfg. If that thing has a built-in NIC or PC NIC, try removing or disabling it.

Ray

From: SIBEL MEREY [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN Secureremote routing problem
Date: Tue, 27 Jul 2004 13:19:28 +0300

** High Priority **

Unfortunately this PC has no IP address (standalone PC); I have looked at ipconfig /all and at the route print command. But there is no clue about this problem.

[EMAIL PROTECTED] 27.07.2004 11:54:50

I saw a similar case where the Win98 laptop formerly was in the same subnet with the desired target host. The Win98 box still had an IP (which it had got formerly via DHCP) on the NIC, so it tried to route all packets unencrypted to this host. Have a look at winipcfg on the appropriate adapter and if so a release should bring things back to work.

HTH
Steffen
Re: [FW-1] VPN Secureremote routing problem
Glad you got it working!

Ray

From: SIBEL MEREY [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN Secureremote routing problem
Date: Wed, 28 Jul 2004 11:00:04 +0300

** High Priority **

Ray, thank you very much. After your mail I uninstalled the TCP/IP protocol and then reinstalled it. So now it works :) Thanks again..

[EMAIL PROTECTED] 28.07.2004 04:41:40

[Ray's reply of 28.07.2004, Sibel's message of 27.07.2004 and Steffen's suggestion quoted here are the messages reproduced above.]
[FW-1] New HFA's posted + a new ASN.1 Alert
http://www.checkpoint.com/techsupport/hfa.html

HFA08 for NG R55
HFA412 for NG R54
An ASN.1 hotfix for NG FP3

Here's the Alert for the ASN.1 patch that's applicable to all versions if aggressive mode is implemented: http://www.checkpoint.com/techsupport/alerts/asn1.html

Ray
Re: [FW-1] New HFA's posted + a new ASN.1 Alert
In rereading it, it appears it may be applicable even if aggressive mode isn't enabled.

Ray

From: Ray [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] New HFA's posted + a new ASN.1 Alert
Date: Wed, 28 Jul 2004 16:59:54 -0400

http://www.checkpoint.com/techsupport/hfa.html

HFA08 for NG R55
HFA412 for NG R54
An ASN.1 hotfix for NG FP3

Here's the Alert for the ASN.1 patch that's applicable to all versions if aggressive mode is implemented: http://www.checkpoint.com/techsupport/alerts/asn1.html

Ray
Re: [FW-1] Encryption NOT Wanted
I'm confused. The purpose of a VPN is to encrypt things. If you don't want the traffic encrypted, why use a VPN? If there are specific services you don't want to pass through the VPN, add them to Excluded Services.

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Encryption NOT Wanted
Date: Thu, 29 Jul 2004 17:55:54 -0400

One of the side effects of Simplified VPNs is that it tries to encrypt EVERYTHING between two firewalls when the hosts are part of the encryption domain. Is there any way to change this undesired result? Is there any way I can specify a rule that only allows unencrypted items? Is anyone else experiencing similar problems, and how are you handling them?

Cheers,
Jamie
Re: [FW-1] Office mode
Office Mode IP Pools CANNOT be part of the subnet of your internal networks, however with the later versions of AI, they can be part of the encryption domain. Your internal routers must know to send all Office Mode IPs to the firewall. Assume you have assigned 192.168.100.0 255.255.255.0 to the Office Mode IP Pool and this is outside of your internal subnet. From your work computer, without using SecureClient, a tracert 192.168.100.5 should end up back at the firewall internal interface. If not, you'll have to adjust your internal routers appropriately.

Note that Office Mode is a SecureClient feature and does not work with SecuRemote. If you change the Office Mode IP Pool range, I believe you have to reboot the gateway as well.

Ray

From: Fabian Tuender [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Office mode
Date: Mon, 2 Aug 2004 19:34:51 +0200

Good evening,

I hope someone can clear up a problem for me. We need to use Office Mode to assign IP addresses to clients. Without Office Mode everything works fine: I can get a connection with a SecuRemote client to our firewall and ping any address behind it, and all traffic passes through without problems. When I enable Office Mode I get authorised by the firewall but afterwards no traffic is possible through the tunnel.

When I set up Office Mode to use an IP pool outside the subnet of the internal side of our firewall, the connection fails. In the log I only see that I am authenticated successfully and I get an IP address assigned, but then it ends.

When I set up Office Mode to use an IP pool inside the subnet of the internal side of our firewall, I get a connection but no traffic is possible through that tunnel. I have a new network adapter with an IP address from the pool but nothing happens. On the firewall I see no traffic, only sometimes a broadcast from that client on the subnet. In the client's log viewer I get the message: "encryption fail reason::Packet if from physical ip address but office mode is active".

I have read the Office Mode documents over and over but cannot find why it's not working. Anyone with an idea is welcome, thanks in advance.

With kind regards,
Fabian
Re: [FW-1] Securemote/securclient virtual adapter problem
Are you talking about seeing it disabled in Device Manager? If so, I don't know what's up with that because we see it all the time with the R55 version of SecureClient but it never affects the operation of SecureClient. I don't know if it's a false indication or what.

Ray

From: Alaric Turner [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Securemote/securclient virtual adapter problem
Date: Tue, 3 Aug 2004 10:23:27 +0100

All,

I have a number of roaming users using SecuRemote to connect in to the corporate LAN. Most of these work fine but I have a small number where the SecuRemote virtual adapter is disabled and it isn't possible to re-enable it. I've tried uninstalling and reinstalling, and previous versions (normally we use 56); I've seen the problem on both XP and Win2k. Most machines are ghosted, and the others that have the same image normally work fine. The only solution I've found is to re-install from absolute scratch (OS etc.) which is more than a little extreme. Anyone got any suggestions?

Alaric Turner
Re: [FW-1] Office mode
Hi Fabian,

The gateway will only see the Office Mode address and route it appropriately if a user is connected and assigned that address. For example, I'm the only user connected by Office Mode and I am assigned an Office Mode address of 192.168.100.4. A traceroute from your internal network to my 192.168.100.4 address will succeed, but a traceroute to any other 192.168.100.xxx address will go through the firewall to your ISP. That's just the way it works.

Are you trying the SecureClient connection from the internal network or the Internet? If you're trying it from the internal network, the Office Mode IP address will get dropped as a spoof. Check Point claims this is a feature and not a bug. :-)

Ray

From: Fabian Tuender [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Office mode
Date: Tue, 3 Aug 2004 18:46:07 +0200

First of all thanks for your answer. I still have a question remaining. The internal subnet will forward its Office Mode IP address range to the firewall, but strangely enough when I do a tracert the route goes through our internal router, to our firewall and then also to our Internet router, which blocks the traffic. The firewall doesn't seem to pick up the traffic. Why could it be that the firewall doesn't seem to recognize it as being its own address space?

On the client side when I connect using SecureClient I see the following messages:

Checking network connectivity...
Preparing connection...
Connecting to gateway...
User xx authenticated by FireWall-1 authentication
Gateway not responding
Connection failed

Once the authentication is established it cannot complete the tunnel setup and in the logs I don't see anything anymore.

With kind regards,
Fabian

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Monday, August 02, 2004 8:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Office mode
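The two replies above reduce to three checks a practitioner can run before touching the client: the Office Mode pool must not overlap an internal subnet, the internal router must send the whole pool to the firewall's internal interface, and the gateway only answers for a pool address while a connected SecureClient user holds it (anything else in the pool falls through to the gateway's default route toward the ISP). The script below is an added example, not code from the thread or from Check Point; the topology (10.1.0.0/16 inside, 192.168.100.0/24 as the pool, 10.1.0.254 as the internal router, 10.1.0.1 as the firewall's internal interface, 203.0.113.1 as the ISP next hop) and the routing tables are constructed assumptions, and the tracert is modelled rather than sent on the wire.

```python
import ipaddress

# Constructed example topology (assumed for this illustration, not from the posts).
INTERNAL_NETS = ["10.1.0.0/16"]
OFFICE_MODE_POOL = "192.168.100.0/24"
ROUTER_INSIDE = "10.1.0.254"   # internal router, default gateway of the workstations
FW_INTERNAL = "10.1.0.1"       # firewall internal interface
ISP_NEXT_HOP = "203.0.113.1"   # firewall's own default route, toward the ISP

# Constructed routing table of the internal router: (prefix, next hop).
# Contains the route the thread says must exist: pool -> firewall.
ROUTER_TABLE = [
    ("10.1.0.0/16", "connected"),
    (OFFICE_MODE_POOL, FW_INTERNAL),
    ("0.0.0.0/0", FW_INTERNAL),
]
# Same router with the pool route missing and a default toward another core router.
ROUTER_TABLE_NO_POOL_ROUTE = [
    ("10.1.0.0/16", "connected"),
    ("0.0.0.0/0", "10.1.0.253"),
]


def _net(x):
    return ipaddress.ip_network(str(x), strict=False)


def _addr(x):
    return ipaddress.ip_address(str(x))


def pool_is_valid(pool, internal_nets):
    """Rule from the thread: the Office Mode pool must not overlap any internal
    subnet (it may still be placed inside the encryption domain)."""
    pool = _net(pool)
    return not any(pool.overlaps(_net(n)) for n in internal_nets)


def longest_match(table, dst):
    """Longest-prefix match over a (prefix, next_hop) list; None if no route."""
    dst = _addr(dst)
    best = None
    for prefix, nh in table:
        prefix = _net(prefix)
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def firewall_next_hop(dst, assigned):
    """The gateway only owns a pool address while a SecureClient user holds it;
    any other pool address falls through to the gateway's default route."""
    dst = _addr(dst)
    if dst in {_addr(a) for a in assigned}:
        return f"tunnel to {dst}"
    if any(dst in _net(n) for n in INTERNAL_NETS):
        return "internal"
    return ISP_NEXT_HOP


def trace(dst, assigned, table=ROUTER_TABLE):
    """Hop list of a modelled tracert from an internal workstation:
    router -> firewall -> (tunnel | ISP), or misrouted before the firewall."""
    hops = [ROUTER_INSIDE]
    nh = longest_match(table, dst)
    if nh != FW_INTERNAL:
        hops.append(f"misrouted via {nh}")
        return hops
    hops.append(FW_INTERNAL)
    hops.append(firewall_next_hop(dst, assigned))
    return hops


def check_office_mode(pool, internal_nets, table):
    """Pre-flight checks to run before blaming the client."""
    probe = next(_net(pool).hosts())
    return {
        "pool_outside_internal": pool_is_valid(pool, internal_nets),
        "router_sends_pool_to_fw": longest_match(table, probe) == FW_INTERNAL,
    }


if __name__ == "__main__":
    assigned = {"192.168.100.4"}   # the only user currently connected
    print(check_office_mode(OFFICE_MODE_POOL, INTERNAL_NETS, ROUTER_TABLE))
    print(trace("192.168.100.4", assigned))                              # ends in the tunnel
    print(trace("192.168.100.5", assigned))                              # ends at the ISP next hop
    print(trace("192.168.100.5", assigned, ROUTER_TABLE_NO_POOL_ROUTE))  # never reaches the firewall
    print(pool_is_valid("10.1.50.0/24", INTERNAL_NETS))                  # False: overlaps 10.1.0.0/16
```

The "misrouted" case is the one Fabian describes: if the internal router's best route for the pool is not the firewall's internal interface, the packets never get there, and no amount of client-side reinstalling will help. The ISP case is Ray's second point and is expected behaviour for any pool address nobody currently holds.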
Re: [FW-1] Edge 4.5 firmware released - v4.5.37
I didn't try the one from the CP site but I did try the one they released on the Early Availability site two days ago (same version). I inadvertently grabbed the "s" version instead of the "x" version/S200 version and got the same error. Looks like all they have on the CP site is the "x" version. When I tried it, I did it from the WAN side via the web GUI and it went fine after I got the correct version.

You did extract it from the archive first, didn't you? Unlike CP hotfixes, you have to extract these from the download package.

Ray

From: Russell Aspinwall [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Edge 4.5 firmware released - v4.5.37
Date: Wed, 4 Aug 2004 08:56:39 +0100

Hi,

I have downloaded the latest firmware release for an Edge X, however when I attempt to install it, the download completes but I get a message to check the version is correct. So I tried the previous version and got the same error. Do you have to log in via the private network in order to perform a firmware upgrade?

Ray wrote:
http://www.sofaware.com/supportDownloads.aspx?boneId=266 for the new features. Check Point has it in their software subscription downloads. Ray

--
Regards
Russell
Email: russell dot aspinwall at flomerics dot co dot uk
Network and Systems Administrator, Flomerics Ltd
81 Bridge Road, Hampton Court, Surrey, KT8 9HH, United Kingdom
Telephone: 020-8941-8810 x3116
Facsimile: 020-8941-8730
Re: [FW-1] BSOD whilst installing Securemote R56 on Win2k
Which version of SR are you using? You should be using R55 HFA03 or R56 HFA01, not the FP3 version. They're backward compatible with the FP3 gateway.

Ray

From: Alan Choyna [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] BSOD whilst installing Securemote R56 on Win2k
Date: Tue, 3 Aug 2004 13:32:39 -0500

Hey people,

Upgrading our firewall to NG FP3 (no AI) from 4.1 SP6, and of course we have to install new SecuRemote clients as a result. I installed it on one Win2k PC with no problem, however 2 subsequent Win2k installs went ugly upon reboot after installing

Alan C. Choyna
Senior Consultant
Pathfinder Associates, LLC
http://www.pathfinderassoc.com/
Internet Strategy Business Consultants
Business telephone (312) 372-1058. Mobile (773) 255-6662
Re: [FW-1] Asn.1 vulnerabilty without aggresive mode
My reading says yes. Aggressive mode allows a single packet attack, meaning a single packet with a spoofed source IP could be used to compromise your gateway and you wouldn't have any way of tracking it to the source IP. If aggressive mode is disabled, the attack means the source IP could not be spoofed, so you would still lose your job but you would know the source IP, which probably is some consumer broadband connection infected by a bot or from a non-friendly country.

Ray

From: Carric Dooley [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Asn.1 vulnerabilty without aggresive mode
Date: Wed, 4 Aug 2004 11:46:40 -0400

This is apparently a subject for debate.

On Thu, 29 Jul 2004, Jochen Vogel wrote:

Hi,
Is there any vulnerability if I don't use aggressive mode?

--
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
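Ray's distinction rests on the IKEv1 message layout (RFC 2408/2409): in Aggressive Mode the initiator's very first datagram already carries the ID payload (and may carry CERT), and at that point the responder cookie is still zero, so the responder parses peer-supplied identity material, including DER-encoded ASN.1 names and certificates, before any round trip has shown that the source address can receive replies. In Main Mode the first datagram carries only the SA payload; identity and certificates arrive in messages 5 and 6, after both cookies have been exchanged, so the sender must be reachable at its claimed source address. The parser below is an added example, not code from the thread or from Check Point: it builds constructed ISAKMP datagrams with dummy payload bodies, walks the payload chain with the length checks a responder must make before handing any payload to a decoder, and classifies whether a datagram makes the responder parse identity data before the peer has proven reachability. It says nothing about whether any particular gateway build is vulnerable; that is what the vendor alert is for.

```python
import struct

# ISAKMP constants from RFC 2408 (header/payloads) and RFC 2409 (IKEv1 exchanges).
HDR_LEN = 28
EXCH_MAIN = 2            # Identity Protection exchange
EXCH_AGGRESSIVE = 4
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
IDENTITY_PAYLOADS = {5, 6, 7, 9}   # ID, CERT, CR, SIG: peer-supplied identity/ASN.1 data
ZERO_COOKIE = b"\x00" * 8


def build_isakmp(exchange_type, payloads, icookie=b"\x11" * 8, rcookie=ZERO_COOKIE):
    """Assemble a header plus a chain of generic payloads given as (type, body)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = icookie + rcookie + struct.pack("!BBBBII", first, 0x10, exchange_type, 0, 0,
                                          HDR_LEN + len(body))
    return hdr + body


def parse_isakmp(data):
    """Walk the payload chain with the bounds checks a responder must make
    before it passes any payload (e.g. a DER certificate) to a decoder."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    rcookie = data[8:16]
    nxt, _ver, exch, _flags, _msgid, length = struct.unpack("!BBBBII", data[16:HDR_LEN])
    if length != len(data):
        raise ValueError("header length does not match datagram")
    types, off = [], HDR_LEN
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt2, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        types.append(nxt)
        off, nxt = off + plen, nxt2
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return {"exchange": exch, "rcookie_set": rcookie != ZERO_COOKIE,
            "payload_types": types, "payloads": [PAYLOAD_NAMES.get(t, str(t)) for t in types]}


def assess_first_packet(data):
    """Does this datagram make the responder parse peer identity material before
    the peer has proven it can receive replies at its source address?"""
    p = parse_isakmp(data)
    p["carries_identity"] = any(t in IDENTITY_PAYLOADS for t in p["payload_types"])
    # The responder cookie is zero only in the first message of an exchange, i.e.
    # before any round trip could have validated the source IP.
    p["single_packet_spoofable"] = (p["exchange"] == EXCH_AGGRESSIVE
                                    and not p["rcookie_set"] and p["carries_identity"])
    return p


def is_wellformed(data):
    try:
        parse_isakmp(data)
        return True
    except ValueError:
        return False


# Constructed sample datagrams (dummy bodies; real SA/KE/ID payloads are longer).
# ID body: ID type 9 (ID_DER_ASN1_DN), protocol/port, then a DER SEQUENCE.
# CERT body: encoding 4 (X.509 signature), then DER.
DER_EMPTY_SEQ = b"\x30\x00"
MAIN_MSG1 = build_isakmp(EXCH_MAIN, [(1, b"\x00" * 8)])                       # SA only
AGGR_MSG1 = build_isakmp(EXCH_AGGRESSIVE, [(1, b"\x00" * 8), (4, b"\x01" * 16),
                                           (10, b"\x02" * 8), (5, b"\x09\x00\x00\x00" + DER_EMPTY_SEQ)])
MAIN_MSG5 = build_isakmp(EXCH_MAIN, [(5, b"\x09\x00\x00\x00" + DER_EMPTY_SEQ), (6, b"\x04" + DER_EMPTY_SEQ)],
                         rcookie=b"\x22" * 8)                                 # ID + CERT after cookies exchanged
TRUNCATED = AGGR_MSG1[:-3]                                                    # datagram shorter than header claims
BAD_PLEN = MAIN_MSG1[:30] + struct.pack("!H", 2) + MAIN_MSG1[32:]            # payload length below the 4-byte minimum

if __name__ == "__main__":
    for name, pkt in [("main mode msg1", MAIN_MSG1), ("aggressive mode msg1", AGGR_MSG1),
                      ("main mode msg5", MAIN_MSG5)]:
        print(name, assess_first_packet(pkt))
    print("truncated ok?", is_wellformed(TRUNCATED), "bad plen ok?", is_wellformed(BAD_PLEN))
```

The classifier marks only the aggressive-mode first message as "single_packet_spoofable": it is the one datagram in which identity payloads and a zero responder cookie coincide. Main Mode message 5 also carries ID and CERT, but by then the responder cookie is set, which is the protocol-level reason Ray gives for the attacker's source address being traceable when aggressive mode is off. The two malformed samples show the bounds checks that must run before any ASN.1 decoding starts.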
Re: [FW-1] HFA 412 and VPN...
Not yet. We have them to WatchGuard 7 Firebox IIIs and to a SofaWare box, which I believe is based on the 4.1 architecture. Using R55, though.

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] HFA 412 and VPN...
Date: Thu, 5 Aug 2004 16:22:18 +0300

We applied the patch (HFA 412) to our NG-R54 firewall and we lost our DES VPNs to FW-1 4.1 firewalls. Up to now we have had no chance to bring them up again... We had to switch the peer on our other VPN gateway (which is a PIX firewall) in order to establish VPNs to FW-1 4.1 firewalls at remote locations. Has anybody had any problem after applying this particular patch with existing VPNs...?

thanks

Cihan SUBASI
Garanti Technology
Internet ve Yazilim Hizmetleri
Tel: (90)(212)4783426
GSM: (90)(533)(2750353)
Fax: (90)(212)6576150
http://www.garantitechnology.com
Re: [FW-1] VPN Edge 1 Device no Site -2 Site VPN after Update to new Firmware... 4.5...
This issue was reported on the SofaWare discussion groups a long time ago: http://sofaware.infopop.cc/eve/ubb.x?a=tpcs=5006072361f=6406072361m=2521092001

They seem to be ignoring it although they did up the limit from 5 to 20 per the messages there.

Ray

From: Petry Roman, ITS-IT [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] VPN Edge 1 Device no Site -2 Site VPN after Update to new Firmware... 4.5...
Date: Thu, 5 Aug 2004 16:26:34 +0200

Hello,

I just upgraded an Edge X box from 4.0.87 to 4.5.37x and the VPN is no more. We get the following errors; the box says:

Error: Failed to parse VPN topology
Error: too many Gateway interfaces found in topology of gateway. Max allowed = 20

We have 8 interfaces per FW module in one HA environment. Any help??

bye
Roman
Re: [FW-1] BSOD whilst installing Securemote R56 on Win2k
In Windows 2000 just uninstall SR, reboot and then uninstall the TCP/IP protocol and reinstall it after another reboot. XP doesn't let you uninstall the TCP/IP protocol, hence the reset is needed.

Ray

From: Alan Choyna [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] BSOD whilst installing Securemote R56 on Win2k
Date: Thu, 5 Aug 2004 10:45:09 -0500

Hey people,

We have just upgraded our firewall to NG FP3 (no AI) from 4.1 SP6, and are in the process of installing the NG R56 SecuRemote clients on our laptops and home office PCs. I installed the R56 SecuRemote on one Win2k PC with no problem, however 2 subsequent Win2k installs went ugly upon reboot after installing VPN SecuRemote: the dreaded Blue Screen of Death.

I have identified the cause of this issue. Both of the PCs that crashed run ZoneAlarm. People who uninstall it before installing the VPN have no issues. Even after uninstalling ZoneAlarm, I get the BSOD when I install SecuRemote, as I think the TCP/IP protocol has been messed up. I have to go into safe mode and uninstall SecuRemote to be able to boot.

I see that Ray Pesak mentioned running "netsh int ip reset c:\tcpipresetlog.txt" on XP to reset it, however the reset parameter is not available in Win2k. What can I do to reset it?

Thanks in advance,
Alan.

PS Sorry for my 1st email on this matter, somehow I sent it before I had finished with it.

Alan C. Choyna
Senior Consultant
Pathfinder Associates, LLC
http://www.pathfinderassoc.com/
Internet Strategy Business Consultants
Business telephone (312) 372-1058. Mobile (773) 255-6662
Re: [FW-1] BSOD whilst installing Securemote R56 on Win2k
Great! Thanks for the feedback.

Ray

From: Alan Choyna [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] BSOD whilst installing Securemote R56 on Win2k
Date: Thu, 5 Aug 2004 21:27:08 -0500

Thanks Ray, it's all cool now. As an FYI for those who may be interested, the VPN works fine, even when installed on VMware virtual machines.

Alan.

At 01:39 PM 8/5/2004, you wrote:
In Windows 2000 just uninstall SR, reboot and then uninstall the TCP/IP protocol and reinstall it after another reboot. XP doesn't let you uninstall the TCP/IP protocol, hence the reset is needed.

Ray
Re: [FW-1] RES: [FW-1] SYMANTEC VPN CLIENT
Ummm... This isn't a Raptor limitation.

Solution: If you're using Symantec Enterprise Firewall (aka Raptor) up to 7.0.4 you'll have to use the static NAT. If you have Symantec Enterprise Firewall 8.0 you can use UDP encapsulation and resolve this. I haven't tried this but I have discussed this solution before with other people who have.

Sounds like a Raptor limitation to me! :-)

Thanks for the information,
Ray
Re: [FW-1] Which one need to upgrade first?
The Management Server MUST always be upgraded first. The steps are Management Server, push the policy, enforcement module, push the policy again.

Ray

From: Alexander Simbun [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Which one need to upgrade first?
Date: Fri, 6 Aug 2004 18:25:31 +0800

Dear all,

When performing an upgrade on Check Point FW-1/VPN-1 Pro, which part should I upgrade first, or which is recommended to upgrade first: Management Server or Enforcement Module/Server?

Thanks for your help.

Regards,
Alex Simbun
Re: [FW-1] Approach to hot fixes?
Precisely. That's why I skipped HFA05 and 06, because nothing applied to us. HFA07 fixed a boatload of problems regarding Edge devices which we had just begun testing, so I applied it. And I hit that "VPN Error Code 03 tunnel test failed" SecureClient problem that actually was introduced in HFA05 and carried over through 06, 07 and 08. Fortunately I could roll the gateway back from HFA07 and make SecureClient work reliably again. Unfortunately I had to apply HFA08 because of the ASN.1 security problem and I got my tunnel test failed problem back again. Fortunately Check Point was responsive in getting me a fix I could apply on top of HFA08. So now I'm all up to date and then some. :-)

HFA05, 06 and 07 weren't publicly released as HFA04 and 08 were. If you're not using VPN at all, then you're probably safe at HFA04. But if an auditor (or post-incident team) reads the release notes for HFA08 and sees the recommendation about staying up to date, can you defend your decision effectively and reasonably? You probably don't have any proof or inkling of proof that applying the patch incurs more risk than staying unpatched. If you do, great! Kind of a pity we have to practice CYA so much.

Ray

From: Shane Presley [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Approach to hot fixes?
Date: Tue, 10 Aug 2004 20:15:07 -0400

Agreed, I tend to take the "ain't broken, don't fix it" approach to a lot of things, but security patches aren't that simple. And the release notes often make general statements like "improved stability". Well who doesn't want that? :-) Specifically HFA-06 talks a lot about ClusterXL stability/performance improvements, and Solaris stability fixes. I am running ClusterXL on Solaris, with no specific problems at the moment, but those general statements make me think I should apply the HF.

Thanks all...
Shane

On Tue, 10 Aug 2004 14:02:52 -0400, Ray [EMAIL PROTECTED] wrote:

This is my approach as well but I don't let things get too far behind. We all know how things get slipstreamed in without making it to the release notes. As far as "if it ain't broke, don't fix it", this is the reason I have done assessments on companies where their routers are on the original IOS, workstations and servers are on Windows Service Pack nothing, SQL Server likewise, etc. The one admin said point blank that she never patches anything that's working. Kind of the reason why they got taken down by Slammer and why they had to set up weekly reboots on all servers to keep them stable.

Ray

Well maybe it's just me, but I follow the "if it ain't broke don't fix it" approach. But always watch the release notes on fixes in case something serious may come up that may affect your stability or security. Just my $.02

Hal

-Original Message-
From: Shane Presley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 10, 2004 8:20 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Approach to hot fixes?

Just curious... Do you regularly keep your firewalls up to date with the Check Point hot fixes? Or do you wait for the need? For example I'm currently on HFA-04, but HFA-08 is out. I've read the release notes on HFA-08 and don't see anything that would immediately impact me, so I don't think there's a pressing need to put HFA-08 on it. But is it a best practice to always apply the latest HFA?

Shane
Re: [FW-1] Request for comments on appliance platform selection
The Safe@ and Edge boxes don't have a rackmount available yet, but they're pretty small. We use a couple of Safe@ boxes in site-to-site VPNs with the main firewall and they just stay up. You can get mirrored drives in a Nokia IP530 or you could use SPLAT. I personally wouldn't feel comfortable running my whole company on anything less than a real firewall box. We've got almost twenty times more local and remote users than you and we just went to a pair of T-1's on an IP530. We did add a caching proxy server a couple of years ago for web access (Microsoft ISA 2000) and that dropped our Internet line usage from 90%+ to about 60%. The cost of the ISA hardware and software paid for itself in less than a year because we didn't have to add a second T-1.

Ray

From: Hal Dorsman [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Request for comments on appliance platform selection
Date: Wed, 11 Aug 2004 08:47:09 -0600

Greetings firewallers,

I have been running FW-1 on Solaris for years, but recently have been having concerns about support from the rest of the local IT team without experience in Solaris. I am thinking an appliance with VPN-1 would be a more user friendly solution and easier for general support in the group. Checkpoint has a nice platform selection guide which provides a good overview and good product information, but I was interested in comments from the group on satisfaction and good/bad experiences with the various products. If anyone can provide any links to any recent comparative product evaluation articles that would be appreciated.

We have about 100 users locally on a T-1 and may upgrade to dual T-1's eventually. Have only 5-10 remote VPN users, and about 50 remote users accessing a secure intranet site, and maybe hosting our own low use website later, so traffic is not high, but a DMZ interface required.

I am thinking one of the SafeOffice, Nokia, or VPN Edge appliances would be most practical. I would like something rackable so I am also interested in one of the basic OS installs that I could put on a 1U rack server.

Any comments greatly appreciated.

thanks,
Hal
Re: [FW-1] Rules for backup firewall
How would the second box be licensed? A better arrangement would be to split the management part to its own server and then you could simply push it to either gateway. Or set up the second gateway in a high-availability fail-over configuration.

Ray

From: Moon, Curtis [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Rules for backup firewall
Date: Wed, 11 Aug 2004 15:05:28 -0500

We are running Windows 2003 server and FW1 R55 with HFA 04. This is our main firewall. If we set up another Windows 2003 server and put FW1 R55 with HFA 04 on it and keep it off line, could we then export the rules from the running firewall and import them into the backup firewall periodically? The backup would only be used if the main firewall went down.

Curtis Moon
Re: [FW-1] Beware R55 HFA08!
Hi Joe,

The correct answer is for you to call Check Point and tell them you want hotfix SHF_FW1_R55_0123 for your gateway platform and you want it TODAY. It will install on top of HFA08. It does require a reboot of the gateway but it fixes the problem. Tell them you cannot believe they just told you to roll back to a version and make yourself susceptible to the ASN.1 security problem.

If the end user's real IP changes over a short period of time, the problem occurs, such as dialing in, disconnecting and then dialing back in.

Ray

From: Joe Pope [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Beware R55 HFA08!
Date: Thu, 12 Aug 2004 11:47:30 -0400

Warning if you use VPN with R55, especially SecuRemote/SecureClient!

After upgrading from HFA04 to HFA08 we started having decryption errors (VPN error code 03) with our SecureClient users. Somehow the logged IP address of the VPN Peer Gateway is getting changed (by the firewall) and then decryption fails. It does not affect all SecureClient users at the same time, and after a few hours the problem goes away! I checked my SecureClient while monitoring my firewall logs, and my SecureClient IP address was not being reported in the firewall logs correctly.

I submitted a trouble ticket with Check Point and they know about this problem, and they suggested I roll back to HFA04. They said HFA09 is supposed to fix this problem, but no word on when to expect this fix.
Re: [FW-1] Beware R55 HFA08!
When we hit this problem with HFA07 six weeks ago, I waited ten days for the CP tech to do anything other than ask for a cpinfo. I then got an email from the tech that he was going on vacation. Meanwhile the calls from employees were piling up and we still weren't sure if it was a firewall problem or not. I called and talked to a supervisor who put someone good on the case. This person took only a few hours to validate and duplicate what we were seeing (as opposed to 10 days) and to figure out it was a problem from HFA05 and later. We were advised the same day I talked to the supervisor to roll back the gateway to the previous HFA, which was done. We had gone to HFA07 solely because we were testing Edge boxes, so this wasn't a big deal.

Then the ASN.1 problem came out and this problem wasn't fixed yet. We were forced to apply HFA08 and re-introduce the problem into our system. We suffered with it for another ten days before the interim hotfix was released. We never were told to roll back from HFA08.

It astounds me that Check Point doesn't think disrupting remote access is a big concern and that customers should discover the problem on their own after hours of trying to sort through logs after irate employees have been calling the Help Desk. How hard would it have been to put a link to this interim hotfix on the ASN.1 Alert page, or just a note saying if you have experienced this problem, open a support case?

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Beware R55 HFA08!
Date: Fri, 13 Aug 2004 08:18:18 -0500

True, but the point of "if it isn't broke don't fix it" really shouldn't apply to security. Anything that could be a vulnerability, such as legacy code on a firewall, should be assessed, audited, and acted on appropriately.

The thing that baffles me the most is that Check Point told one customer to roll back to a previous version, yet provided another customer with a fix above HFA08. The emails did provide all the information, such as the OS, but I would think that with the architecture of FW-1 that it wouldn't matter. This gives me worries about communication within CP support.

-Matt

Hal Dorsman [EMAIL PROTECTED]
Sent by: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
08/12/2004 03:58 PM
Please respond to Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: Re: [FW-1] Beware R55 HFA08!

An interesting footnote to the 'approach to hotfixes' discussion.

Hal

-Original Message-
From: Joe Pope [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 12, 2004 9:48 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Beware R55 HFA08!

Warning if you use VPN with R55, especially SecuRemote/SecureClient!

After upgrading from HFA04 to HFA08 we started having decryption errors (VPN error code 03) with our SecureClient users. Somehow the logged IP address of the VPN Peer Gateway is getting changed (by the firewall) and then decryption fails. It does not affect all SecureClient users at the same time, and after a few hours the problem goes away! I checked my SecureClient while monitoring my firewall logs, and my SecureClient IP address was not being reported in the firewall logs correctly.

I submitted a trouble ticket with Check Point and they know about this problem, and they suggested I roll back to HFA04. They said HFA09 is supposed to fix this problem, but no word on when to expect this fix.
Re: [FW-1] Whitelisting URIs
We're not and you hit the reason on the head: Akamai. Our ISP has one of their edge-of-the-Internet caching boxes and although the URL they're going to is to the big site, FW-1 shows the IP they're actually going to is on our ISP's network, the Akamai cache device.

We stuck in a Microsoft ISA 2000 box behind FW-1 and are running it as a caching proxy. It dropped our T-1 usage from 90%+ during the day to barely 60%. It's tied to our domain system and it either allows people out based on their NT ID or it restricts them to a certain subset. All setup is done with URLs so we don't have to worry about changing or distributed IPs. The bandwidth reduction allowed us to defer a second T-1 for over two years, so the whole deployment paid for itself inside of a year.

Ray

From: Crist Clark [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Whitelisting URIs
Date: Tue, 17 Aug 2004 15:20:03 -0700

We have been handed down a new policy that a certain set of computers will only be allowed HTTP access to a specific set of blessed web sites. We have been supplied with a set of URLs. I am trying to figure out the best way to do this within FW-1. I have been looking through the HTTP Security Server documentation and have done some playing with URI resources, but it's not looking too good.

How have other people out there done something like this short of going to a more full featured external HTTP proxy or third-party OPSEC tools? Some of the websites listed are big Akamai'ed or otherwise distributed where trying to list IPs will be an unmanageable pain. I've never had much success with Domain Objects either. Anyone doing this completely within FW-1?

--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
Re: [FW-1] NAT Traversal and IPSec Pass Through
Yes, Visitor Mode encapsulates all of the IPSec traffic in a TCP port 443 SSL connection to fake out firewalls that only allow 80 and 443. It doesn't have anything to do with UDP encapsulation. Your response sounds like Nortel does have UDP encapsulation, so all you have to do is allow that UDP port outbound in FW-1. Is my understanding correct?

Ray

From: Bergin, Rob [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NAT Traversal and IPSec Pass Through
Date: Wed, 18 Aug 2004 11:06:42 -0400

Hi All,

Nortel says one possible fix is to turn on NAT-Traversal for the IPSEC group. This uses a UDP port that you can set to allow VPN clients behind a Checkpoint Firewall to work. Is Visitor Mode a part of the VPN from Checkpoint?

Thanks,
Rob

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Ray
Sent: Wednesday, August 18, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NAT Traversal and IPSec Pass Through

Doesn't some version of Nortel have UDP encapsulation? With all of the broadband access available from hotels and other facilities, you're going to hit this problem a lot. We routinely have to use Visitor Mode from major hotel chains because the only traffic they allow out is 80 and 443.

Ray

From: Mike Feetham [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NAT Traversal and IPSec Pass Through
Date: Wed, 18 Aug 2004 09:01:05 -0400

It is not possible to turn on IPSec passthrough on Checkpoint firewalls for hide NATs. If they did, the passthrough would only work for the first IP that used the passthrough (so CP tells me, anyway). This is why Checkpoint suggests using UDP encapsulation, which other posters have stated is not possible.

The other possibility is to set up static NATs for users that require VPN access, but this can be an administrative nightmare, depending on the number of users.

Mike F.

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Bergin, Rob
Sent: Tuesday, August 17, 2004 4:27 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] NAT Traversal and IPSec Pass Through

Hi All,

Anyone working with a Nortel Contivity VPN and Checkpoint NG AI? We put an additional adapter in our Checkpoint and have terminated a small wireless LAN into it. It's been great, users jump on the wireless, get assigned a DHCP IP from a DHCP appliance and then can surf the web. Now the issue is when they try and launch our VPN client, they could not logon. We asked Nortel and they said NAT Traversal (NAT-T): because the Checkpoint was NATting the IP address (WIFI LAN is 172.20.0.0) and the interface facing the Contivity is 204.238.109.60, in order for the VPN to work we have to enable NAT-T.

My question is: at my house, I use a NAT box (Linksys router) and I don't require NAT-T, but I think that's because my Linksys supports IPSec Passthrough. What I am wondering is if I can enable IPSec Passthrough on the Checkpoint and/or whether there are any negative implications.

Thanks,
Rob
Re: [FW-1] Remote extranet access over SecuRemote/SecureClient
Gees, did you ever have one of those days? :-)

The only need we have for traditional policies is that we need multiple remote access user groups, one that SCV applies to and one that SCV doesn't apply to. If Check Point ever offers multiple remote access communities and the ability to select whether SCV applies to a particular community, the traditional policies can go.

Ray

From: David A Muscat [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Remote extranet access over SecuRemote/SecureClient
Date: Fri, 20 Aug 2004 10:46:40 +1000

Thanks Ray.

It seems that vpn routing is only possible when using simplified mode so that you can work with VPN communities. This is rather unfortunate as our policies are currently in traditional mode :( Will have to look at re-writing the policies to make this work.

Appreciate the tips!

David

Ray [EMAIL PROTECTED]
Sent by: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
cc:
Subject: Re: [FW-1] Remote extranet access over SecuRemote/SecureClient
19/08/2004 10:52 PM
Please respond to Mailing list for discussion of Firewall-1

Hi David,

Search the KB for vpn routing. I think it's available before AI and it may help you out. You also might want to download the Check Point documentation for VPN-1 and search or print out the PDF. I've found this whole series of documents from Check Point to be as good as any third-party book.

Ray

From: David A Muscat [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Remote extranet access over SecuRemote/SecureClient
Date: Thu, 19 Aug 2004 10:35:34 +1000

The solution id for that document I posted the link for is sk19524.

David A Muscat

Hal Dorsman [EMAIL PROTECTED]
Sent by: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
cc:
Subject: Re: [FW-1] Remote extranet access over SecuRemote/SecureClient
19/08/2004 03:09 AM
Please respond to Mailing list for discussion of Firewall-1

I was a little confused by your question so didn't answer at first, hoping someone else understood better. Since no one did, here goes my guess.

This is a routing issue handled by the firewall. The firewall knows about the routing requirements for your extranet tunnel based on topology. You connect to your gateway as defined by your SC client setup, then your gateway knows to route (and re-encrypt) packets destined for your extranet based on topology. So yes, it is possible, and pretty much default setup once you have your topology defined.

Hal

-Original Message-
From: David A Muscat [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 16, 2004 7:10 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Remote extranet access over SecuRemote/SecureClient

Hi all,

I'm running a CheckPoint NG FP2 gateway with vpn on a Solaris server. This firewall serves as the gateway for SecureClient users and it's also a VPN termination point for an extranet tunnel. There's a requirement to allow SecureClient users to access this tunnel. I.e., a SecureClient user sends packets to destinations which are at the remote extranet site. I've managed to configure the userc.C file to correctly encrypt the packets and send them to the gateway. The gateway then decrypts these packets but then I need them re-encrypted to send back out across the extranet tunnel to their final destination. Is this kind of setup/connectivity actually possible without having to route the packets anywhere else beyond the firewall?

Any ideas or suggestions would be greatly appreciated.

Thanks!

David A Muscat
IBM Global Services
Email: [EMAIL PROTECTED]
Re: [FW-1] Syncronization problems
Does it mean you installed HFA08 for R55? If so, go download the latest version of the release notes as I believe they address this.

Ray

From: Salomé Reíllo [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Syncronization problems
Date: Fri, 20 Aug 2004 10:53:25 +0200

Does anyone know what this error means?

joining multicasts failed (3) on ce1 - will use link layer broadcasts for multicast

and ifconfig -a of ce1 shows:

ce1: flags=1001843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,IPv4> mtu 1500 index 3
        inet 172.27.51.6 netmask fffffff8 broadcast 172.27.51.7

Why does the parameter MULTI_BCAST appear?

Thanks in advance.
Re: [FW-1] Upgrade from NG FP3 to NG with AI easy?
We took an FP3 HF2 gateway straight from IPSO 3.6 FCS 3 to IPSO 3.7.1 build 10 with absolutely no issues. The IPSO release notes say you have to be on FP3 HF2 or later to use IPSO 3.7x. It was an IP120, though, not an IP440, if that makes a difference.

Ray

From: Grabowski, David [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Upgrade from NG FP3 to NG with AI easy?
Date: Fri, 20 Aug 2004 14:35:12 -0400

The FW-1 documentation seems to indicate that you can do an in-place upgrade of NG FP3 to R55. So I figured that I could do this on our IP440s. Not quite. R55 required a new version of IPSO, but FP3 won't run on it (well, maybe it does, but I decided not to try it). Here's the procedure that I followed, which I made up as I went along. YMMV, but it worked for me.

- Copy all binaries to the IP440.
- Look at your environment variables and note the values for CPDIR, FWDIR, and LD_LIBRARY_PATH.
- Upgrade IPSO. Reboot. This will *disable* NG FP3.
- In Voyager, re-enable NG FP3. DO NOT REBOOT.
- At the IPSO command line, set CPDIR, FWDIR, and LD_LIBRARY_PATH to the values you noted above.
- Upgrade to R55.

On one of our four modules, this procedure did not work because we were missing a symbolic link for /opt/CPShared. Recreating the symlink made it work fine. Watch the output of the upgrade scripts carefully, and take all warnings seriously.

-Original Message-
From: Alan Choyna [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 9:34 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Upgrade from NG FP3 to NG with AI easy?

We've upgraded one of our Nokia IP440s to NG FP3 from 4.1 SP6, and all is well now after the usual post-upgrade tweaking. Now it's time to ponder the upgrade of our backup IP440, and wonder if we can go to NG with AI. I'm wondering about 3 things:

1) Ease of upgrade
2) Stability
3) Performance hit

Is it an easy upgrade from NG FP3? (I will have upgraded to NG FP3 before proceeding.) Which is the most stable release to install? (I have heard of issues with certain releases and patches.) Is there a big performance hit compared to NG FP3? Our IP440 seems to run fine with NG FP3, but from what I understand AI can add a lot of overhead to a system. Can any of you comment on that, especially any IP440 users? My client has many popular news web sites and gets over 40 million page views a month, so performance degradation would be a big issue.

Thanks in advance,
Alan.

Alan C. Choyna
Senior Consultant
Pathfinder Associates, LLC
http://www.pathfinderassoc.com/
Internet Strategy Business Consultants
Business telephone (312) 372-1058. Mobile (773) 255-6662

= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail = To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html = If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =
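The procedure in David's post has two fragile points: the CPDIR/FWDIR/LD_LIBRARY_PATH values have to survive the IPSO reboot that disables the FW-1 package, and the /opt/CPShared symlink has to exist before the R55 upgrade script runs. The script below is an added example, not code from the list post or from Check Point or Nokia; it wraps those two steps in shell functions that can be run on the box before and after the IPSO upgrade. The variable names and the /opt/CPShared path come from the post; the save-file location /var/tmp/cp_env.sh and the CPshared-50 link target used in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the list post): helpers for the manual IP440
# upgrade steps. Assumptions: the saved environment goes to
# /var/tmp/cp_env.sh, and /opt/CPShared is expected to be a symlink to
# the installed CPshared directory.

# Step "note the values": write the three variables to a file that can be
# sourced again after the IPSO upgrade has disabled the FW-1 package.
save_cp_env() {
    file="$1"
    : "${CPDIR:?CPDIR is not set; run this before upgrading IPSO, with FW-1 enabled}"
    : "${FWDIR:?FWDIR is not set}"
    {
        printf "CPDIR='%s'; export CPDIR\n" "$CPDIR"
        printf "FWDIR='%s'; export FWDIR\n" "$FWDIR"
        printf "LD_LIBRARY_PATH='%s'; export LD_LIBRARY_PATH\n" "${LD_LIBRARY_PATH:-}"
    } > "$file"
}

# Step "set CPDIR, FWDIR and LD_LIBRARY_PATH to the values you noted":
# source the saved file into the calling shell.
restore_cp_env() {
    file="$1"
    [ -r "$file" ] || { echo "no saved environment at $file" >&2; return 1; }
    . "$file"
}

# The gotcha from the post: one module was missing the /opt/CPShared
# symlink. Returns 0 if the link exists and points at something real,
# 1 if it is missing, 2 if it is dangling.
check_cpshared_link() {
    link="${1:-/opt/CPShared}"
    if [ ! -L "$link" ]; then
        echo "$link: symlink missing (recreate it before running the R55 upgrade)" >&2
        return 1
    fi
    if [ ! -e "$link" ]; then
        echo "$link: dangling symlink -> $(readlink "$link" 2>/dev/null)" >&2
        return 2
    fi
    return 0
}

# Dispatch by step name; with no argument nothing is executed.
case "${1:-}" in
    save)    save_cp_env "${2:-/var/tmp/cp_env.sh}" ;;
    restore) restore_cp_env "${2:-/var/tmp/cp_env.sh}" ;;
    check)   check_cpshared_link "${2:-/opt/CPShared}" ;;
esac
```

Run `sh cp_upgrade_env.sh save` before upgrading IPSO. After the reboot and re-enabling NG FP3 in Voyager, source the saved file directly in the interactive shell (`. /var/tmp/cp_env.sh`) so the exports take effect there, then run `sh cp_upgrade_env.sh check` and fix the symlink before starting the R55 upgrade.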
Re: [FW-1] Secure remote 'pool' issue
I don't know if it's available in SecuRemote, but R55 has a feature named ipassignment.conf, which is a file where you can set a user ID and the IP address they will always get. Kind of a DHCP reservation thing. I do know it works in SecureClient and Office Mode.

Ray

From: Tom Brown [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Secure remote 'pool' issue
Date: Mon, 23 Aug 2004 17:49:22 +0100

Hi

We run R55 on Linux at 2 locations; one was an upgrade from FP3 and the other is a clean install. When we use SecuRemote we assign IPs from a pool specifically for SecuRemote users. I'm finding that the users are 'seen' to be coming from their real NATed IP on the fresh R55 installation when they hit our network rather than from the pool. On the upgraded R55 install they appear to be coming from the correct IP pool. Has anyone experienced this or know of any gotchas on what I can check?

On another note I'd like our IP pool users to be able to administer the firewall as GUI clients, so I can administer it from home etc. over SecuRemote. However, even after specifying the IP range of the pool in the GUI clients list I can't connect. Does anyone know if a SecuRemote connection can be used to administer the firewall as a GUI client? I'm guessing that the firewall is 'seeing' me as coming from my real IP (not NATed) rather than from the SecuRemote IP.

Thanks
Tom
Re: [FW-1] MESSENGER FILE TRANSFER BLOCK
Unless you go to R55W or block all outbound ports except for specific sources, you probably can't do it. Many of these IM clients negotiate random high ports if the standard ones won't work, so unless you're very closely controlling outbound traffic, they'll just slip on through. R55W works regardless of what port is used, a major difference from R55.

Ray

From: Mateo Cabrera [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] MESSENGER FILE TRANSFER BLOCK
Date: Fri, 27 Aug 2004 14:20:23 -0300

NO...NO...NO...you don't understand me!!!

IN A R55 ENVIRONMENT: I need to block FILE_TRANSFERs between two MSN clients, client A and client B (with hotmail.com accounts), ok? Both clients are in different locations, ok? Client A is located behind a firewall. In the firewall I want to block the FILE_TRANSFER functionality for client A.

I tried to configure a rule base that permits HTTP and MSN_Services_group except the File_Transfer service. Then I checked the P2P--MSN option in SmartDefense and checked "Perform strict protocol enforcement", BUT...BUT...clients A and B continue to transfer the files. In summary, even if I remove the FILE_TRANSFER service from the rule base the file transfer continues. In the log I saw that all connections use the MSNP service, and if I remove the MSNP service from the rule, client A can't initiate the session.

Remember, in a R55 environment.

Regards,
Mateo Cabrera - Technical Support
Security Advisor
www.sadvisor.com

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Girard Moussa
Sent: Friday, 27 August 2004 4:16
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] MESSENGER FILE TRANSFER BLOCK

Well,

To answer your question, if they are on the same LAN segment and do not pass through a firewall as their gateway, then file transfer cannot be blocked. Why would you want to block file transfer internally between users? They can easily share files over the network or via email.

Now as for being able to transfer files with outside users, well, the new versions of MSN don't even need MSN transfer protocols or any proprietary protocols. They now tunnel over HTTP, and even if you have a proxy in place, MSN will pick up the settings from IE and tunnel over the proxy. The only way to block MSN Messenger is at the proxy level, if it is aware of MSN Messenger, or at the firewall level via SmartDefense. However, SmartDefense will stop all MSN-related traffic altogether and users would not even be able to log on to MSN, let alone transfer files.

Girard Moussa

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Mihai Lupu
Sent: Friday, 27 August 2004 3:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] MESSENGER FILE TRANSFER BLOCK

Hello,

Now when I read your message I think that I remember something like the MSN file transfer doesn't involve MSN servers, but only the two PCs (sender and destination); when they are in the same network it is obvious that this doesn't pass through your FW.

Mihai

-Original Message-
From: Mateo Cabrera [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 26, 2004 22:27
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] MESSENGER FILE TRANSFER BLOCK

Ok, thanks to all. But my question was because I did try to send a file from one MSN client to the other. I configured a rule permitting all services except MSN_File_Transfer and the transfer continued to work fine. The problem was that both MSN clients were in the same internal network, and somebody told me that the communication between 2 MSN clients in the same LAN is bypassed by the FW in a second instance. (I don't know if it's real.)

Regards,
Mateo Cabrera - Technical Support
Security Advisor
www.sadvisor.com

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Mihai Lupu
Sent: Thursday, 26 August 2004 15:22
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] MESSENGER FILE TRANSFER BLOCK

Hi!

The NG-AI version of FW-1 knows the different protocols of MSN, Yahoo and ICQ (video, file transfer and chat) well, so you can allow only the protocol that you want. I use this myself and it is OK; I want to allow only chat but nothing else (like file transfer or video). This stuff could be dangerous (file transfer) or resource consuming (video).

Mihai

-Original Message-
From: Mateo Cabrera [mailto:[EMAIL PROTECTED]
Sent: Thu 26-Aug-04 19:19
To: [EMAIL PROTECTED]
Cc:
Subject: [FW-1] MESSENGER FILE TRANSFER BLOCK

HEY GUYS!!! Another member of this forum (Jon Allingham) and I have a problem blocking the IM File Transfer using SmartDefense. Does somebody know how to configure FW-1 or SmartDefense to use MSN but do not to block the File
[FW-1] New Edge 4.5.44 firmware posted
On the Check Point software subscription site. No release notes on the changes that I could find.

Ray
Re: [FW-1] CheckPoint Visitor Mode
We're not getting any complaints about Visitor Mode disconnects, but we discourage it unless needed. The double encryption-decryption puts a definite strain on lower-end computers, like those below 1 GHz. On a 500 MHz P-III, Visitor Mode has a response that's only slightly better than dial-up. Yes, we are using compression, but straight IPSec doesn't have the issue.

Ray

From: Jeanne MAILLARD [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: CheckPoint Visitor Mode
Date: Tue, 31 Aug 2004 15:27:45 +0200

Hello!

Maybe you can help me too... It's about disconnections when using Visitor Mode. Have you heard about this problem?

Thanks for your help,
Jeanne

- Forwarded by Jeanne MAILLARD/France/Transiciel on 31/08/2004 15:22 -

From: Jeanne MAILLARD
To: [EMAIL PROTECTED]
Date: 31/08/2004 15:09
Subject: CheckPoint Visitor Mode

Hello,

I am trying to contact you thanks to the fw-1 mailing list. I've seen the message you posted a few months ago concerning Visitor Mode (see the copy of the text at the end of the mail). If you have a free moment, would you help me please?

I installed a SecureClient which can connect to my VPN gateway (SecurePlatform) without any problem: everything goes well. I use Visitor Mode. As you have already noticed, there are frequent disconnections. I asked my ISP whether there is a transparent proxy and the ISP answered yes. Did you have time to think about the problem? Are the disconnections induced by the transparent proxy? I can't find information in the knowledge base (SecureKnowledge)...

I hope you will have time to answer my question. Thank you in advance.

Sincerely,
Jeanne.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg05886.html

Re: [FW-1] Office Mode (regular VPN) vs. Visitor Mode (TCP Tunneling)
From: Markus Hofbauer
Subject: Re: [FW-1] Office Mode (regular VPN) vs. Visitor Mode (TCP Tunneling)
Date: Tue, 16 Mar 2004 06:09:22 -0800

I noticed that the client gets frequently disconnected when using Visitor Mode... never took the time to debug the reason. But I'm pretty sure it's not because of bad ISP connectivity from the client.

/Markus

At 13:42 16.03.2004, you wrote:
Is there any reason that I shouldn't make Visitor Mode my default for my SecureClient users? If Visitor Mode encapsulates everything through TCP 443, therefore making it easier for my users to connect from various places, why wouldn't I just make it the 'standard'? What's the downside?

Markus Hofbauer, IT-Service / Security
Bacher Systems EDV GmbH, Wienerbergstr. 11B, A-1101 Wien, Austria
phone: +43 (1) 60 126-34 | fax: +43 (1) 60 126-4
e-mail: [EMAIL PROTECTED] | web: www.bacher.at

Jeanne Maillard
TRANSICIEL European Security Expertise Center
DESS apprentice, Telecom and Network Systems
Tel. +33 (0)5 61 30 60 24
Mobile +33 (0)6 68 53 88 02
E-mail: [EMAIL PROTECTED]
http://www.transiciel.com
[FW-1] Here an Edge, there an Edge, E I E I O!
From the bottom left corner of the August 30th issue of Infoworld magazine: "The latest addition to Watchguard's Firebox series of security appliances is the Firebox X Edge series, designed for remote branch offices of SMBs."

Hope somebody from Nokia or Check Point trademarked their use of the term. Or maybe it's a Nokia under the covers?

Ray
Re: [FW-1] SecureClient and Internal Network Access
Your NAT is probably OK. Do you have a static route on the gateway so it knows how to route the 10.9.xxx.xxx traffic to the next-hop internal router? Do your internal routers know to send all 10.9.xxx.xxx traffic back to the gateway? Which version of SecureClient? Are you using SCV? What do your desktop security rules look like? Normally you cannot ping the gateway unless you add a rule to allow it. Is this a simplified or traditional policy? Do you have a specific rule in the rule base to allow the SecureClient traffic access into and out of the internal network?

Ray

From: Bob [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] SecureClient and Internal Network Access
Date: Tue, 31 Aug 2004 11:03:03 -0700

Hi All,

We are using Check Point NG FP2. We configured the Check Point gateway so that SecureClient can have remote access to the internal networks. The servers in the internal networks can reach (pings work) the SecureClients, but the SecureClients cannot reach the internal network or any servers (pings or HTTP access to any servers did not work).

In the network properties for the internal network I checked "Add Automatic Address Translation rule" and picked Hide as the translation method (Hide behind the interface of the install-on Gateway). First of all, do I need to configure NAT in order for my network to work correctly? If so, are my NAT rules incorrect? Please advise.

Our network looks like this:

  Client            Checkpoint Gateway                    Server
  10.10.20.60/20    External      Internal                10.10.58.200/20
                    10.10.16.40   10.10.58.190

The IP pool that I assigned is network 10.9.62.0/24. The SecureClient got IP address 10.9.62.1 when it connected to the gateway. The server can ping the client but the client cannot ping the gateway. Also, in the log I do not see any packets being dropped.

Any help is greatly appreciated; my boss is sitting on top of me so I had to look for help quickly.

-thanks,
sam
Re: [FW-1] SecureClient and Internal Network Access
Hi Bob,

Is there some reason you can't go to a current version of the firewall and SecureClient? You are putting a lot of risk into the picture if you plan on using such an old version in the real world. To see if the FP2 version is an issue, you can download an evaluation version of R55, which comes with a fully functional license for 15 days. Since this is a test setup, that's what I'd do.

I'm getting confused by how you have your subnets arranged. I'm assuming you're using the same masks as you use in real life. Can you change the external network to a 192.168 range to keep it totally different from the internal network?

Ray

From: Bob [EMAIL PROTECTED]
To: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [FW-1] SecureClient and Internal Network Access
Date: Wed, 1 Sep 2004 16:33:37 -0700 (PDT)

Hi Ray,

Let me thank you for . Actually, let me draw the network again so that it is clear. I saw that formatting messed it up a little. I have attached a text file for better clarity. Right now the entire test bed is in the lab, so we are using 10.x.x.x addresses for both the internal and external network on the Check Point gateway.

1. Client and Check Point gateway's external interface sit on the same subnet (10.10.16.0/255.255.240.0).
2. Server and Check Point gateway's internal interface sit on the same subnet (10.10.48.0/255.255.240.0).

So there is no need for a router here, right, because the client can reach the Check Point gateway's external interface directly and the server can reach the Check Point gateway's internal interface directly. But I added the following static route on the server to the 10.9.62.x network:

  10.9.62.0 255.255.255.0 10.10.58.190

So the server knows how to get to the 10.9.62.0 network.

Now coming to the version of SecureClient: I am using Check Point NG FP2 build 52032. sqa is the group created for remote access.

Inbound Rules
  Source         Desktop            Service  Action
  internal n/w   [EMAIL PROTECTED]  *Any     Encrypt
  *Any           [EMAIL PROTECTED]  *Any     Accept

Outbound Rules
  Desktop            Destination    Service  Action
  [EMAIL PROTECTED]  internal n/w   *Any     Encrypt
  [EMAIL PROTECTED]  *Any           *Any     Accept

External N/w on Check Point: 10.10.16.0
Internal N/w on Check Point: 10.10.48.0

I am using Traditional Mode policy.

-thanks
Bob
[FW-1] Best reporting software for NG AI?
We need to purchase a reporting package that will automatically generate reports and distribute them. I've just started testing an eval of SmartView Reporter, but I was wondering what other programs people are using. It particularly would be nice to be able to create a report of things trying to connect by a specific service, such as PPTP or IPSec, that get dropped. A built-in query system would be wonderful. These would be more for audit usage than pretty pictures for non-technical management. Something a firewall administrator could use to help in the job.

Thanks in advance for your suggestions,

Ray
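The kind of audit query asked for above (dropped connection attempts to a specific service such as PPTP or IPsec, broken down by source) can be run over an exported log without a reporting package. The script below is an added example, not code from the list post or from Check Point; it assumes the records are in the semicolon-delimited form that `fw logexport` writes (a header line followed by one record per line) and uses only a few of those fields. The sample export embedded in it is constructed for the example, and the service names and ports it matches (pptp/1723, IKE/500, ESP) are assumptions about how those services appear in a given installation's logs.

```python
"""Added example (not from the list thread): count denied connection
attempts to VPN-related services per source address, from an exported
FW-1 log.

Assumption: records are in fw logexport's semicolon-delimited form with a
header line. SAMPLE_EXPORT below is constructed for this example.
"""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample export: a small subset of the real fw logexport fields.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_dir;proto;src;dst;service;s_port;rule
1;3Sep2004;10:01:02;fw-ext;log;drop;inbound;tcp;203.0.113.7;198.51.100.2;pptp;3204;15
2;3Sep2004;10:01:05;fw-ext;log;drop;inbound;udp;203.0.113.7;198.51.100.2;IKE;500;15
3;3Sep2004;10:02:11;fw-ext;log;accept;inbound;udp;192.0.2.40;198.51.100.2;IKE;500;4
4;3Sep2004;10:03:30;fw-ext;log;drop;inbound;esp;203.0.113.9;198.51.100.2;;;15
5;3Sep2004;10:04:00;fw-ext;log;drop;inbound;tcp;203.0.113.7;198.51.100.2;http;4411;15
6;3Sep2004;10:05:44;fw-ext;log;reject;inbound;tcp;203.0.113.11;198.51.100.2;1723;3310;15
"""

# How each audited service shows up in the exported records (assumption:
# the service column may carry either the object name or the raw port,
# depending on whether a matching service object exists, so both match).
VPN_SERVICES = {
    "PPTP": {"proto": "tcp", "service": {"pptp", "1723"}},
    "IKE":  {"proto": "udp", "service": {"IKE", "ike", "500"}},
    "ESP":  {"proto": "esp", "service": None},   # ESP has no port; match on proto alone
}
DENY_ACTIONS = {"drop", "reject"}


def parse_export(text):
    """Parse an fw logexport-style text into a list of field dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def classify(record):
    """Return the audited service name a record belongs to, or None."""
    proto = record.get("proto", "").lower()
    svc = record.get("service", "")
    for name, match in VPN_SERVICES.items():
        if proto != match["proto"]:
            continue
        if match["service"] is None or svc in match["service"]:
            return name
    return None


def denied_vpn_attempts(records):
    """Map service name -> Counter of source addresses whose attempts were denied."""
    summary = defaultdict(Counter)
    for rec in records:
        if rec.get("action", "").lower() not in DENY_ACTIONS:
            continue
        name = classify(rec)
        if name is not None:
            summary[name][rec["src"]] += 1
    return summary


def format_report(summary):
    """Plain-text report: one section per service, sources ordered by count."""
    lines = []
    for name in sorted(summary):
        lines.append(f"{name}: {sum(summary[name].values())} denied")
        for src, count in summary[name].most_common():
            lines.append(f"  {src:<16} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(denied_vpn_attempts(parse_export(SAMPLE_EXPORT))))
```

Against a real export, replace SAMPLE_EXPORT with the contents of the file `fw logexport` produced and adjust VPN_SERVICES to the service object names that actually appear in the log; accepted connections and unrelated services (the http record in the sample) are left out so the report only lists what was refused.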
[FW-1] VPN routing question
I just set up a test VPN from an R55 gateway to an Edge XU box and I now have my computer on its internal network. When I have SecureClient running on my computer, I can't get to the real internal network. I have to disable the policy, even though this new internal network is allowed in the desktop security policy, and also stop SecureClient. Then everything works OK. I vaguely recall reading about this before and it seemed that it had something to do with the topology being fed to SecureClient. All remote access will be to the R55 gateway and then down the site-to-site VPN to the Edge internal networks. We are using hub mode for SecureClient.

Any pointers would be appreciated!

Thanks,
Ray