Hi,
AFAIK for mtu-discovery ICMP Type 3 Code 4 is needed (Fragmentation needed
but DF set). If you allow "destination unreachable" inbound which is Type 3
it should work.
regards,
Axel Hoffmann
System Engineer
--
Eckmann Daten
Thanks, it works. I hope other modules, including H.A., won't need any other
package.
Regards.
Ihsan
-
On Thu, 6 Jul 2000 [EMAIL PROTECTED] wrote:
> I am looking for Core Solaris 2.7 installation of fw 4.1 on Ultra 220, 250,
> 420
Hi,
what hardware and software (Nokia vs Checkpoint) will you need to handle a
1GigE line? There's no VPN involved. Will 2, 3, ... Suns (dual CPU 450MHz
or the like) be enough?
Thomas
== PGP fingerprint B1 EE D2 39 2C 82 26 DA A5 4D E0 50 35 75 9E ED ==
Thought you got rid of all
Brian,
can't remember if I passed this info on or not, but I have got some good
support from MS people at the newsgroup microsoft.public.internet.radius
and they definitely recommend going to sp6a
cheers
deanc
> install both IAS updates from link below mcis first then sp6a
> http://www.m
I suggest you use Ghost or Drive Image to create an
image of the hard drive and save it on a server that is
backed up. In the event of disaster, you can reload the
disk image in about 15 minutes.
The process works like this with Ghost:
- you create a DOS boot floppy that can log into th
Gang,
Thanks to everyone who replied to my RADIUS question. In the interest of
summarization for all involved, basically, from the folks out here in the
list, it looks like NT "Option Pack" RADIUS will work PROVIDED you have SP4
or less on the host with Option Pack on it. If you apply Servi
I will give you my personal opinion on your questions. I personally like
the way rules are processed in the Checkpoint firewall. It starts at rule
number 1; if this rule applies to the packet, an action is taken; if this
rule does not apply, it goes to the next rule. This is very easy to
unde
Another thing to add is that if your internal users are using
Hide NAT, they would be protected from external access anyway ..
-Original Message-
From: James Edwards [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 07, 2000 12:05 AM
To: 'Sam Ghannadi'; 'fw-1-mailinglis'
Subject: RE: [FW1] N
The rules you have set should be sufficient.
The default gateway for the mail server should point to the firewall's
DMZ nic, not the internal nic.
e.g. If you have 192.168.1.x as the internal network (with 192.168.1.1 as
the internal gateway) and 192.168.2.x as the DMZ network (with 192.168.2.1
a
Norman,
Has anything been entered into the DNS for the mail server? You will most
likely need an A, PTR and MX record. Something like:
Domain. IN MX 10 smtpserver.domain.
Smtpserver.domain. IN A legal-IP-address
And for the reverse DNS lookup
Legal-ip-address.
Hi,
Can someone please tell me what rule that I have to set to enable my mail
server (Exchange Server) to send/receive mail to/from the Internet? My mail
server is in the DMZ, with a valid ip. I have set a rule that allow from any
to the mail server through smtp, and vice versa. My default gatew
Does anyone know if the Nokias support UDP Broadcast forwarding or, in Cisco
terminology, "helper addresses" for broadcast addresses?
Here's the background info. Our Nokia 650 FW has a VPN DMZ; after the
traffic is decrypted, it is routed through the FW to the internal network.
We are using
Dear All,
someone please give me their opinions
Our rule base has been left unattended for a little while... I know the ins
and outs of creating rules and stuff like that... but I was thinking of a
reorganisation.
Is it better to put all the accept rules at the top so that these are
exe
My firewall is sending pings to 149.1.1.1 on a periodic basis. The 149.1.1.1 IP
address points back to PSINet ISP. Any ideas why?
Thanks,
Jaime
Yep, can be from service providers that, when someone hits a webpage they
host, they traceroute back to you to find out your physical location, then
point you to the closest mirror of that site.
Still worth a follow up email to the originating site if the scans are
annoying you. I consider such b
Hi all,
is anyone using the ArcServ backup agent for Unix to back up Checkpoint?
Ryan V.
FinneseyNetwork Administrator @tmosphere Interactive 1375 Broadway, 11th floor New York, NY 10018 212 827 2507 phone 212 827 2525 fax [EMAIL PROTECTED]
Aren't these "scans" really traceroutes?
--- Karim Amrani <[EMAIL PROTECTED]> wrote:
> Date: Thu, 06 Jul 2000 19:20:20 +0200
> From: "Karim Amrani" <[EMAIL PROTECTED]>
> Reply-to: [EMAIL PROTECTED]
> Organization: Cogelog
> To: "Truszynski Carl G." <[EMAIL PROTECTED]>
> CC: "'Checkpoint Maillis
Hi,
our customer needs to use the service 'dcom' for some application.
This service uses dynamic assignment of ports.
Can someone help me with the definition of this service?
thanks a lot
regards
manus
I have a network admin who would like to connect via their cable modem to
our network. What would the process be for that? I looked over a few FAQs
but am unsure of the exact steps needed. Does all the VPN stuff come with or
is it downloadable from Checkpoint? Is there an extra cost? What else
I want to be able to back up the NT firewall, since it is on its own little
domain etc. I can not use regular NT permissions to give the backupexec
program access. Can I run the Backupexec agent on NT and give special
permission to ONE server to access it via IP?
Anyone have any other suggesti
I have a question about the put key command. We
recently inherited several firewalls being managed by
one management server/firewall. Two of the sites are
having timeout connections. Looking into the phoneboy
faq: Failed to Install Security Policy, it explains
that the module doesn't recognize the
On Thu, 6 Jul 2000 [EMAIL PROTECTED] wrote:
> I am looking for Core Solaris 2.7 installation of fw 4.1 on Ultra 220, 250,
> 420 and 450 platforms. I use Lance Spitzner armoring documents on Ultra-5
> and 10 and it works fine. However, on above platforms FW installation gives
> "segmentation faul
1) Take a look at the route tables on the firewall and validate
2) Any dynamic routing protocols running the firewall?
3) Do you have control ip forwarding set on the management server?
Since it seems to work fine when the firewall service is not running, why
not remove ICMP from the implied ru
We might be having an MTU discovery problem, and I remember reading about
this in the paper at: www.feelabs.com/~whitis/isp_mistakes.html
Is there a predefined FW-1 icmp service which allows ICMP "too big" messages
so that I can make sure I'm not breaking PMTU discovery???
Background info: We
Since Telnet is a tcp based service, the default timeout for TCP is 3600
seconds (60 minutes)
This is under policy/properties/tcp session timeout.
Thomas
-Original Message-
From: Scott Becker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 4:12 AM
To: [EMAIL PROTECTED]
Subjec
This works only if local users are sharing on the default ports.
Thomas Poole
-Original Message-
From: Eames, Joel E. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 12:03 PM
To: 'fw-1-mailinglis'
Subject: RE: [FW1] Napster
SOURCE - DESTINATION - SERVICE - ACTION
int
I have gotten it to work either way, but CheckPoint may not support you if
you do not license the external interface.
ie- Best Practice would be to use external.
Internal is obviously easier, especially if you may change ISPs...
Thomas Poole
-Original Message-
From: Uy, Alex [mailto:[E
As mentioned in several of the replies to your post, Nokia's HA
solution relies on VRRP, which provides failover, but not
load sharing in and of itself. You can, as mentioned, configure "static" load sharing
(i.e. one subnet uses one firewall as primary, and another
subnet use
Hello Carl,
TCG> I've recently been getting alerts from our firewall that port 33435
TCG> through 33454 are being scanned repeatedly. Does anyone know of a site that
TCG> lists ports used by Trojans and backdoors that I can use as a reference to
TCG> check these out?
this is probably j
Hi,
I am looking for Core Solaris 2.7 installation of fw 4.1 on Ultra 220, 250,
420 and 450 platforms. I use Lance Spitzner armoring documents on Ultra-5
and 10 and it works fine. However, on above platforms FW installation gives
"segmentation fault- core dumped" errors.
Regards.
Ihsan Cakmakl
Nokia's HA is VRRP (free), with a Monitored Circuit option (also free) to
cause any/all interfaces - you choose which ones - to fail over whenever
any one of them does. In my tests, it fails over in about 3 seconds, and
fails back in about 6 seconds - not long enough for anyone to really
not
I'd suggest that you get Suns and a more scalable HA product, such as,
oh, I don't know, Rainwall :-)
Nokia's VRRP solution bears some very close resemblances to the HSRP
protocol that it's descended from. It's a master/slave relationship which
requires that one box be passively listening for th
You've run out of kernel memory for the firewall state table. I'm
guessing your CPU load just went nuts too, right? Anyway,
www.phoneboy.com lists the fix for this, which is to add the line:
set fw:fwhmem=0x400
to your /etc/system file and then reboot. Actually phoneboy suggests a
small
I use this one...
http://www.simovits.com/nyheter9902.html
HTH,
Karim
"Truszynski, Carl G." wrote:
Hi all,
I've recently been getting alerts from our firewall that port 33435
through 33454 are being scanned repeatedly. Does anyone know of a site that
lists ports used by Trojans and backd
Carl,
On my site, http://www.wittys.com/files/all-ip-numbers.txt is probably
the list you're looking for. Off the top of my head, what you're seeing
is traceroute (so long as it's UDP). Hope this helps!
Jason
"Truszynski, Carl G." wrote:
>
> Hi all,
> I've recently been getting aler
The nokia platform is FreeBSD unix that is thinned out a bit. The HA option
is using VRRP. I have implemented it and it works fine.
Moving from Solaris to Nokia is not that difficult and will provide you with
a few benefits. The Nokia platform tends to be slightly easier to config
(for non-
Folks,
Any ideas why I am getting these error messages on my Solaris, sparc, IOS 2.6
FW-1 v 4.0 with 256M memory. See error message below.
excerpt from /var/adm/messages file...
Jul 6 16:40:55 mcfw unix: FW-1: fw_init_xlation_tables: fw_xlate_set_tables failed
Jul 6 16:40:55 mcfw u
Thanks for your response. I have upgraded to SP5 (Build 4094). This did
not affect the problem in any way, unfortunately. Any other ideas?
Thanks,
Tracy
Hi all,
I've recently been getting alerts from our firewall that port 33435
through 33454 are being scanned repeatedly. Does anyone know of a site that
lists ports used by Trojans and backdoors that I can use as a reference to
check these out?
==
I am currently running our Firewall (version 4.0) on a Solaris 2.6 box and am looking
to upgrade the hardware and software. Shortly after the hardware is upgraded I'll
have budget to add a high availability option.
One of our people went to a Nokia sales presentation and said that we don't
Check Point is usually pretty good about backwards compatibility, but
I've never seen a software manufacturer do forwards compatibility.
Check Point would definitely say that your management console must be
the most current - regardless of authentication, modules change, object
formats might
Can someone please point me to the release notes
for 4.1? I am having trouble locating them on Checkpoint's
site. Also any whitepapers on migration/upgrade issues
and procedures, if available.
TIA
Hal
Hal Dorsman
Data Network Engineer
Blackfoot Telephone Cooperative
Missoula, Montana, USA
[EM
If you have your firewall set up like most people, you have already done it.
Most people are very careful about what they let in, only allowing certain
services to certain machines and blocking everything else coming in. If
this is the case, you have already blocked an external person from acces
I've successfully created a directory under /opt/maintenance and put
in a shell script doing some logswitch-stuff. Rebooting doesn't
affect these (IPSO 3.1.4 and also 3.2).
Nokia's installed ftp tool knows about .netrc, which could contain
any macros
I'd like to see what was fixed / changes / broken.
Thanks,
Joel Eames
--
Texas Children's Hospital
Information Services
Data Security Analyst
--
(713) 770-4441
> -Original Message-
> From: Eames, Joel E.
> Sent: Thursday, July
As I said above in my first append, I have tried with 2 IP addresses in
195.x.x.x and the firewall log shows me the good client IP address. So does
it mean that there is no address translation?
Cordially
Emmanuel Lucas.
- Original Message -
From: Jim Brown <[EMAIL PROTECTED]>
To: 'Emma
SOURCE - DESTINATION - SERVICE - ACTION
internal-net - any - 6699 - allow
any - internal-network - 6699 - drop
That should do it.
Joel Eames
--
Texas Children's Hospital
Information Services
Data Security Analyst
Based on the existing code of Checkpoint, I have implemented as an example a
stateful version of ping.
Stateful ping means that an ICMP echo-reply will be accepted *only* if the FW-1
has seen an ICMP echo-request before, if the src<>dst match the dst<>src and
if the icmp-id and icmp-seq matc
Yes, you can have a different rule base for each box.
Take care on Install On Field on Security Policy Tab
Victor Barrientos
Security Engineer
Tivoli certified Consultant
RSA Security Certified RSA ACE/Server Engineer
Tel: 54-11-4819-3903
Fax: 54-11-4811-7103
> Telefónica
> unifon
> www
You can have an individual rulebase for each firewall and, yes, you can
share the objects.C contents.
You create a rulebase with a specific firewall in mind and then push it to
the firewall in question. Repeat this for each firewall saving each
rulebase with a different name.
Alternatively you
Your problem is most likely tied to the probability that your cable modem
is performing some type of NAT on the client's IP address. Unless you can
map those inbound UDP packets from the firewall to your client you will
never be successful using SecuRemote.
There is probably no address transla
Hi everybody:
Probably we all know how to block Napster for internal users, but how can I
let the users download from Napster while blocking Napster users from coming in to
our network?
Thanks
Sam Ghannadi
According to Irene Cai:
>
> I am running FW-1 4.0 Build 4156 on Solaris 2.6 (SUN Ultra-60)
> platform. Currently I have a memory leak problem; the system's free memory drops
> significantly daily. Does anybody there have a similar problem? Please post
> information or resolution.
Hi,
Build 4156 me
I am using SR Client build 4003 and my Firewall is v4.0 sp2 but It works
using RTC or ISDN line ! The problem comes with cable modem.
Cordially
Emmanuel Lucas.
- Original Message -
From: Dallas Bishoff <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 06, 2000 4:26 PM
Sub
I'm happy to say that my upgrade yesterday was successful. We upgraded to a
new hardware platform and from checkpoint 4.0 SP1 to 4.1 SP1.
old firewall = Solaris 7 (x86) checkpoint 4.0 SP1
new firewall = Solaris 7 Sparc checkpoint 4.1 SP1
here was the process I followed (in case you're interested
I am setting up to manage three IP440's and one IP330. Can I have
different rules.W files for each box or does it all need to be in one
rules.W? I would assume it's one big inclusive objects.C
Any pointers?
John E. Hahn
Sr. Distributed Products Analyst
Fiserv CBS - Arlington Heights
847-956-575
Okay, I've given up hunting for a solution. Likely I can't even do what I am
trying to do. Here are the facts.
I have a management server version 4.0 build 4094. It is using s/key between
itself and two firewall modules (also version 4.0 build 4094). Everything is
working fine.
I am trying get
Hi,
I am running FW-1 4.0 Build 4156 on Solaris 2.6 (SUN Ultra-60)
platform. Currently I have a memory leak problem; the system's free memory drops
significantly daily. Does anybody there have a similar problem? Please post
information or resolution.
Thanks in advance,
Irene
==
I just re-read res. 1988 on the nokia site and it states that you'll always get a
logswitch failed if the PFM is configured to log to another machine, eg. the
management server. [which mine is - apologies]
regards
"Dameon D. Welch-Abernathy" wrote:
> > I have never been able to get fw logswit
This is my biggest gripe with NT. You do not have
any of the remote management capabilities. With
NT you can't even telnet and access system resources
let alone export the GUI to your local X server.
Then there's the performance thing, and the frequent
reboot thing, and the Micro$oft Monopo
Hi,
I have FW-1 installed on an NT box. I have a SecuRemote client installed on
win98. When I connect to my Firewall using an ISDN line or analog modem all
works fine (logon to NT domain, access network shared resources and
applications etc ...).
Now I try to connect my FW using a cable modem.
I'm not an expert,
but I already had some troubles because I had chosen the internal interface,
I've changed this to the external, and all was going better !
> Francis THELLIER
>
> -Original Message-
> From: Uy, Alex [SMTP:[EMAIL PROTECTED]]
> Date: Thursday 6 July 2000 14:52
> To:
I have a question about the volatility of data on a Nokia box. I know that
there are files that should only be edited from the Web-based GUI, such as
the /etc/hosts. But there are many things that I wish to do that are not
covered by the Web-GUI.
For example, I have created a shell script tha
It's in the beta program at checkpoint's website. I'm sure you could get it
if you signed up.
Joel
> -Original Message-
> From: Chambers, Steven [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, July 06, 2000 6:52 AM
> To: '[EMAIL PROTECTED]'
> Subject: [FW1] secure rm w2k
>
>
> Is th
Still in beta. I haven't seen an anticipated release date.
-Original Message-
From: Chambers, Steven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 7:52 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] secure rm w2k
Is there a securemote client for windows 2000 yet,
And if so whe
Hoang, what happens if you license your primary and secondary firewalls with
an internal private address as opposed to a public real address? Could this
be the reason why I'm having problems implementing VPN??
Alex Uy
Net2000 Communications, Inc.
Senior Network Administrator
Phone Number (703)65
I manage 7 gateways from one management station.
The NT based gateways are the hardest to work with.
The primary reason is the NT design which expects a
keyboard, monitor, and mouse attached to each station.
Everything is fine as long as everything is fine.
Anything unusual requires a phone con
It is a two step process.
First I do a logswitch and then a log export on the firewall machine. This
gives me a comma delimited text file.
Second, I ftp the files over to my database machine and load them into the
database. All of this is automated. Check phoneboy's site for my scripts
Hop
Is there a securemote client for windows 2000 yet,
And if so where can I get it
Thanks
sc
Sorry, but since FW 4-0 I think there's no longer an immediate reason to associate the
license with the external IP address. The technical problems arising from usage of
another address in earlier versions have been resolved.
So a more precise answer would be: The primary address is the one yo
You need to add a hostname to IP address mapping into the hosts file..
DON'T do this by editing /etc/hosts yourself! (it's a read only filesystem)
Use the "Host Address Assignment" section of voyager.
Tom
> -Original Message-
> From: Lau, Leng Fong [mailto:[EMAIL PROTECTED]]
> Sent: T
Todd,
Sorry if the message was confusing. My NT server was svc pk 4.0, I
moved it up to 5, a requirement for Firewall-1 svc pk 6. I had been running
the initial build of the firewall, but had to upgrade to svc pk 6 to solve a
known issue. I will never place svc pk 6 on any of my servers
Hi,
I am new to this mailing list and the checkpoint fw. Pls pardon me if this
problem has already been discussed.
While installing fw ver4.0-SP4 on my Nokia VPN220, I always get the
following error message:
fw_ipaddr: cannot get my ipaddr
Anyone knows what could be the cause o
Hi
the Primary IP address is the IP address of the external
interface. This is the IP address you license.
For your solaris system the Primary IP address is the first IP you
defined while installed your system.
Regards
Hoang Ha
At WEB site, http://www.phoneboy.com/fw1/,
in QA ar
Hello Fang,
For the server running FW-1, you should use Solaris 7, 'coz Solaris 8 isn't
supported by checkpoint yet. It'll be later in this year, as I read !
Firebird
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 06, 2000 4:39 AM
Su
[EMAIL PROTECTED] wrote:
> Hi, all gurus:
>
> We are going to buy two Sun servers used for checkpoint FW-1 V4.0 and
> Netscape proxy3.5. Can anyone tell me which OS version is better,
> Solaris6, 7, 8? And we also want to install websense and antivirus
> software on Prox
I am receiving the following error on SUN Solaris;
Failed to load object in Setup.C"
"Setup.C", line 25: error cannot use : not in scope
Anybody have any idea how to solve this?
Azeem Usman Bharde
Hiya,
The reason I want to use Radius authentication rather than the ACE agent
type thingy is that if you use the ACE authentication from the Firewall it
Borks the VPN capabilities for secure remote users if you use ISAKMP which I
want to use. The Radius authentication should work, can't figure ou
The reason I was worried is the /var/log/fw.log was 20MB and had a modified date of
yesterday. I think the bulk of the log came from when we played around with the
ip440 in a standalone setting (ie. not in HA mode and not with a separate mgmt
module).
BTW, the remote logswitch also failed. I tri
Hello
We want to move the existing config (objects, rules, policies etc...) on our
FW-1 to a newer machine and wondered if anybody has any recommendation. I
am planning on copying files from the conf directory on the old to the new, as well as
updating the license.
(:=)Think Globally Act Loc
Hi all,
Does anyone have a check list or criteria list on selecting a FW.
thank you
chiam
I have managed to find out what the problem was with private address space through the
firewall. My anti-spoof setup did not take into consideration that the 172.16 range of
addresses was internal to my network, so the traffic was dropped silently by Rule 0. I
picked this up when trying to und
Dear All,
I am facing a problem, which is below:
I have upgraded FireWall 4.0 to 4.1 on VPN-1 RL500 Appliance.
Also the Management Console which is on different NT machine is upgraded to
4.1.
All existing services are working fine, such as Internet browsing, ftp
etc.
I am trying to confi
Hi,
How can I increase the Telnet port timeout to 40 minutes?
Thanks