Dear Rajesh,
Sorry for the typo. The keyword 'recipient_email' is NOT required.
Regards,
Toby
Toby Chan [ITS] wrote:
Dear Rajesh,
I don't think the keyword 'recipient_email' is not required. Also, plz
make sure machine 192.168.1.51 is accepting e-mails.
Syntax:
internal_sendmail [-s subject] -t
We have TCP start 25 sec, TCP session default 3600sec and TCP End timeout
20sec. I was thinking on increasing
TCP start timeout to 300sec. The error flag is during PUSH-ACK
Apart from global properties, is there any other way by which I can configure
these settings for a specific firewall.
Hi cisco4ng,
I've got the same error in the past ...
setting ike_use_largest_possible_subnet is not working in FP3 !!
I think it's a BUG !!
migrate to NG AI or use a workaround
putting the super net 192.168.0.0/23 in the encryption domain (on both
vpn endpoints)
will work.
regards,
bernd
I finally got it to work between a NG FP3 HFA325 and Cisco VPN Concentrator
WITHOUT using the workaround (192.168.0.0/23). I had a typo in the user.def
file. The correct syntax is:
max_subnet_for_range = {
192.168.0.0, 192.168.0.255; 255.255.255.0,
192.168.1.0, 192.168.1.255; 255.255.255.0
};
It looks like the VPN tunnel does not do what I want. The VPN worked fine if
for example I pinged the internal net. But if I tried to reach the
internet, the packets were sent in clear. And I realize now, that it may
give problems with VPNs coming from the internet.
I think I have to check again
Now it makes sense, Anurag. According to this latest information, I expect
that you are seeing TCP packet Out of state drops right at the very start
of the session, right? The start timeout of 60 secs covers normal three way
handshake - syn, syn+ack and an ack plus a data packet from the server
Hi,
For replacing our VPN we have chosen for secure client, because there is
software that does some checks (are patches installed, virus up to date
...) on the remote computer. I have lost the site of this software, I found
it after a half days searching on the internet.
Is there someone on this
Hi all,
We have a large number of systems which are updating the Group Policy
fine (because they were built on the same network as the FW-1)
however, when we do a completely new install of the operating system,
it will *not* download the Group Policy initially - It may appear that
the Group
Good evening,
I'm having this problem once again, and even if at first I thought it
just filled my event manager, it causes me some troubles by the way.
I've been looking for a fix for this problem but I just can't find it.
Could one of you show me the way?
By the way you asked me if I had an
I will show a workaround for the license problem, not sure if it is legal and
violate checkpoint
licensing agreement:
Scenario: you said that your firewall has 3 interfaces: External, Internal
and DMZ correct?
1) Place a cisco router between your LAN users and the checkpoint LAN
interface,
FCS refers to First Customer Shipment.
And most likely you can manage HFA-414 with a HFA-412 management.
I have several firewalls with higher HFA's than our management and
I have no problems with it.
Regards,
Torkel
-Original Message-
From: Fire Wall [mailto:[EMAIL PROTECTED]
Sent:
Does this firewall have an Express License ? Look at the output of the
fw lichosts to try and pinpoint the problem. Do connections come
directly to the DMZ and not through the external interface of the
firewall ?
On Wed, 2 Mar 2005 19:22:54 +0100, Chanoine [EMAIL PROTECTED] wrote:
Good
R55 (FHA_09) on SPLAT
We've created a security server for smtp with the following:
RESOURCE:smtp:MATCH:
Sender: *
Recipient: [EMAIL PROTECTED],www}.moody.edu
Result: connection, however, dies on HELO ( or EHLO ):
[EMAIL PROTECTED] ~]$ telnet www.moody.edu 25
Trying 66.185.255.225...
Connected
I have provider-1 NG Feature Pack 3 with HFA-325 managing Enforcement module NG
Feature Pack with HFA-326 just fine.
I also have Provider-1 NG with AI R55W HFA-00 managing Enforcement module NG
with AI R55W HFA-02 without any issues (as of yet).
Regards,
Torkel Mathisen [EMAIL PROTECTED] wrote:
Hello guru's,
I'm having a problem with my NG AI R55 install. I'm seeing the
following error.
Number: 306360
Date: 2Mar2005
Time: 14:09:59
Product:VPN-1 FireWall-1
Interface: daemon
Origin: dcedfw01 (x.x.x.x)
Type:
I see this too when a network has a DHCP scope that is larger than the
limited license, or a WAN is connected and the remote IP's are seen by
FW-1, or you are doing server sided static NAT..which causes the natted
IP to be seen as the source on the internal interface.
When you do an fw lichosts
Group Policy for what, your maintenance department?
---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Hi,
I'm relatively new to the list but have been reading some excellent
posts over the last couple of months.
I thought I'd share a situation I'm having with a client which is
probably more political than it is technical.
I'd be grateful if anyone could shed some light on this situation.
Client
Erik Widholm wrote:
R55 (FHA_09) on SPLAT
We've created a security server for smtp with the following:
RESOURCE:smtp:MATCH:
Sender: *
Recipient: [EMAIL PROTECTED],www}.moody.edu
Result: connection, however, dies on HELO ( or EHLO ):
[EMAIL PROTECTED] ~]$ telnet www.moody.edu 25
Trying
Hi,
I'm with you!
80 CMAs must be the hell of doing this!
Maybe there is another way.
When I changed from Provider-1 4.1 to NG there was the possibility to
run both versions
at the same time.
So I migrated the CMAs step by step without interrupting the daily work.
But I don't know, if that will
That does work and in the 4.1 days was just about the only option. If
you don't need to route between two of the interfaces you can mark two
as external. That is the reason I was asking questions about the DMZ
interface. If you don't need to route between them then you don't have
to spend any more
I would like to build a super SPLAT box. This box will
have 4GB of RAM on it with RAID 1 80GB disk storage.
This super SPLAT box will be managed by my provider-1
NG with AI R55W. This box will be a VPN hubs to about
40 remote VPN devices (mainly Cisco Pix and VPN
Concentrators) and remote access
Hello gurus,
Anyone who knows how to export the security policy into a format xls ?
Regards
Edouard
hi,
At 20:18 02.03.2005, you wrote:
Hello guru's,
I'm having a problem with my NG AI R55 install. I'm seeing the
following error.
[...]
Source Port:2013
Information:reason: Web security: HTTP method 'CCM_POST' is not
allowed.
For more details on HTTP
Just curious
MSN is now tunneling over port 80 and without smartdefense how are
others blocking msn.
I've blocked just about every known msn, webmessenger, msn2go site
there is but still see that users are using this still.
Any insight would be great.
At 00:46 03.03.2005, you wrote:
Hello gurus,
Anyone who knows how to export the security policy into a format xls ?
interesting thing that you need ...
I'd export the policy to html and AFAIK excel can read html ...
cheers
reinhard
Regards
Edouard
I have the following scenario:
1) upstream Cisco router External (ethernet0) interface has
public IP of 129.174.1.13
2) upstream cisco router Internal (ethernet 1) interface has
private IP of 192.168.1.2/24
3) Checkpoint firewall External interface has ip address 192.168.1.1/24
4) Checkpoint
Mine's a little different. My internal device accepts SecuRemote traffic
from the Internet which is passed through the R55 gateway and terminates on
the IP120. The SecuRemote client is accessing a server behind the IP120 using
pcAnywhere.
What exactly are you trying to accomplish? The people behind
Resolve messenger.hotmail.com to 172.16.3.3 or some other non-existent
address. I have this entry in my proxy server's HOSTS file and it works
great because all DNS requests for clients are resolved by the proxy on
behalf of the client.
Ray
From: Eric Danso [EMAIL PROTECTED]
Reply-To: Mailing list
Thank you very much Toby. How can we test the alert configuration?
Rajesh.
Dear Rajesh,
I don't think the keyword 'recipient_email' is not required. Also, plz
make sure machine 192.168.1.51 is accepting e-mails.
Syntax:
internal_sendmail [-s subject] -t mailserver [-f sender_email]
Block MSN Authenticate server.
Regards,
- Original Message -
From: Eric Danso [EMAIL PROTECTED]
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Wednesday, March 02, 2005 6:39 PM
Subject: [FW-1] MSN blocking
Just curious
MSN is now tunneling over port 80 and without smartdefense how
Rajesh,
It seems there's no way to trigger a testing alert (would anyone correct
me if I'm wrong?). But you can setup a testing rule in your security
policy and track it with your newly defined alert.
Toby
Rajesh wrote:
Thank you very much Toby. How can we test the alert configuration?
Rajesh.
To me this seems pretty light on the drive space, especially with 40
remotes. We use all HP gear, 148 Gig x 15000 rpm drives. Is the 80 Gig the
best Dell offers?
-Original Message-
From: cisco4ng [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 02, 2005 6:16 PM
To:
That would be nice but what about legitimate traffic that needs to be
allowed to get there for certain users.??
On Wed, 2 Mar 2005 20:25:54 -0600, Neeraj Jha [EMAIL PROTECTED] wrote:
Block MSN Authenticate server.
Regards,
- Original Message -
From: Eric Danso [EMAIL PROTECTED]
Hi
Use a CPXP-SC3-50-NG on first module - this protects up to 50 devices
behind FW and includes management licence
Use a CPXP-HVPX-50-NG on the second module - this is a gateway licence
for HA
If you need more devices protected just increase the licence count
Easy!
-Original Message-
Allow all Legitimate User to traffic then block everyone. I think by
checkpoint firewall it is very easy to do that.
- Original Message -
From: Eric Danso [EMAIL PROTECTED]
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Wednesday, March 02, 2005 10:39 PM
Subject: Re: [FW-1] MSN