Does FW-1 support gigabit throughput?
Not on a single firewall module. That level of throughput will require a
firewall farm surrounded by L4 switches. The last implementation I saw for
handling gigabit ethernet took IIRC 15-16 Solaris boxes.
greg
--
Greg Hennessy
E-Security Mechanic
We're trying to get Sql*net through a FW-1, version 4.0. We have received
information from Oracle saying:
1. Basic SQL*Net communication:
Communication between a client application (Enterprise Manager
console, one of the DBA applications, etc...) and the target
database is being
Jim,
Try disabling SYN Defender for test in the options
tab.
Then reenable it and try different time outs, and
passive/gateway options ...
Let us know what you find, and raise a ticket with
your MS support, and maybe FW1.
I am having similar (non-justified) issues, and I
wonder where it comes
I have a squid cache in a DMZ off a pair of Nokia IP440s in HA mode and
have noticed extensive log entries. The Squid box is NATed both
internally and externally and is set to proxy http on port 8080. In the
logs I notice that a request for a page from a particular machine might
consist of 20 or
Good Day
I am trying to allow outbound FTP on one of our FW-1 modules on port 7270.
This is required as part of an existing interbank data transfer (so I have
no control over the port).
I have followed the advice on Phoneboy's site, but still cannot get the
connection to work. It appears that
Hello,
This problem is an emergency
A-translated1 is different from A-translated2
A is internal, B and C are external
Rules in Security Policy:
source destination
B ---A-translated1
A ---C
C
Yes, you can change inspection from INBOUND to OUTBOUND, and the inspection
will be done as the packet leaves the external interface.
You can also choose to do eitherbound, which inspects both times, but I
have seen very little "real world" applicability for this.
Don't get confused by
You would prefer a Nokia solution in any situation
where cost, stability, reliability, ease of
configuration, management and security are a
consideration.
--- "Mayne, Peter" [EMAIL PROTECTED] wrote:
Assume I want to install a highly available
firewall. The two options under
consideration
How would this be done? Thanks.
Bob
From: Jonah Kowall [EMAIL PROTECTED]
To: "'Bob Bisignani'" [EMAIL PROTECTED],
"'[EMAIL PROTECTED]'"
[EMAIL PROTECTED]
Subject: RE: [FW1] MS Proxy Server and VPN-1
Date: Thu, 8 Jun 2000 13:47:55 -0400
Microsoft proxy server is not a firewall,
For HA mode you need to publish proxy arps using the "virtual" mac
address which is:
00:00:5E:00:01:xx where xx is the virtual router ID of the relevant
interface in hex format.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Jerald Josephs
Sent:
I am having the same type of problem, running FW-1 v4.0 SP5. I have tested
with the SMTP Resource not referencing our CVP Server at all, and configured
to allow all traffic, and still see the same results. My issue is
definitely the FW-1, not our content scanner. I've got an open ticket with
Hi!
I have:
'NT4.0'+'SP6'+17hotfixes,
'Firewall-1 v4.1'+'FW_SP1'+'fw1-patch-41603'.
FTP-Security Server.
I see:
REST 64386
502 Security server inhibited REST command
:-((
Help me, pls!
Best regards,
Igor Miturin
Complex Microsoft Windows NT4.0 PostSP6Hotfix
A few thoughts/questions:
1) are you running any sort of HA? StoneBeat? Rainwall? etc...
2) are you 100% sure that those servers are online that the mail is trying
to connect to?
3) in log viewer all the way to the right, what does the error message say?
Thanks,
john.
-Original
Mark,
Can you supply us with a little more info? What FW
ver (appears to be v4.0)? What service pack?
What does your log say is happening? PASV?
Based on your stated confusion with Dameon's
documentation, did you add the actual port
number, or did you enter 'desired_port'?
Robert
- -
Robert P.
Hi Harpal
Ok, but what about the throughput? Do you know the maximum throughput
that fw-1 supports? Do you have HEAVY traffic, and does fw-1 support it?
Joaquim
Hi Joaquim
We currently have a sun box running firewall 1 with two gigabit
interfaces.
We have not had any problems with it.
1) Nope.
2) Yup.
3) Various:
mail dequeuer;internaluser1@us;externaluser@them;Connection to
Final-MTA failed;internaluser1@us;externaluser@them;
mail dequeuer;externaluser@them;internaluser2@us;rcpt to:
internaluser2@us failed: 550 internaluser2@us... User
Are they your servers and are they natted?
-Original Message-
From: Scheidel, Greg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 13, 2000 8:43 AM
To: 'John Stevenson'; [EMAIL PROTECTED]
Subject: RE: [FW1] reject smtp msgs
1) Nope.
2) Yup.
3) Various:
mail
Hi Gregory,
did you switch on the spoofing protection on your fw interfaces? If yes,
you have to include the public and private addresses in the number of
allowed addresses on the interface of the segment which is connected to the
web-server.
If this is not your problem, it would be nice to see the
When I install the SP5 over FW-1 4.0 build
4031 no-vpn, the SP5 hangs with the message:
---
An error occurred during the move data process:
-132
component:
file group:
file:
---
Does anybody know what kind of problem
this is?
Thanks,
Flavio
Hi
This is a Ver 4.0 SP6 installation.
I currently have it set up with the service defined as type other, with a
match field of "tcp, dport=7270"
The base.def mods are as follows:
set sr10 D, dst = S or set sr10 20, \
record src,port,dst,sr10,ip_p; ... in connections \
FTP_TRACK_DATA_CONN
According to Chad Graham:
If you are using a host file try adding:
172.11.123.45 foo foo.mycompany.com
You don't mention the 'os', but this will help determine the qualified
host name on a Solaris box.
Hi Chad,
the platform indeed is Solaris and the /etc/hosts looks exactly
Hi all:
I am trying to close a relay hole but I am having one problem.
The customer requires their users to be able to use POP-3 from wherever...
so, limiting the smtp-resource to recipient *@mydomain.com will not work.
Does anybody have any ideas to close a relay and still allow pop and imap
Hi:
Is there any document that explains how to do these?
Thanks
Arturo Nunez
Oh my god...
6.8% actual message..
93.2% legalese...
You must work for lawyers right? :-)
--
The early bird gets the worm, but the second mouse gets the cheese..
Trevor Paquette |ATT Canada |Work:(403)705-6390
[EMAIL PROTECTED]|600, 205 5th Ave SW | Fax:(403)705-9601
You do this when your new licence doesn't include support for the level
of encryption that was originally installed. I had a similar problem
having moved from a fully functional eval licence to a permanent one
with less encryption.
Declan
-Original Message-
From: [EMAIL PROTECTED]
Hello,
This problem is an emergency
A-translated1 is different from A-translated2
A is internal, B and C are external
Rules in Security Policy:
source destination
B ---A-translated1
A ---C
Hello,
We have 2 firewalls and 2 management servers. We upgraded one of the
firewall/management server pair to SP4. The other is at SP1.. The GUI for
SP4 is a bit different... My question:
Is it bad to use an updated SP4 GUI when using an SP1 management server to
blow down policies?
Thanks..
I'm seeing the same thing. My TCP timeout is way up there in thousands of
seconds. The SYN defender timeout is 60 seconds.
Database access between firewall segments fails.
Can SYN defender be turned on for only one interface?
Frank
On Tue, 13 Jun 2000, Cisco Wave wrote:
I thought about
Websites: Do an Internet search for "BGP" or "BGP4".
Books: The only brief book (137 pages) I have found on this subject is
"BGP4: Inter-Domain Routing in the Internet" by John W. Stewart III (ISBN:
0-201-37951-1).
Consider yourself lucky if you only need 100% uptime during business hours
Has anyone had problems with the sendmail.exe that comes with the
management module for NT? When I try mailing from the command line it
just hangs (though it shows as working in task manager). The syntax is
correct, since I used the Phoneboy article on it. The mail server is
simply sendmail
You need to run bgp on the outside routers with HSRP as a virtual gateway.
-Original Message-
From: Really Boring [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 13, 2000 11:25 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] redundant internet service providers
When I install the FW-1 SP5 over FW-1 4.0
build 4031 no-vpn, the SP5 hangs with the message:
---
An error occurred during the move data process:
-132
component:
file group:
file:
---
Does anybody know what kind of problem this is and the
solution?
Thanks,
Flavio
Does
this happen to be a Compaq server or some other server that uses a remote SNMP
service? I had a similar problem when upgrading my Compaq server with the
Compaq services installed. Tech support told me to turn off the Compaq
services and reinstall the service pack, and then the SP
Has anyone installed sp6 for fw-1? Also, what is the supported NT service
pack with fw-1 sp6? Thanks
Hi,
We have a firewall-1 4.1 installed on a WinNT4 with
3 network cards from private networks.
1st card - 192.168.201.8 and 192.168.201.8
gateway: 192.168.201.3
2nd card - 192.168.1.33 no gateway
3rd card - 192.168.202.1 no gateway
I want the firewall to redirect all the incoming
packets
Indeed
if you put off the cpq services you're relieved of the
problem
Learned this the hard way too :)
Cheers
Ronny
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Oxenreider, JeffSent: Tuesday, June 13, 2000
19:29To: 'Flavio
www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3
multippp.htm
www.cisco.com/warp/customer/cc/cisco/mkt/core/adap/multi/tech/althb_wp.htm
www.3com.com/solutions/enterprise/wansolutions/wanpapers
http://207.235.6.38/
www.atmforum.com
www.larsom.com/products
The -132 is more than likely a locked file issue. I posted this earlier. The SP
stops the service, but for some reason a file it is trying to write over is
locked.
Here is your solve...
Maybe Compaq was using a file? hmhmm?
Here's my cut and paste from another message
snip
I.
1 stop
I want a static NAT for the internal network
address because the box 192.168.202.12 is going to be a web-server connected to
F5 BigIP. Actually the whole scheme is:
INTERNET - BigIP - Firewall - web
server
- Original Message -
From:
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
- For all testing, test with an application that you can control and not
have any traffic except your tests.
- TCP Timeout default setting is 3600 secs. Try setting to that and retest;
see if it makes a difference. If it does, then it points to TCP Timeout
setting.
- Make sure you've turned
Why would an FTP control connection be allowed but not the corresponding data
connection even though the "Enable FTP PORT data connections" and the "Enable
FTP PASV data connections" buttons are checked in the properties window?
Thank you for the reply.
On Tue, 13 Jun 2000, Scheidel, Greg wrote:
- TCP Timeout default setting is 3600 secs. Try setting to that and retest;
see if it makes a difference. If it does, then it points to TCP Timeout
setting.
I've set it to 3600 and then to 7200. No change.
- Make sure
Mark,
Sorry for the delay. The 'S' 'D' should be replaced by the
port and server. Since you're most likely doing NAT (RFC1918
addressing), I'm not quite sure what should be put here. I
would _assume_ that the NAT rules would take care of it.
Are you doing static or hide NAT? I think that hide
On Jun 12, 17:53, Josh Rivel wrote:
Subject: [FW1] FTP Broken after upgrade to SP6 on Solaris
Hi.
We just upgraded our Firewall-1 machine (Solaris 2.5.1) from 4.0
to 4.0 SP6.
Since then FTP through the firewall seems to be broken. I have "Enable
FTP/PASV mode" checked under the policy
Just to add a note here:
== In any case the Firewall external interface should be a valid/routable IP address, as
that is used in encryption. Also, if this is a remote Firewall and you are managing from
a management server situated in a different geographic location, you need to access this
remote
Greetings all,
I am looking at the Nokia boxes, especially appealing is their out of the
box VRRP/sync functionality. My disclaimer is that aside from reading the
RFC, I am VRRP ignorant. A few questions come up though:
1) If a given box is master on both the inside and outside, and if
excuse my spelling in the previous message
Your point number 2 is what happens when you implement Monitored VRRP, where
if one interface goes down the whole box goes down and the other box kicks
in.
-Original Message-
From: Brandon Applegate [mailto:[EMAIL PROTECTED]]
Sent: Tuesday,
Your point number 2 is what happens when you implement Monitored VRRP, where
if one interface goes down the whole box goes down and the other box kicks in.
siddika
-Original Message-
From: Brandon Applegate [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 13, 2000 4:23 PM
To: FW-1-LIST
Yes. This is just licensing stuff for the number of
hosts behind the licensed IP.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n  F o o d  S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
Frank [EMAIL PROTECTED] 6/13/00 2:39:37 PM
Do
My apologies if this has already been discussed. I just received this
notice, among others, and would like advice on how to counter this tool, if
possible. If the answers are already in the archives, just point me in the
right direction...
(Security Wire Digest, Vol. 2, No. 22; 12 June)
are you using dhcp for all the internal clients that did not reply?
are you using dhcp for all the internal clients that did reply?
if so are your internal hosts looking to .253 or .252?
make sure they (the internal hosts) all look to .253 for their dg and set
.253's dg to be .252(.)
...you'll
I put the following in fwstart (script):
echo per http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html
$FWDIR/bin/fw ctl debug -buf
-Original Message-
From: Sterling, Chuck [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, June 13, 2000 4:32 PM
To: 'Fw-1-Mailinglist (E-mail)'
http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html
-Original Message-
From: Sterling, Chuck [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 June 2000 9:32 AM
To: 'Fw-1-Mailinglist (E-mail)'
Subject: [FW1] Jolt 2
Importance: Low
My apologies if this has already been
Hi Brendan -
are you using dhcp for all the internal clients that did not reply?
are you using dhcp for all the internal clients that did reply?
No DHCP anywhere.
those that aren't are either looking to reply via a different
(old gateway IP??) router or are oblivious to the existence of
(a
Look at the features and figure out what fits your needs. They each
have their strengths and weaknesses.. ALSO, don't rule out NFR.
Carric's Opinions:
Net Prowler: Have they released a truly distributed architecture
product (i.e. you can manage
We are looking for an effective Intrusion Detection program. We have been
introduced to ISS Intrusion Detection, Network Associates' CyberCop and
Axent's.
Any comments/suggestions about these products are much appreciated.
Ivan
vulnerabilities of extricity, webmethods and netfish
I am looking for known vulnerabilities of extricity, webmethods and netfish.
Any pointers/suggestions/comments are appreciated.
Thanks,
I have a similar problem to the one described in the Phoneboy FAQ
(copied below) except that I am talking to FW1 v4.1 (Checkpoint 2000)
with latest hotfix. I have configured FW1 to use IKE - with default
settings and the client to prefer IKE. As below I can download the
topology but the
Hi
Sorry, didn't mean to confuse. We do not do any NAT at all.
I will try with the Port and Server and see what happens.
Thanks
mark
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Robert MacDonald
Sent: Tuesday, June 13, 2000 9:17 PM
To: [EMAIL