Re: [FW-1] No Valid FM License
Frederico,

What is your license string saying?

I see this when I did a fwstop ... but no fwstart again

Met vriendelijke groeten - Bien à vous - Kind regards

Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSA CCSE
Compaq Software Engineer - Belgium
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65

This message may contain confidential and/or proprietary information, and is intended only for the person/entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated. Should you receive this message by mistake please inform the sender immediately.

-----Original Message-----
From: Frederico Augusto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 6:42 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] No Valid FM License

Hi,

Every time I try to start my FW-1 I get the message "No Valid FM license". In the knowledge base of checkpoint, they told us to use fw putlic -o and re-install the license. But it doesn't work. I am using nokia ip 650 with CP FW1 4.1. I have started from scratch and still get the same message. Can anyone help me?

regards,
Frederico Augusto Moreira
Network [EMAIL PROTECTED]
http://www.avati.com.br
Phone: 55 31 32982600
[FW-1] different about snmp vs FW1_snmp
Hi there,

I am running FW-1 4.1 SP2 on a Sun Solaris 2.6 machine. When I run fwstart, it states that it can't use port 161 for snmp, and so it uses port 260. I believe port 161 was already used by the Sun OS.

Now, if I want to query FW-1 snmp MIBS, does it matter if I send the query to port 161 or 260? Currently, my firewall rule allows only port 161.

Thanks.

=== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ===
Re: [FW-1] FW-Documentation
Manfred,

Go to Phoneboy (www.phoneboy.com), there is a section containing tools that allow you to make nice things with the objects.C and the security policy files.

Hope that's what you are looking for.

Met vriendelijke groeten - Bien à vous - Kind regards

Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSA CCSE
Compaq Software Engineer - Belgium
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 2:28 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] FW-Documenatation

Hallo

We have same Checkpoint-FW´s and I search any tool to make a documentation about the FW´s (Rules etc.)

Thanks for any help
manfred

Best Regards
Mit freundlichen Grüßen

Manfred Steinbacher
EDS Austria - Core Infrastructure Network Services
EDS Austria / AVL - Account
Phone: +43 316 787 470
Fax: +43 316 787 1783
eMail: [EMAIL PROTECTED]
Hans-List Platz 1
A-8020 GRAZ
[FW-1] how to capture huge fw logs
Hi,

my cp fw generates 1gig of log each day due to the huge user traffic and I have problems capturing those logs without compromising the utilization of the cpu. Any help will be much appreciated.

Thanks.
[FW-1] NG virtual interface
Hi all,

I have a NG Firewall-1 on a Solaris 8 (Sparc platform), and I want to add a virtual interface (hme0:1), but when I execute fw ctl iflist the virtual interface is not shown. I had no problems when I did it in FW-1 ver 4.1.

Can someone help me, please?

Thanks
[FW-1] NG VPN-1/Secure Client - FWZ works, IKE doesn't, no errors reported.
Dear firewallers -

This is my scenario:

Running the latest build of NG and Secure Client on a hardened NT test box. Built the firewall from a ruleset based on previous version working box with IKE VPN. Installed fresh certificates for everything. Attempted test with various encryption levels - reduced to lowest for this example:

Tested Secure Client with FWZ and it works fine, change to IKE and the logs are as follows:

login - SSL - DES+ SHA1, Internal Password :Success
reason: User authenticated by Firewall. Sending SSL Encrypted Topology, using IKE authentication

..then if I ping a host or telnet to an SMTP port of a known server (i.e. the same test for FWZ) there is no response and the firewall log displays:

Key Install - IKE - ESP DES + SHA1
IKE: Quick Mode completion
IKE IDs: host: [internal host IP address] and host: [external host IP address]

so with IKE perhaps somewhere the packets are being dropped, rerouted, or otherwise ignored but neither party is complaining.

Checked and confirmed that:
The ISP is not using NAT in any way.
The ping firewall hostname test works on the server - it returns its external IP address.
I am installing the policy at the firewall each time and deleting and reloading the topology each time on the client.

Any ideas?

Chris Glaister
Network analyst (CCSA/CCSE)

Capital International Limited. This message is bound by terms and conditions. For further information please follow http://www.capital-iom.com/disclaimer.htm
Re: [FW-1] Firewall Errors
I had this happen to me last night. No fw changes on either end of the VPN and my remote office (the side with the Win2K, CP2K) loses all connectivity to the main office. Meanwhile the main office can still access everything on their network.

What SPs are you all running on your fw's? I've got SP5 on my 4.0 firewall and SP3 on my 2K firewall. Also, which end of your VPN loses connectivity? For our setup, it is always the 2K side and never the 4.0 side.

To fix the problem last night I:
1. reinstalled the policy on both ends -- no result
2. changed the shared secret -- no result
3. rebooted the remote firewall -- connectivity restored 5 minutes post reboot.

Hopefully together, we can nail down what's causing the issue and fix it.

CF

Christopher A. Ferraro
Systems Engineer
Hubbard One
312.939.5000 x269
mobile: 312.286.8466
www.hubbardone.com

-----Original Message-----
From: Rodriguez, Laz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 8:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

I get the same problem from time to time. I lose all connectivity and need to reboot!

-----Original Message-----
From: Jerris, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 5:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

Still have not, although it seems to be working we have had some intermittent problems with losing all connectivity... Not sure if it is related.

Mike

-----Original Message-----
From: Rodriguez, Laz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 9:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

How did you fix the problem?

-----Original Message-----
From: Jerris, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 3:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

Had the problem on 2 different machines with different NIC's all using standard win2k drivers.

-----Original Message-----
From: Zeltser, Roman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 1:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

I would check the NIC driver for Win2K as well as would try to replace the card

**
Roman Zeltser, @National Computer Center, DNERS Information Systems

-----Original Message-----
From: Rodriguez, Laz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Firewall Errors

Help,

I was wondering if anyone out there has had the same issues as me. After we migrated from NT4.0 fw 4.1 to Windows 2000 server fw 4.1 on our firewall, the following error is coming out on the event viewer every second. I have applied service pack 3 and 4 and the error keeps coming.

FW1: ndis_allocate_packet: Cannot allocate new packets

Can anyone give me a few pointers as to where to look!

Thanks
Laz
Re: [FW-1] AIX 5.1
I'm holding off on upgrading to AIX 5.1 until checkpoint can say that it's going to work. ;)

Right now, I think that 4.3.3 is the latest release that is supported.. At least officially supported. I have FW1 running on a couple of RS/6000 B50s running AIX 4.3.3_09.

No real reason to upgrade if it's not broken or if there aren't any real huge benefits.

joe

==
Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
==

-----Original Message-----
From: Matt T. Duval [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 6:31 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] AIX 5.1

Anyone done, seen, heard about this?

Thanks,
Matt Duval
HealthTrans
www.healthtrans.com
Transforming Healthcare, One Transaction At A Time
Re: [FW-1] Migration Headache
How are you handling your mail? Does your mail server have its own external IP address? (I have about 6 addresses I can use. I assigned one just to the mail server)

Make sure that you ARP the IP address onto the Ethernet adapter. In windows it's probably just adding it in the network config. For me, on AIX, I had to use the ARP command to add it. Because the firewall itself has to respond to the IP address, it has to know that it is supposed to do so.

Access Rules:
ANY        MAIL_EXT   SMTP   ACCEPT
MAIL_INT   ANY        SMTP   ACCEPT

NAT Rules:
INT_NET    INT_NET    ANY    ORIGINAL   ORIGINAL   ORIGINAL
!INT_NET   MAIL_EXT   SMTP   ORIGINAL   MAIL_INT   ORIGINAL
MAIL_INT   ANY        SMTP   ORIGINAL   MAIL_EXT   ORIGINAL

Oh yeah, something that bit me in the butt. If you use your Firewall IP address as the address for your mail server.. make sure that you put the SMTP accept rule above the firewall stealth rule. Ya know, the "ANY FIREWALL DROP ALERT" rule.

I don't know if any of this is even your problem, but I like to at least try and help.

Joe

==
Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
==

-----Original Message-----
From: Hanke, Eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 5:12 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Migration Headache

Hello list:

Tried a migration (fresh install) of FW-1 4.1 last night on a Windows 2000 SP 2 Compaq Proliant 1600. Thought the install went well until my users were not able to receive any e-mail, sending e-mail was ok.

Here is a quick Config rundown:
Checkpoint FW-1 4.1 SP5 on Enforcement Module (Windows 2000 SVR SP2)
Checkpoint FW-1 on the GUI Client and Management Module (Windows 2000 SVR SP2)

This was a fresh install. I opted to manage my routes manually; I already had a text printout of the routes from my NT 4.0 Firewall-1 (4.0)

Basically the first few rules look as such:
Firewall - Management Accept
Management - Firewall Accept
ANY - SMTP_SVR(NAT'ed) Accept
SMTP_SVR(NAT'ed) - Outside_world Accept

I also had the necessary DNS rules installed so the Mail server could do a DNS lookup.

The strange thing is that on the Log you could see the Firewall pass the request from the public IP of the SMTP server to the NAT'ed address but the SMTP server never received the e-mail. I think this is a routing problem; I am new to routing with Windows 2000.

Any ideas or a thought on what to look at next is greatly appreciated.

Eric

Eric M Hanke
Senior Network Engineer
Tempel Steel Company
Magnetic Steel Laminations for the Electronic and Electrical Industries
Phone (773) 250-8056
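
Added example (not part of the original thread and not Check Point code): a small first-match rulebase check that shows why the SMTP accept rule has to sit above the stealth rule when the mail server is published on the firewall's own address, as described in the reply above. The object names follow the post; the IP addresses, rule names and the implicit final drop are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed objects: names follow the post, addresses are documentation ranges.
OBJECTS = {
    "ANY": ip_network("0.0.0.0/0"),
    "FIREWALL": ip_network("192.0.2.1/32"),
    "MAIL_EXT": ip_network("192.0.2.1/32"),   # mail published on the firewall's own IP
    "MAIL_INT": ip_network("10.0.0.25/32"),
}
# Variant where the mail server has a dedicated external address (assumed value).
DEDICATED_IP = {**OBJECTS, "MAIL_EXT": ip_network("192.0.2.25/32")}


@dataclass(frozen=True)
class Rule:
    name: str      # hypothetical label, used only for reporting
    src: str
    dst: str
    service: str   # "ANY" or "proto/port"
    action: str


STEALTH = Rule("stealth", "ANY", "FIREWALL", "ANY", "DROP")
SMTP_IN = Rule("smtp-in", "ANY", "MAIL_EXT", "tcp/25", "ACCEPT")
SMTP_OUT = Rule("smtp-out", "MAIL_INT", "ANY", "tcp/25", "ACCEPT")

STEALTH_FIRST = [STEALTH, SMTP_IN, SMTP_OUT]   # the ordering that bit the poster
SMTP_FIRST = [SMTP_IN, STEALTH, SMTP_OUT]      # the ordering the poster recommends


def _svc_covers(outer, inner):
    """A service field covers another if it is ANY or identical."""
    return outer == "ANY" or outer == inner


def covers(earlier, later, objects=OBJECTS):
    """True if every packet matching `later` also matches `earlier`."""
    return (objects[later.src].subnet_of(objects[earlier.src])
            and objects[later.dst].subnet_of(objects[earlier.dst])
            and _svc_covers(earlier.service, later.service))


def shadowed_rules(rulebase, objects=OBJECTS):
    """Return (shadowed, shadowing, actions_conflict) for rules that can never fire."""
    findings = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier, later, objects):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


def first_match(rulebase, src, dst, service, objects=OBJECTS):
    """Evaluate one packet top-down; the first matching rule decides."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rulebase:
        if (s in objects[rule.src] and d in objects[rule.dst]
                and _svc_covers(rule.service, service)):
            return rule.name, rule.action
    return "implicit-drop", "DROP"   # assumed default when nothing matches


if __name__ == "__main__":
    for label, rb in (("stealth first", STEALTH_FIRST), ("smtp first", SMTP_FIRST)):
        print(label, shadowed_rules(rb),
              first_match(rb, "198.51.100.7", "192.0.2.1", "tcp/25"))
```

With the SMTP rule first, inbound mail is accepted while every other service aimed at the firewall address still hits the stealth rule.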
Re: [FW-1] Migration Headache MORE
You may also need to provide an arp entry for that (depends on your setup) AND you may need a third-party utility for that (I use fwparp).

If you think it is a routing issue confirm the following registry entry:

In location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value for IpEnableRouter should be set to 1 (not zero)

Andy

Andy Druda
Network Communications Manager
Wagner College
Staten Island, New York 10301
1 718 390 3204
Re: [FW-1] UDP natting problem
Hi,

check out http://www.securityportal.com/list-archive/fw1/2001/May/0432.html maybe this solves your problem. Unfortunately the list is currently down, but I hope it will be in the next time again online.

best regards
Daniel

-----Original Message-----
From: Michael Haller [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 3:15 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] UDP natting problem

Hi,

We're trying to demo client-server software which crosses our firewall (and the atlantic). All communication is by UDP packets.

The machine we're setting the demo up on is a machine on our internal network (which is a 172.18.0.0 net). This machine is called int_ip. To allow connections to this machine our ISP has added a routable IP with the DNS entry ext_ip at their site. I've created a network workstation object for this machine and set it to have static natting for the ext_ip. I've added a rule which enables UDP high ports and certain other services to/from the int_ip.

And it works...in general. I can ping external machines which see the pings coming from ext_ip and not int_ip. If I snoop on the internal interface of the firewall I see the pings coming from int_ip. If I snoop on the external interface I see the pings coming from ext_ip. Other services, like ssh, work fine too.

The problem occurs when we start the demo. When the demo starts up (on int_ip) it sends a packet on port 3111 (say). The server sees this packet coming from ext_ip (good). It sends an ack and tells the client (at ext_ip) to start sending to port 3112 (say). The client (int_ip) sees this and starts sending to port 3112. This is where the problem begins. The firewall doesn't seem to nat the packets sent to port 3112.

Snooping the firewall interfaces: the internal interface shows all UDP for both 3111 and 3112 coming from int_ip. The external interface shows all UDP to 3111 as coming from ext_ip but all UDP for 3112 as coming from int_ip.

It seems the firewall gets confused when the client starts sending to a new port. Just to reiterate, the ports don't seem to be the problem themselves. It is when an existing client starts sending to a new port. No natting occurs on the packets for the new port.

Any clues as to what might be wrong?

Many thanks,
- Michael
Re: [FW-1] how to capture huge fw logs
Try webtrend for firewalls... but check why 1g log is generated? is it all required? u may select not to log many things, like http traffic.

Azhar Iqbal Mirza
Sr. Network Systems Engineer
ADNOC Distribution
Al Salam Street, P O Box 4188, Abu Dhabi, UAE.
E-mail: [EMAIL PROTECTED]
Tel (971) 2 6771300 ext :469
Did (971) 2 6959 469
Fax (971) 2 6742265
Mobile (971) 50 613 96 86

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Chua Yew Gin
Sent: Thursday, October 25, 2001 6:17 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] how to capture huge fw logs

Hi,

my cp fw generate 1gig of log each day due to the huge user traffic and I have problems capturing those logs without compromising the utilization of the cpu. Any help will be much appreciated.

Thanks.
Re: [FW-1] Upgrade 4.1 to NG
That works. But upgrading a policy from 4.1 to NG is a whole different story :-(. Will post my experiences when the upgrade is done.

Nico

On Thu, Oct 25, 2001 at 07:54:57AM +0100, Roelandts, Guy wrote:

Ryan,

This is supposed to work, developing a policy on a NG management server and installing it on a 4.1 firewall module.

Met vriendelijke groeten - Bien à vous - Kind regards

Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSA CCSE
Compaq Software Engineer - Belgium
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65

-----Original Message-----
From: Ryan Nobrega [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 8:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Upgrade 4.1 to NG

Would it not make sense to upgrade your firewall module to NG as well. Not sure if a policy created with NG would work on a 4.1 module?

-Ryan Nobrega

-----Original Message-----
From: Nico De Ranter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 2:40 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Upgrade 4.1 to NG

Anybody attempt an upgrade from 4.1 to NG already? We are getting error messages when trying to save a policy from the NG policy editor (management console is NG, firewall module is 4.1)

Nico

- It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry. -

Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [EMAIL PROTECTED]
[FW-1] UNSUBSCRIBE fw-1-mailinglist
UNSUBSCRIBE fw-1-mailinglist
Re: [FW-1] Migration Headache
If you think it is a routing issue confirm the following registry entry:

In location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value for IpEnableRouter should be set to 1 (not zero)

Andy

Andy Druda
Network Communications Manager
Wagner College
Staten Island, New York 10301
1 718 390 3204
[FW-1] Noël BRETON/Dsinds/Tours/Cnav/FR is absent
I will be absent from 25/10/2001 to 05/11/2001. I will reply to your message when I return.
Re: [FW-1] Small Office License
The only difference is the license count... like all limited licenses, you can only protect a given number of nodes (5, 10, 25, 50). I have implemented a PDS with 3 NIC's, so I imagine you can have as many zones as the hardware / OS will support.

NG is slightly different in that it allows you to specify whether a NIC is considered internal / external. All the nodes you are protecting have to be allowed for in your license count. I haven't tried this feature yet, but I'm assured it works.

Another limitation I just thought of - you can only set up a limited number of VPN tunnels, either SecuRemote or VPN to VPN. The limitation is your license count + 5 (10, 15, 30, 55 respectively).

Craig Little B.Sc, CPD, CPI, SCJD, CCSA, CCSE
Senior Consultant
Layer-0 Internet Security
www.layer-0.com
mailto:[EMAIL PROTECTED]
Ph: 02 4648 2855
Fax: 02 4647 8899
Mob: 0416 112 138

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen Davies
Sent: 24 October 2001 4:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Small Office License

Dear Craig,

Thanks for that. Is the Small Office restricted on the number of ethernet port/ Security Zones. I am looking at implementing 4 zones for a customer (Internet, DMZ, Corporate LAN, Dialup)

Regards
Stephen Davies
* Mobile : +61 041 998 7716
* Fax : +61 (8) 6210 1828
* Email : [EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of FireWall-1 (Layer-0)
Sent: Wednesday, October 24, 2001 8:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Small Office License

You can't run the High Availability features or FWZ encryption, though everything else seems to be enabled. You can get it for up to 50 nodes, not 25. I have been running it on RedHat without any problems. Configuration is via cpconfig, and you need a separate GUI console (e.g. Windoze), though the management daemon (fwm) can be run locally or centrally managed.

Various appliance implementations restrict features further. E.g. some don't offer VPN, others don't offer SecureClient. I've implemented straight on top of RH Linux without any probs though...

Craig Little B.Sc, CPD, CPI, SCJD, CCSA, CCSE
Senior Consultant
Layer-0 Internet Security
www.layer-0.com
mailto:[EMAIL PROTECTED]
Ph: 02 4648 2855
Fax: 02 4647 8899
Mob: 0416 112 138

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Aaron Brasslett
Sent: 24 October 2001 1:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Small Office License

One significant difference that I have found is that the only encryption scheme is IKE. I'm sure there are other differences though. I'm running the GUI on a Windows machine, so I can't answer your question about the console.

Aaron

-----Original Message-----
From: Stephen Davies [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 10:24 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Small Office License

Hello,

Can anyone tell me what restrictions are on the Small Office license of Firewall-1. I know it is limited to the number of 25 Addresses supported, however is there any restrictions on Ethernet Ports or anything else. What is the difference between the Small Office and Internet Gateway versions of Firewall-1.

If I am to run Firewall-1 Internet Gateway on Redhat, does it come with any kind of management console? Do I need the Motif GUI or Enterprise management console?

Thanks in advance.

Regards
Stephen Davies
* Mobile : +61 041 998 7716
* Fax : +61 (8) 6210 1828
* Email : [EMAIL PROTECTED]
[FW-1] fw log -ftn doesn't work anymore in NG management console?
Hi,

I upgraded my management console to NG (to support an extra NG firewall) but now fw log -ftn doesn't do anything anymore. fw log -fn does work but that stops at the point in the log when you started the command while fw log -ftn is supposed to give a continuous log.

According to the output of fw log -help it should still work:

Usage: fw log [-f[t]] [-l] [-o] [ -c action] [-h host] [-s starttime] [-e endtime] [-b stime etime] [-u unification scheme file] [-m (initial|semi|raw|account)] [logfile]

Anybody any ideas?

Nico

- It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry. -

Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [EMAIL PROTECTED]
Re: [FW-1] Firewall Errors
We have lost connectivity much like this on the Win2k side... All firewalls are 4.1 sp4. Main site is on NT, all the satellite offices are on Win2k.
[FW-1] Inspect Language
Hi to all,

I want to use a user-defined service for an application. The condition for accepting the communication of a client with the server should depend on a string in the fourth packet. Is it possible to define such a service, so that FW1 accepts the connection if the string is in the fourth packet and drops it if not? If yes, does anyone have a sample for it? If no, does anyone have another possible solution for this problem?

best regards
fitz
Re: [FW-1] VPN with OSPF for Failover
What I want to do is for my friend's remote VPN sites (10) to fail over to his secondary VPN HUB. Here is his scenario.

He just got acquired by another company. His current company relies on a full-blown IPsec VPN mesh with a backup ISDN. He is running Voice over IP through his IPsec 3DES VPN.

This new company relies on a LARGE Frame network that runs OSPF on Ciscos. They now want to implement a VPN running OSPF because they use OSPF. They installed a frame link from his location (New York) to their headquarters (Detroit). Now they want to implement a secondary location (Houston) which has an internet connection and a frame connection back into the headquarters (Detroit). They want this secondary location (Houston) to be a backup in case his location (New York) fails for his remote sites.

Someone within this new company mentioned that his current Nokia/Check Point solution won't work with the failover design because IPsec can't handle multicast broadcast traffic (ex OSPF). They need to run OSPF for a failover design.

Their solution is to REMOVE all of his Nokia/Check Point and implement a Cisco router based VPN design: Cisco 1750 for remote sites and 7140 for each hub. Each router, both remote site and hub, will have Cisco's firewall/IDS package and encryption module. The Cisco VPN tunnels are going to be using GRE encapsulation for the OSPF. In case of a failover to the secondary HUB, OSPF will update the Frame network regarding the failover. IPsec 3DES for the data encryption. This new design is not going to be a MESH but a Hub and Spoke.

His problem with this HUB and SPOKE design is this.
1). He is afraid because this design relies on a 1 tier security design. The Cisco routers will be handling the VPN, routing protocols, firewall, and IDS on each router. His current design is 2 tier level: Cisco for the Internet router and Nokia/Check Point for VPN/Firewall.
2). He thinks his Voice over IP will fail between remote sites because the MESH will be gone.
3). The performance on the Cisco. Would they be able to handle the load? Since they will be doing everything. (VPN, Routing, and IDS)

Has anyone implemented this solution?

AC

-Original Message-
From: Chris Arnold [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 10:12 PM
To: 'Cardona, Alberto '; '[EMAIL PROTECTED] '
Subject: RE: [FW-1] VPN with OSPF

That depends on what you mean by running site to site IPsec VPNs and using OSPF. Do you mean tunneling OSPF through an IPSec tunnel for some reason or using OSPF to route traffic to available VPN endpoints before going through a tunnel or on your edge routers once your VPN traffic has been encapsulated?

Chris

-Original Message-
From: Cardona, Alberto
To: [EMAIL PROTECTED]
Sent: 10/24/01 4:16 PM
Subject: [FW-1] VPN with OSPF

Is anyone running site to site IPsec VPNs and using OSPF? If so did you have to implement GRE?

Thanks
AC
Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1) HELP!!!!!!!!!
I'm wondering if our mail servers are being exploited in the same way. Is there any way to tell if our Exchange 5.5 server is being used by spammers?

Thanks,
John
FW-1 4.1 NT

-Original Message-
From: Tim Anderson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 7:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1) HELP!

What type of mail relay are you using? If it is Exchange you can refuse relaying very easily except for appropriate inbound mail. I am sure Sendmail has similar features.

Tim Anderson

-Original Message-
From: Reed Mohn, Anders [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 3:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1) HELP!

Sorry for pointing out the obvious here, but: The best way is, of course, to fix the mailserver. One day, someone will find a loophole through the firewall, and you will be up that creek again.

Cheers,
Anders :)

-Original Message-
From: Timothy K. Cornelius [mailto:[EMAIL PROTECTED]]
Sent: 23 October 2001 23:27
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1) HELP!

At this time our internet mailserver (behind the FW-1) has been designated as an open relay mailserver and has been blacklisted by several spam blocker websites (www.orbz.org is one of them). After reading up on how to stop this at the firewall I added two rules on the firewall with services w/resources. The resource (SMTP-our-mail-only-in) is SMTP and the match is: coming in, the sender is * and the recipient is *loi.org. The other is going out: the resource (SMTP-our-mail-only-out) is SMTP and the match is sender is *loi.org and the recipient is *. I have also created a rule below these two that denies any mail service plus 2 services with resources (SMTP-openrelay-in and SMTP-openrelay-out); these are the same as the first two. Is this not the correct way to handle stopping an open relay mailserver or is there a better way? PLEASE HELP ME ASAP!!! Our mail services are just about non-existent, except my Firewall email groups.

1  Source: any         Dest.: mailserver  Service: SMTP-our-mail-only-in   Action: accept
2  Source: mailserver  Dest: any          Service: SMTP-our-mail-only-out  Action: accept

Thanks in advance,
Tim
Re: [FW-1] Firewall Errors
On my end it is always the Win2k (Win2k sp2 with cp 4.1 sp4). A reboot is the only way to fix this issue. It seems that just us two are having this problem, nobody else is!

I am using the
3c905C for the DMZ
Compaq Netelligent 10/100TX PCI for the External Net
3Com EtherLink 10/100 PCI TX NIC (3C905B-TX) for the internal net

What do you have?

Laz
Re: [FW-1] CheckPoint FireWall-1 INSECURE SMTP server - BIG HOLE!!
Agreed on ALL points.

Dan

-Original Message-
From: Ron Atkinson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 12:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!

There are cases though in which it's impossible to configure the firewall SMTP security server correctly. In my case I have a mail server that I don't even know how many domain names there are. It's either in the upper hundreds of domains or a little over a thousand. Now try to write an SMTP resource with a thousand domain names in it that may have additions/deletions at a moment's notice. Even in some larger companies where I've worked we still would have dozens of domain names that can all be used for email, so SMTP resources reach a point in which they are very cumbersome, difficult to administer, and you're duplicating the work that others have already done elsewhere.

CheckPoint has always had flaws in its SMTP security server and dequeuer (mdq), and many of the other technical issues have been addressed here before (MX record issues, dequeuing priority, CVP, etc.). Plus with having to define domain names not only on every mail server, but now on the firewalls too, it's much easier to either have a properly configured mail server with anti-virus on there, or create a sandwich of mail servers in front (or DMZ) and behind the firewalls. Let the entry point mail servers handle anti-relaying and pass valid email inbound to your company mail server.

I've been down this route before in more than one company and have always found it better to dump the CheckPoint SMTP server and just build a properly configured mail system.

Ron

Dan Hitchcock wrote:

(Response to Miles' original post)

Interesting finding... I tested your data as described below, and I am not convinced that this "allows relaying". The whole concept of relay restriction is that some destinations are permitted, and others are not. The syntax you suggest causes the message to be forwarded to the mail server defined in the SMTP resource rule (the "permitted destination"), but where does it go from there? Well, if you're using any mail server I've ever seen, absolutely nowhere. The firewall has done its job - as you noted in your original post, the SMTP security server does not forward to "forbidden" destinations as relay when properly configured. The destination mail server will drop the request, as it will be unable to find a user named "fred%hotmail.com" in its local address table. The blah%blah.com syntax won't be automatically converted to a valid address by any mail server I know of, much less forwarded, and even if it was, we're now talking about a problem on the mail server, not the firewall. As you noted, you can put whatever you want as long as it ends in @domain.com, but I fail to see the relevance.

Example:

220 CheckPoint FireWall-1 secure SMTP server
helo breakwater.net
250 Hello breakwater.net, pleased to meet you
mail from:[EMAIL PROTECTED]
250 [EMAIL PROTECTED]... Sender ok
rcpt to:vf^hnhj#$bg()@breakwater.net
250 vf^hnhj#$bg()@break... Recipient ok

As with all other security tools, the administrator is welcome to mis/non-configure their software, but this does not mean that the vendor has produced a faulty or insecure product. If anyone has successfully used the firewall-1 SMTP security server when properly configured as a relay, or accomplished anything with the data provided by Miles, please post.

Dan Hitchcock

-Original Message-
From: Bob Webber/Markham/Contr/ATT/IJV [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 11:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!

Hi all:

I think this is only a problem if the mail server that FW-1 relays to is configured as an open relay. I have both eSafe and ISVW in my environment. With either implementation, the mail server(s) on the inside that receive the scanned mail are configured to only accept mail for one particular domain. I have heard about this issue before, and I am unable to duplicate it on my servers.

(Now if we could only do something about those pointless out-of-office replies!)

Regards.

Bob Webber
ATT Global Network Services
Tel: (905) 762-7433
Fax: (905) 762-7497
Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [EMAIL PROTECTED]
"Logic merely enables one to be wrong with authority" - Doctor Who

"Firewall-1 (Joe Voisin)" [EMAIL PROTECTED]@beethoven.us.checkpoint.com on 10/23/2001 12:29:27 PM
Please respond to Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
Sent by: Mailing list for discussion of Firewall-1 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
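The division of labour argued over in this thread, as an added example (not code from any poster or from Check Point): a recipient match that only constrains the end of the address lets `fred%hotmail.com@breakwater.net` through, so the relay decision rests on how the inside mail server treats the local part. The wildcard model of the firewall resource (`fnmatch`), the names `LOCAL_DOMAINS` and `ROUTING_CHARS`, and the sample recipients are assumptions constructed for illustration; the check also covers bang paths and source routes, which go beyond the `%` case discussed above.

```python
"""Relay decision at two layers: wildcard match at the firewall, strict check at the MTA."""
from fnmatch import fnmatchcase

# Assumption: the firewall SMTP resource behaves like a shell-style wildcard
# on the recipient, as in the "*@domain.com" match discussed in the thread.
FIREWALL_RCPT_PATTERN = "*@breakwater.net"

# Assumption: domains the inside mail server is authoritative for.
LOCAL_DOMAINS = {"breakwater.net"}

# Characters that ask a permissive MTA to re-route a message:
# "%" (percent hack), "!" (UUCP bang path), "@" and ":" (source route).
ROUTING_CHARS = set("%!@:")


def firewall_accepts(rcpt, pattern=FIREWALL_RCPT_PATTERN):
    """Model of the firewall check: only the tail of the address is constrained."""
    return fnmatchcase(rcpt.strip().strip("<>").lower(), pattern.lower())


def split_address(rcpt):
    """Split on the LAST '@' so everything left of it is the local part."""
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower().rstrip(".")


def mta_decision(rcpt, local_domains=LOCAL_DOMAINS):
    """Decision a non-relaying mail server should reach for one RCPT TO value."""
    parts = split_address(rcpt)
    if parts is None:
        return "reject: malformed address"
    local, domain = parts
    if domain not in local_domains:
        return "reject: relaying denied"
    if ROUTING_CHARS & set(local):
        # Treat the local part literally; never rewrite user%host into user@host.
        return "reject: routing characters in local part"
    return "accept: local domain, user lookup next"


def audit(recipients):
    """Return (recipient, firewall_accepts, mta_decision) for each recipient."""
    return [(r, firewall_accepts(r), mta_decision(r)) for r in recipients]


# Constructed sample recipients; the last-but-one is the recipient from the
# transcript quoted in the thread.
SAMPLE_RCPTS = [
    "alice@breakwater.net",
    "fred%hotmail.com@breakwater.net",
    "hotmail.com!fred@breakwater.net",
    "@breakwater.net:fred@hotmail.com",
    "vf^hnhj#$bg()@breakwater.net",
    "fred@hotmail.com",
]

if __name__ == "__main__":
    for rcpt, fw_ok, decision in audit(SAMPLE_RCPTS):
        print(f"{rcpt:36} firewall={'pass' if fw_ok else 'drop'}  mta={decision}")
```

Run against real recipients pulled from a mail server's SMTP log, the rows to look at are those where the firewall passes and the MTA decision is a reject.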
[FW-1] off-topic, live environment move
Hello,

I'm hoping for some advice, pointers etc. My company would like to move to a different ISP for our live web, etc, servers.. with zero downtime. We currently have a fully redundant system, with at least two devices in each point of the chain. The suggestion is we 'split' the redundant equipment and effectively have two live sites until we can close the original site. We can then build back the redundancy. I would appreciate anything people could suggest, as the idea scares the hell outta me (and they've put me in charge, dammit!)

all my thanks
rich :)

Richard Marshall
Network Systems Analyst
NetDoktor
Tel: + 44 20 7681 8470
Mobile: + 44 7980 865 306
MSN Messenger: [EMAIL PROTECTED]
E-mail: [EMAIL PROTECTED]
http://www.netdoktor.com
Re: [FW-1] where to download the gui clients?
I run Log Viewer version 41862 (SP4) without DNS resolution for weeks, the only action I have to do is to click the Down arrow icon (Edit/Go to bottom in the menu) so it goes to the end of the log file on Monday morning because at midnight I have a scheduled job to switch the log file and until I use that option it remains on the last entries of the Sunday night and I run it on a WIN92SE client not even NT

At 07:38 2001-10-25 +0100, Roelandts, Guy wrote:

Peter,

Have you turned off the dns resolution? We have a console that is open day and night since weeks without problems, it shows both the log viewer, the policy editor and the system status

Met vriendelijke groeten - Bien à vous - Kind regards
Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSA CCSE
Compaq Software Engineer - Belgium
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65

-Original Message-
From: Peter G. Viscarola [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 10:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] where to download the gui clients?

> build 41710 etc. where to download upgrades? (the log viewer hangs on my machine after a while..)

I'm running V4.1 of the log view, build 41813... It's ALWAYS hung after a while. See the Checkpoint folks are better at writing firewall code than GUIs...

Peter

Yves Belle-Isle V.P. VE2YBI YB17
Email: [EMAIL PROTECTED]
Systems Manager
Tel: (819) 379-3446
Sogi Informatique Ltee.
Fax: (819) 379-3449
[FW-1] Vac debug
Hi, Is there a diagnostic or debug utility for Vpn accelerator Card, other than bcmdiag on Solaris? How can I see the effect of Accelerator Card to Vpn process? Regards. -- Ihsan Cakmakli YKT Tel: 90.262.6472861 Gsm: 90.532.4617704 (sb) Fax: 90.262.6471711 [EMAIL PROTECTED]
Re: [FW-1] Firewall Errors
I had the same problem, W2K SP2, Check Point SP5, suddenly lose all connectivity. One thing I did do was turn off SynDefender completely. I haven't had the problem in a while, but I am not completely sure that is the solution. The one time I did have it, I unplugged one of the Cat5 cables from the back of FW. FW-1 gets really flaky if you unplug your Ethernet while it is running for any reason. In the same vein, check for duplexing and speed to make sure it matches with the hub or switch you are connecting to.

To everyone having the same issue: Are you running SynDefender? Is that the common link?
Re: [FW-1] how to capture huge fw logs
Don't log everything. Turn off logging for the high utilization but safe traffic (such as outgoing http or smtp). Log stuff potentially critical but not as common like access attempts to internal servers on wrong ports.

Hal

-Original Message-
From: Chua Yew Gin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 8:17 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] how to capture huge fw logs

Hi, my cp fw generates 1gig of log each day due to the huge user traffic and I have problems capturing those logs without compromising the utilization of the cpu. Any help will be much appreciated. Thanks.
Re: [FW-1] AIX 5.1
I thought it had some new features like:
1.) The ability for the default gateway to monitor itself and switch to a new one if in trouble.
2.) The ability to have a default gateway per interface
3.) Finally a 64bit kernel
and a lot of others...

I should get my copy of 5.1 pretty soon. I will do some testing

Thanks,
Matt Duval
HealthTrans
www.healthtrans.com
Transforming Healthcare, One Transaction At A Time

-Original Message-
From: Firewall-1 (Joe Voisin) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 6:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] AIX 5.1

I'm holding off on upgrading to AIX 5.1 until checkpoint can say that it's going to work. ;) Right now, I think that 4.3.3 is the latest release that is supported.. At least officially supported. I have FW1 running on a couple of RS/6000 B50s running AIX 4.3.3_09. No real reason to upgrade if it's not broken or if there aren't any real huge benefits.

joe

Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436

-Original Message-
From: Matt T. Duval [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 6:31 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] AIX 5.1

Anyone done, seen, heard about this?

Thanks,
Matt Duval
HealthTrans
www.healthtrans.com
Transforming Healthcare, One Transaction At A Time
Re: [FW-1] nokia serial port configuration
8-N-1, 9600

On Thu, 25 Oct 2001, K wrote:

Hi all, Can't find manual for Nokia 440, what terminal settings do I use with appliance?
[FW-1] port 0
Hello:

We are using Checkpoint firewall 4.1 sp3. In the firewall-1 connection table I see entries in the form of

Src_IP          Src_Prt  Dst_IP         Dst_Prt  IP_prot  Kbuf  Type   Flags  Timeout
192.11.222.169  38061    155.33.17.101  0        17       0     16386  0300   15/40

Why do I have an entry in the table for a destination port of 0? My impression was that the firewall will drop any destination port 0 packets. Any info will be appreciated.

Thanks
NAvid
Re: [FW-1] nokia serial port configuration
vt100 emulation
9600 baud
8 bits
no parity

-Steve

-Original Message-
From: K [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 9:57 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] nokia serial port configuration

Hi all, Can't find manual for Nokia 440, what terminal settings do I use with appliance?
Re: [FW-1] Topology issue
On Thu, 25 Oct 2001, FireWall-1 (Layer-0) wrote:

> After trying several options, I tried the following rule at the top of the rulebase: Any-Firewall-(Port 256)-Accept and voilà! it works.

They probably disabled 'Accept FW1 Connections' in Policy Properties.

> My question is: a) should this rule be necessary?

Tighter security for the firewalls, deny that which is not explicitly allowed. I think that answers (and/or negates) all your questions.

> b) is this a known issue with SP1, or is it unique to this site?
> c) not being able to see any reason for this, why is it necessary?

Chipper

--
Please encrypt anything important. PGP Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=getsearch=0x6CFA486D
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety - Benjamin Franklin
[FW-1] 4.1 and Lotus Notes issues
I'm using FW 4.1 with SP 5 on W2k and have had more than my share of problems. I now managed to get Static NAT to work for one IP address but not for another. The one that works is a NT 4 IIS 3.0 Web Server and the one that doesn't is a Lotus Domino Server on W2K running our Web Site and also functions as our external E-mail server. Has anyone had problems relating to Lotus and NAT? Any help would be appreciated.

Wade Sellers
Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1) HELP!!!!!!!!!
I had the same problem. The fix was to stop relaying on the Exchange server.
Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1) HELP!!!!!!!!!
In 5.5 you can disable mail relay. I don't recall exactly which tab, but it's in the properties sheet of the IMC. Also look for 550 error messages.

--- John Tanouye [EMAIL PROTECTED] wrote:

I'm wondering if our mail servers are being exploited in the same way. Is there any way to tell if our Exchange 5.5 server is being used by spammers?

Thanks,
John
FW-1 4.1 NT

-----Original Message-----
From: Tim Anderson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 7:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

What type of mail relay are you using? If it is Exchange you can refuse relaying very easily except for appropriate inbound mail. I am sure Sendmail has similar features.

Tim Anderson

-----Original Message-----
From: Reed Mohn, Anders [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 3:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

Sorry for pointing out the obvious here, but: The best way is, of course, to fix the mailserver. One day, someone will find a loophole through the firewall, and you will be up that creek again.

Cheers,
Anders :)

-----Original Message-----
From: Timothy K. Cornelius [mailto:[EMAIL PROTECTED]]
Sent: 23. oktober 2001 23:27
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

At this time our internet mailserver (behind the FW-1) has been designated as an open relay mailserver and has been blacklisted by several spam blocker websites (www.orbz.org is one of them). After reading up on how to stop this at the firewall I added two rules on the firewall with services w/resources. The resource (SMTP-our-mail-only-in) is SMTP and the match is coming in the sender is * and the recipient is *loi.org. The other is going out, the resource (SMTP-our-mail-only-out) is SMTP and the match is sender is *loi.org and the recipient is *.

I have also created a rule below these two that denies any mail service plus 2 services with resources (SMTP-openrelay-in and SMTP-openrelay-out); these are the same as the first two. Is this not the correct way to handle stopping an open relay mailserver or is there a better way? PLEASE HELP ME ASAP!!! Our mail services are just about non-existent, except my Firewall email groups.

1 Source: any Dest.: mailserver Service: SMTP-our-mail-only-in Action: accept
2 Source: mailserver Dest: any Service: SMTP-our-mail-only-out Action: accept

Thanks in advance,
Tim

--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.286 / Virus Database: 152 - Release Date: 10/9/2001

D. Cupit
MCSE, CCNA, CNE, A+
Integrity Integration
516.566.8270 MTM; [EMAIL PROTECTED]
307 7th Ave. Ste. 903 New York, N.Y. 10001

=== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ===
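An added example, not part of any post in this thread: a simplified Python model of the rule base Timothy describes, comparing the sender/recipient patterns as posted with patterns anchored at the "@". First-match evaluation with shell-style wildcards is an assumption here, not Check Point's matching engine, and the host labels, envelopes and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Rule = (source, destination, sender pattern, recipient pattern, action).
# Constructed from the post; host labels "internet"/"mailserver" are assumptions.
RULES_AS_POSTED = [
    ("any", "mailserver", "*", "*loi.org", "accept"),  # SMTP-our-mail-only-in
    ("mailserver", "any", "*loi.org", "*", "accept"),  # SMTP-our-mail-only-out
    ("any", "any", "*", "*", "drop"),                  # deny rule below them
]
# Same rule base with the domain patterns anchored at the "@".
# Subdomain addresses (user@mail.loi.org) would need their own pattern.
RULES_TIGHTENED = [
    ("any", "mailserver", "*", "*@loi.org", "accept"),
    ("mailserver", "any", "*@loi.org", "*", "accept"),
    ("any", "any", "*", "*", "drop"),
]

def host_matches(rule_host, host):
    return rule_host == "any" or rule_host == host

def evaluate(rules, src, dst, sender, rcpt):
    """Return the action of the first rule matching this SMTP envelope."""
    for r_src, r_dst, r_from, r_to, action in rules:
        if (host_matches(r_src, src) and host_matches(r_dst, dst)
                and fnmatchcase(sender.lower(), r_from)
                and fnmatchcase(rcpt.lower(), r_to)):
            return action
    return "drop"  # nothing matched: treat as dropped

def inbound_relay_gaps(rules, envelopes, own_domain="loi.org"):
    """Recipients outside own_domain that the rules still let in from outside."""
    gaps = []
    for sender, rcpt in envelopes:
        foreign = rcpt.lower().rsplit("@", 1)[-1] != own_domain
        if foreign and evaluate(rules, "internet", "mailserver", sender, rcpt) == "accept":
            gaps.append(rcpt)
    return gaps

# Constructed envelopes (sender, recipient) arriving from the Internet.
SAMPLES = [
    ("a@example.net", "tim@loi.org"),    # normal inbound mail
    ("a@example.net", "b@example.com"),  # relay request, foreign recipient
    ("a@example.net", "b@not-loi.org"),  # foreign domain that ends in "loi.org"
]

if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("tightened", RULES_TIGHTENED)):
        print(name, "->", inbound_relay_gaps(rules, SAMPLES))
```

Either way, the firewall patterns only filter what reaches the mail server; the relay setting on the server itself is what the replies in this thread point to as the actual fix.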
Re: [FW-1] Firewall Errors
My win2k box has two Intel server adapters: an onboard Intel 8255x-based PCI Ethernet Adapter (10/100) and an Intel(R) PRO/100+ Dual Port Server Adapter. No DMZ in this office.

It appears that the only similarity between our boxes is the OS, SP level and the checkpoint software. I don't have to reboot to fix my problem, however. Most of the time I get an alert on my pager and by the time I log on to the server, connectivity is restored.

I have a couple of theories:

1. Win2K and CP2K really don't play well together -- obviously the remedy to this would be to upgrade the CP install to NG
2. CP 4.0 and CP2K IKE encryption methods are different and thus sometimes a communication failure occurs on VPNs between these dissimilar boxes.

I have a question for you, though, Laz. When your 2K box cannot reach your 4.0 (NT version) main office, can it reach the other remote offices that are running 2K? I am prepared to upgrade my NT 4.0 CP4.0 box to CP2K, but not until I hear that it's more stable than the platform I'm running on. I've never had a problem with that firewall in the time I've been running it.

Do you see any errors in the info field of your fw log when this occurs? I still see encrypt and decrypt. It appears that only tcp packets are affected. udp packets pass fine on both ends. Just tcp packets die on the remote end, and just the decrypt stage on the remote server. Packets just never return. Traceroutes on both fw's play out fine during this time. My main office can access resources at my remote office, but not vice versa, although packets are clearly seen to be passed successfully on both ends.

CF

Christopher A. Ferraro
Systems Engineer
Hubbard One
312.939.5000 x269
mobile: 312.286.8466
www.hubbardone.com

-----Original Message-----
From: Rodriguez, Laz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 11:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

On my end it is always the Win2k (Win2k sp2 with cp 4.1 sp4). A reboot is the only way to fix this issue. It seems that just us two are having this problem, nobody else is!

I am using the
3c905C for the DMZ
Compaq Netelligent 10/100TX PCI for the External Net
3Com EtherLink 10/100 PCI TX NIC (3C905B-TX) for the internal net

What do you have?

Laz

-----Original Message-----
From: Christopher Ferraro [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 9:27 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

I had this happen to me last night. No fw changes on either end of the VPN and my remote office (the side with the Win2K, CP2K) loses all connectivity to the main office. Meanwhile the main office can still access everything on their network.

What SPs are you all running on your fw's? I've got SP5 on my 4.0 firewall and SP3 on my 2K firewall. Also, which end of your VPN loses connectivity? For our setup, it is always the 2K side and never the 4.0 side.

To fix the problem last night I:

1. reinstalled the policy on both ends -- no result
2. changed the shared secret -- no result
3. rebooted the remote firewall -- connectivity restored 5 minutes post reboot.

Hopefully together, we can nail down what's causing the issue and fix it.

CF

Christopher A. Ferraro
Systems Engineer
Hubbard One
312.939.5000 x269
mobile: 312.286.8466
www.hubbardone.com

-----Original Message-----
From: Rodriguez, Laz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 8:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

I get the same problem from time to time. I lose all connectivity and need to reboot!

-----Original Message-----
From: Jerris, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 5:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

Still have not, although it seems to be working we have had some intermittent problems with losing all connectivity... Not sure if it is related.

Mike

-----Original Message-----
From: Rodriguez, Laz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 9:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

How did you fix the problem?

-----Original Message-----
From: Jerris, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 3:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Firewall Errors

Had the problem on 2 different machines with different NICs all using standard win2k drivers.

-----Original Message-----
From:
Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!!!!!!!!!
Telnet to mail-abuse.net from the mail server and it will do some testing for you. :) It will do 19 tests to see if it will accept a relayed message... Give it a try. ;)

<humor attempt>
You can also go to orbz.org and report yourself.. this will queue a test to occur on your mail server.. the problem with doing this is that if it does relay, you will get blacklisted. ;) Sorta like Russian roulette.. hehe Do you feel lucky? Well do you? Punk!
</humor attempt>

==
Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
==

-----Original Message-----
From: John Tanouye [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 12:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

I'm wondering if our mail servers are being exploited in the same way. Is there any way to tell if our Exchange 5.5 server is being used by spammers?

Thanks,
John
FW-1 4.1 NT

-----Original Message-----
From: Tim Anderson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 7:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

What type of mail relay are you using? If it is Exchange you can refuse relaying very easily except for appropriate inbound mail. I am sure Sendmail has similar features.

Tim Anderson

-----Original Message-----
From: Reed Mohn, Anders [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 3:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

Sorry for pointing out the obvious here, but: The best way is, of course, to fix the mailserver. One day, someone will find a loophole through the firewall, and you will be up that creek again.

Cheers,
Anders :)

-----Original Message-----
From: Timothy K. Cornelius [mailto:[EMAIL PROTECTED]]
Sent: 23. oktober 2001 23:27
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Spam blacklist...How to stop open relays at the firewall(FW-1 ) HELP!

At this time our internet mailserver (behind the FW-1) has been designated as an open relay mailserver and has been blacklisted by several spam blocker websites (www.orbz.org is one of them). After reading up on how to stop this at the firewall I added two rules on the firewall with services w/resources. The resource (SMTP-our-mail-only-in) is SMTP and the match is coming in the sender is * and the recipient is *loi.org. The other is going out, the resource (SMTP-our-mail-only-out) is SMTP and the match is sender is *loi.org and the recipient is *.

I have also created a rule below these two that denies any mail service plus 2 services with resources (SMTP-openrelay-in and SMTP-openrelay-out); these are the same as the first two. Is this not the correct way to handle stopping an open relay mailserver or is there a better way? PLEASE HELP ME ASAP!!! Our mail services are just about non-existent, except my Firewall email groups.

1 Source: any Dest.: mailserver Service: SMTP-our-mail-only-in Action: accept
2 Source: mailserver Dest: any Service: SMTP-our-mail-only-out Action: accept

Thanks in advance,
Tim

--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.286 / Virus Database: 152 - Release Date: 10/9/2001

=== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ===