Hi,
How can I increase the Telnet port timeout to 40 minutes?
Thanks
Dear All,
I am facing a problem which is below:
I have upgraded FireWall 4.0 to 4.1 on VPN-1 RL500 Appliance.
Also the Management Console which is on different NT machine is upgraded to
4.1.
All existing services are working fine, such as Internet browsing, ftp
etc.
I am trying to
I have managed to find out what the problem was with private address space through the
firewall. My anti-spoof setup did not take into consideration that the 172.16 range of
addresses was internal to my network, so the traffic was dropped silently by Rule 0. I
picked this up when trying to
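The silent rule 0 drop described above is what anti-spoofing does when an interface's "valid addresses" set is incomplete. The following is an added example, not code from the post or from Check Point: a small model of per-interface source validation in Python. Interface names, the CIDR groups and the sample packets are constructed for the example; the point is to show both failure modes of a wrong topology, the legitimate 172.16 traffic being dropped on the inside and, worse, a forged 172.16 source being let through on the outside.

```python
import ipaddress

# Constructed model of interface anti-spoofing: each interface carries a set
# of valid source addresses; a packet whose source is not valid for the
# interface it arrived on is dropped by the implicit rule 0 before the rule
# base is consulted. Interface names and CIDRs are hypothetical.

def build_topology(valid_addresses):
    """valid_addresses maps interface -> list of CIDRs, or the string
    "others", meaning 'any address not claimed by another interface'
    (the usual setting for the external interface)."""
    topology = {}
    for iface, spec in valid_addresses.items():
        if spec == "others":
            topology[iface] = "others"
        else:
            topology[iface] = [ipaddress.ip_network(c) for c in spec]
    return topology

def source_is_valid(topology, iface, src_ip):
    """True if src_ip is an acceptable source on iface."""
    addr = ipaddress.ip_address(src_ip)
    spec = topology[iface]
    if spec == "others":
        # Valid unless some explicitly defined interface claims this address.
        for other_iface, nets in topology.items():
            if nets != "others" and any(addr in n for n in nets):
                return False
        return True
    return any(addr in n for n in spec)

def run_antispoof(topology, packets):
    """packets: list of (interface, src, dst). Returns a verdict per packet."""
    verdicts = []
    for iface, src, dst in packets:
        if source_is_valid(topology, iface, src):
            verdicts.append((iface, src, dst, "to rule base"))
        else:
            verdicts.append((iface, src, dst, "drop (rule 0, anti-spoof)"))
    return verdicts

# Constructed traffic: an internal 10.x host, an internal 172.16 host going
# out, and an outsider forging a 172.16 source on the external interface.
SAMPLE_PACKETS = [
    ("internal", "10.1.2.3", "198.51.100.10"),
    ("internal", "172.16.4.5", "198.51.100.10"),
    ("external", "172.16.4.5", "10.1.2.3"),
]

# The misconfiguration from the post: 172.16/12 missing from the internal group.
BROKEN = build_topology({"internal": ["10.0.0.0/8"], "external": "others"})
# Corrected topology: 172.16/12 declared internal.
FIXED = build_topology({"internal": ["10.0.0.0/8", "172.16.0.0/12"],
                        "external": "others"})

if __name__ == "__main__":
    for name, topo in (("broken", BROKEN), ("fixed", FIXED)):
        print(name)
        for verdict in run_antispoof(topo, SAMPLE_PACKETS):
            print("  ", verdict)
```

With the broken topology the second packet (a real inside host) is dropped while the third (a spoofed inside address arriving from outside) reaches the rule base; with the fixed topology both verdicts invert, which is the behaviour you want to confirm in the log after any change to an interface's valid-address group.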
Hiya,
The reason I want to use Radius authentication rather than the ACE agent
type thingy is that if you use the ACE authentication from the Firewall it
Borks the VPN capabilities for secure remote users if you use ISAKMP which I
want to use. The Radius authentication should work, can't figure
[EMAIL PROTECTED] wrote:
Hi, all gurus:
We are going to buy two Sun servers used for checkpoint FW-1 V4.0 and
Netscape proxy 3.5. Can anyone tell me which OS version is better,
Solaris6, 7, 8? And we also want to install websense and antivirus
software on Proxy
Hello Fang,
For the server running FW-1, you should use Solaris 7, 'coz Solaris 8 isn't
supported by checkpoint yet. It'll be later in this year, as I read!
Firebird
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 06, 2000 4:39 AM
Hi
the Primary IP address is the IP that will be the IP address of the external
interface. This is the IP address you license.
For your solaris system the Primary IP address is the first IP you
defined while installing your system.
Regards
Hoang Ha
At WEB site, http://www.phoneboy.com/fw1/,
in QA
Hi,
I am new to this mailing list and the checkpoint fw. Pls pardon me if this
problem has already been discussed.
While installing fw ver4.0-SP4 on my Nokia VPN220, I always get the
following error message:
fw_ipaddr: cannot get my ipaddr
Anyone knows what could be the cause
Todd,
Sorry if the message was confusing. My NT server was svc pk 4.0, I
moved it up to 5, a requirement for Firewall-1 svc pk 6. I had been running
the initial build of the firewall, but had to upgrade to svc pk 6 to solve a
known issue. I will never place svc pk 6 on any of my
It is a two step process.
First I do a logswitch and then a log export on the firewall machine. This
gives me a comma delimited text file.
Second, I ftp the files over to my database machine and load them into the
database. All of this is automated. Check phoneboy's site for my scripts
I manage 7 gateways from one management station.
The NT based gateways are the hardest to work with.
The primary reason is the NT design which expects a
keyboard, monitor, and mouse attached to each station.
Everything is fine as long as everything is fine.
Anything unusual requires a phone
Hoang, what happens if you license your primary and secondary firewalls with
an internal private address as opposed to a public real address? Could this
be the reason why I'm having problems implementing VPN??
Alex Uy
Net2000 Communications, Inc.
Senior Network Administrator
Phone Number
Still in beta. I haven't seen an anticipated release date.
-Original Message-
From: Chambers, Steven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 7:52 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] secure rm w2k
Is there a SecuRemote client for windows 2000 yet,
And if so
I'm not an expert,
but I already had some troubles because I had chosen the internal interface,
I've changed this to the external, and all was going better!
Francis THELLIER
-Original Message-
From: Uy, Alex [SMTP:[EMAIL PROTECTED]]
Date: Thursday, 6 July 2000 14:52
To:
Hi,
I have FW-1 installed on an NT box. I have a SecuRemote client installed on
win98. When I connect to my Firewall using ISDN line or analog modem all
works fine (logon to NT domain, access network shared resources and
applications etc ...).
Now I try to connect my FW using a cable modem.
This is my biggest gripe with NT. You do not have
any of the remote management capabilities. With
NT you can't even telnet and access system resources
let alone export the GUI to your local X server.
Then there's the performance thing, and the frequent
reboot thing, and the Micro$oft
I just re-read res. 1988 on the nokia site and it states that you'll always get a
logswitch failed if the PFM is configured to log to another machine, eg. the
management server. [which mine is - apologies]
regards
"Dameon D. Welch-Abernathy" wrote:
I have never been able to get fw
Hi,
I am running FW-1 4.0 Build 4156 on Solaris 2.6 (SUN Ultra-60)
platform. Currently I have memory leak problem, the system free memory drop
significantly daily. Does anybody there have a similar problem? Please post
information or resolution.
Thanks in advance,
Irene
I am using SR Client build 4003 and my Firewall is v4.0 sp2 but it works
using RTC or ISDN line ! The problem comes with cable modem.
Cordially
Emmanuel Lucas.
- Original Message -
From: Dallas Bishoff [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 06, 2000 4:26 PM
Yes, you can have a different rule base for each box.
Take care on Install On Field on Security Policy Tab
Victor Barrientos
Security Engineer
Tivoli certified Consultant
RSA Security Certified RSA ACE/Server Engineer
Tel: 54-11-4819-3903
Fax: 54-11-4811-7103
Telefónica
unifon
Based on the existing code of Checkpoint, I have implemented as an example a
stateful version of ping.
Stateful ping means that an ICMP echo-reply will be accepted *only* if the FW-1
has seen before an ICMP echo-request, if the src/dst match the dst/src and
if the icmp-id and icmp-seq match
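The matching rule just stated (reversed src/dst, equal icmp-id and icmp-seq, request seen first) is easy to get subtly wrong, so here is an added example of it in Python. This is not the poster's INSPECT code and not Check Point's; the packet layout, the timeout value and the sample exchange are constructed for the example. Two details beyond the sentence above are included because they matter in practice: a request entitles exactly one reply, so a replayed reply is dropped, and pending requests age out so the table cannot grow without bound.

```python
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

@dataclass(frozen=True)
class IcmpPacket:
    # Hypothetical decoded packet: only the fields the state check needs.
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    icmp_seq: int

class StatefulPing:
    """Accept an echo-reply only if a matching echo-request was seen first.
    Match = reversed src/dst plus equal icmp-id and icmp-seq. Each request
    entitles exactly one reply, and entries age out after `timeout` seconds."""

    def __init__(self, timeout=30):
        self.timeout = timeout
        # (requester, target, icmp_id, icmp_seq) -> time the request was seen
        self.pending = {}

    def _expire(self, now):
        for key, seen_at in list(self.pending.items()):
            if now - seen_at > self.timeout:
                del self.pending[key]

    def inspect(self, pkt, now):
        self._expire(now)
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self.pending[(pkt.src, pkt.dst, pkt.icmp_id, pkt.icmp_seq)] = now
            return "accept"
        if pkt.icmp_type == ICMP_ECHO_REPLY:
            # A reply is only valid if the reversed tuple is pending.
            key = (pkt.dst, pkt.src, pkt.icmp_id, pkt.icmp_seq)
            if key in self.pending:
                del self.pending[key]   # one reply per request
                return "accept"
            return "drop"
        return "drop"   # other ICMP types are outside this example

# Constructed exchange: (time, packet). 10.1.1.5 is the inside host.
SAMPLE_TRAFFIC = [
    (0.0,  IcmpPacket("10.1.1.5", "198.51.100.7", ICMP_ECHO_REQUEST, 0x1234, 1)),
    (0.1,  IcmpPacket("198.51.100.7", "10.1.1.5", ICMP_ECHO_REPLY, 0x1234, 1)),
    (0.2,  IcmpPacket("198.51.100.7", "10.1.1.5", ICMP_ECHO_REPLY, 0x1234, 1)),  # replay
    (0.3,  IcmpPacket("198.51.100.7", "10.1.1.5", ICMP_ECHO_REPLY, 0x1234, 2)),  # wrong seq
    (0.4,  IcmpPacket("203.0.113.9", "10.1.1.5", ICMP_ECHO_REPLY, 0x1234, 1)),   # unsolicited
    (10.0, IcmpPacket("10.1.1.5", "198.51.100.7", ICMP_ECHO_REQUEST, 0x1234, 3)),
    (50.0, IcmpPacket("198.51.100.7", "10.1.1.5", ICMP_ECHO_REPLY, 0x1234, 3)),  # too late
]

def run_sequence(traffic, timeout=30):
    """Feed timestamped packets through one StatefulPing; return the verdicts."""
    fw = StatefulPing(timeout=timeout)
    return [fw.inspect(pkt, now) for now, pkt in traffic]

if __name__ == "__main__":
    for (now, pkt), verdict in zip(SAMPLE_TRAFFIC, run_sequence(SAMPLE_TRAFFIC)):
        print(f"t={now:5.1f} {pkt.src} -> {pkt.dst} type={pkt.icmp_type} seq={pkt.icmp_seq}: {verdict}")
```

Only the first reply is accepted; the replay, the reply with a sequence number that was never requested, the reply from a host that was never pinged, and the reply that arrives after the request has expired are all dropped.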
As I said above on my first append, I have tried with 2 IP addresses in
195.x.x.x and the firewall log shows me the good client IP address. So does
it mean that there is no address translation?
Cordially
Emmanuel Lucas.
- Original Message -
From: Jim Brown [EMAIL PROTECTED]
To:
I'd like to see what was fixed / changes / broken.
Thanks,
Joel Eames
--
Texas Children's Hospital
Information Services
Data Security Analyst
--
(713) 770-4441
-Original Message-
From: Eames, Joel E.
Sent: Thursday, July
If you have your firewall set up like most people, you have already done it.
Most people are very careful about what they let in, only allowing certain
services to certain machines and blocking everything else coming in. If
this is the case, you have already blocked an external person from
Can someone please point me to the release notes
for 4.1? I am having trouble locating them on Checkpoints
site. Also any whitepapers on migration/upgrade issues
and procedures, if available.
TIA
Hal
Hal Dorsman
Data Network Engineer
Blackfoot Telephone Cooperative
Missoula, Montana, USA
Check Point is usually pretty good about backwards compatibility, but
I've never seen a software manufacturer do forwards compatibility
Check Point would definitely say that your management console must be
the most current - regardless of authentication, modules change, object
formats
Hi all,
I've recently been getting alerts from our firewall that port 33435
through 33454 are being scanned repeatedly. Does anyone know of a site that
lists ports used by Trojans and backdoors that I can use as a reference to
check these out?
Thanks for your response. I have upgraded to SP5 (Build 4094). This did
not affect the problem in any way unfortunately. Any other ideas?
Thanks,
Tracy
Folks,
Any ideas why I am getting these error messages on my Solaris, sparc, IOS 2.6
FW-1 v 4.0 with 256M memory. See error message below.
excerpt from /var/adm/messages file...
Jul 6 16:40:55 mcfw unix: FW-1: fw_init_xlation_tables: fw_xlate_set_tables failed
Jul 6 16:40:55 mcfw
The nokia platform is FreeBSD unix that is thinned out a bit. The HA option
is using VRRP. I have implemented it and it works fine.
Moving from Solaris to Nokia is not that difficult and will provide you with
a few benefits. The Nokia platform tends to be slightly easier to config
(for
Carl,
On my site, http://www.wittys.com/files/all-ip-numbers.txt is probably
the list you're looking for. Off the top of my head, what you're seeing
is traceroute (so long as it's UDP). Hope this helps!
Jason
"Truszynski, Carl G." wrote:
Hi all,
I've recently been getting alerts
I use this one...
http://www.simovits.com/nyheter9902.html
HTH,
Karim
"Truszynski, Carl G." wrote:
Hi all,
I've recently been getting
alerts from our firewall that port 33435
through 33454 are being scanned repeatedly. Does anyone know
of a site that
lists ports used by Trojans and backdoors
You've run out of kernel memory for the firewall state table. I'm
guessing your CPU load just went nuts too, right? Anyway,
www.phoneboy.com lists the fix for this, which is to add the line:
set fw:fwhmem=0x400
to your /etc/system file and then reboot. Actually phoneboy suggests a
I'd suggest that you get Suns and a more scalable HA product, such as,
oh, I don't know, Rainwall :-)
Nokia's VRRP solution bears some very close resemblances to the HSRP
protocol that it's descended from. It's a master/slave relationship which
requires that one box be passively listening for
Nokia's HA is VRRP (free), with a Monitored Circuit option (also free) to
cause any/all interfaces - you choose which ones - to fail over whenever
any one of them does. In my tests, it fails over in about 3 seconds, and
fails back in about 6 seconds - not long enough for anyone to really
Hello Carl,
TCG> I've recently been getting alerts from our firewall that port 33435
TCG> through 33454 are being scanned repeatedly. Does anyone know of a site that
TCG> lists ports used by Trojans and backdoors that I can use as a reference to
TCG> check these out?
this is probably just
As mentioned in several of the replies to your post it was noted that Nokia's HA
solution relies on VRRP, which provides failover, but not
load sharing in and of itself. You can, as mentioned, configure "static" load sharing
(i.e. one subnet uses one firewall as primary, and another
subnet
I have gotten it to work either way, but CheckPoint may not support you if
you do not license the external interface.
ie- Best Practice would be to use external.
Internal is obviously easier, especially if you may change ISP's...
Thomas Poole
-Original Message-
From: Uy, Alex
Since Telnet is a tcp based service, the default timeout for TCP is 3600
seconds (60 minutes)
This is under policy/properties/tcp session timeout.
Thomas
-Original Message-
From: Scott Becker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 4:12 AM
To: [EMAIL PROTECTED]
I have a question about the put key command. We
recently inherited several firewalls being managed by
one management server/firewall. Two of the sites are
having timeout connections. Looking into the phoneboy
faq: Failed to Install Security Policy, it explains
that the module doesn't recognize
I want to be able to back up the NT firewall, since it is on its own little
domain etc, I can not use regular NT permissions to give the backupexec
program access. Can I run the Backupexec agent on NT and give special
permission to ONE server to access it via IP?
Anyone have any other
I have a network admin who would like to connect via their cable modem to
our network. what would the process be for that? I looked over a few Faq's
but am unsure of the exact steps needed, does all the VPN stuff come with or
is downloadable from Checkpoint? Is there an extra cost? What else
Hi,
our customer needs to use the service 'dcom' for same application.
This service uses a dynamic assignment of ports.
Can someone help me for the definition of this service?
thanks a lot
regards
manus
Aren't these "scans" really traceroutes ?
--- Karim Amrani [EMAIL PROTECTED] wrote:
Date: Thu, 06 Jul 2000 19:20:20 +0200
From: "Karim Amrani" [EMAIL PROTECTED]
Reply-to: [EMAIL PROTECTED]
Organization: Cogelog
To: "Truszynski Carl G." [EMAIL PROTECTED]
CC: "'Checkpoint Maillist'" [EMAIL
Hi all
is anyone using the
ArcServ backup agent for Unix to back up Checkpoint ?
Ryan V. Finnesey
Network Administrator
@tmosphere Interactive
1375 Broadway, 11th floor
New York, NY 10018
212 827 2507 phone
212 827 2525 fax
[EMAIL PROTECTED]
Yep, can be from service providers that, when someone hits a webpage they
host, they traceroute back to you to find out your physical location, then
point you to the closest mirror of that site.
Still worth a follow up email to the originating site if the scans are
annoying you. I consider such
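The replies above point out that UDP to 33435-33454 from a single host is almost certainly traceroute (classic Unix traceroute starts at destination port 33434 and bumps the port by one per probe, three probes per hop), not a Trojan scan. The following is an added example, not code from any of the posters: a small Python classifier run over constructed, simplified log lines in a semicolon-delimited layout that is only loosely modelled on a log export (the field order, addresses and timestamps are hypothetical). It separates a real traceroute (a run of consecutive UDP ports from one source) from two look-alikes: a TCP hit on one of those ports, and a scanner that merely touches one port in the range among others.

```python
from collections import defaultdict

# Constructed log sample. Layout (hypothetical, not an official export format):
# date;time;action;interface;proto;src;dst;dst_port
SAMPLE_LOG = """\
6Jul2000;16:02:11;drop;eth0;udp;203.0.113.44;198.51.100.20;33435
6Jul2000;16:02:11;drop;eth0;udp;203.0.113.44;198.51.100.20;33436
6Jul2000;16:02:12;drop;eth0;udp;203.0.113.44;198.51.100.20;33437
6Jul2000;16:02:12;drop;eth0;udp;203.0.113.44;198.51.100.20;33438
6Jul2000;16:02:12;drop;eth0;udp;203.0.113.44;198.51.100.20;33439
6Jul2000;16:05:40;drop;eth0;tcp;192.0.2.77;198.51.100.20;33435
6Jul2000;16:07:03;drop;eth0;udp;192.0.2.78;198.51.100.20;137
6Jul2000;16:07:03;drop;eth0;udp;192.0.2.78;198.51.100.20;161
6Jul2000;16:07:03;drop;eth0;udp;192.0.2.78;198.51.100.20;33435
"""

FIELDS = ["date", "time", "action", "iface", "proto", "src", "dst", "dport"]

# Classic traceroute probes UDP 33434 upwards, one port per probe, so a
# 30-hop trace with three probes per hop stays below 33434 + 90.
TRACEROUTE_PORTS = range(33434, 33534)

def parse_log(text):
    """Turn the constructed semicolon-delimited lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(";")))
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records

def classify_sources(records, min_probes=3, max_gap=3):
    """Per source address: is the activity consistent with traceroute?

    A source is tagged as traceroute if it sent at least `min_probes` UDP
    datagrams into the traceroute port range and the ports it hit form a
    near-contiguous run (gaps of at most `max_gap`, since a few probes may
    have been accepted by another rule and not logged). Anything else in
    the range is left untagged so it can be reviewed as a possible scan."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] in TRACEROUTE_PORTS:
            by_src[r["src"]].append(r["dport"])
    result = {}
    for src, ports in by_src.items():
        ports.sort()
        contiguous = all(b - a <= max_gap for a, b in zip(ports, ports[1:]))
        result[src] = {
            "traceroute": len(ports) >= min_probes and contiguous,
            "ports": (ports[0], ports[-1]),
            "hits": len(ports),
        }
    return result

if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        tag = "traceroute" if info["traceroute"] else "review"
        print(f"{src}: {info['hits']} UDP probes on {info['ports'][0]}-{info['ports'][1]} -> {tag}")
```

Only 203.0.113.44 is tagged as traceroute; 192.0.2.78 touched the range once among unrelated ports and stays in the review bucket, and the TCP hit from 192.0.2.77 never enters the traceroute logic because the port range is only meaningful for UDP. If the log also carried the packet's TTL, a low value would be a second strong indicator, but the sample above does not include it.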
My firewall is sending pings to 149.1.1.1 on a periodic basis. 149.1.1.1 IP
address points back to PSINet ISP. Any ideas why?
Thanks,
Jaime
Dear All,
someone please give me their opinions
Our rule base has been left unattended for a little while...I know the ins
and out's of creating rules and stuff like that...but I was thinking of a
reorganisation
Is it better to put all the accept rules at the top so that these are
Does anyone know if the Nokias support UDP Broadcast forwarding or, in Cisco
terminology, a "helper addresses" for broadcast addresses?
Here's the background info. Our Nokia 650 FW has a VPN DMZ, after the
traffic is decrypted, it is routed through the FW to the internal network.
We are
Hi,
Can someone please tell me what rule that I have to set to enable my mail
server (Exchange Server) to send/receive mail to/from the Internet? My mail
server is in the DMZ, with a valid ip. I have set a rule that allow from any
to the mail server through smtp, and vice versa. My default
Norman,
Has anything been entered into the DNS for the mail server? You will most
likely need an A, PTR and MX record. Something like:
Domain. IN MX 10 smtpserver.domain.
Smtpserver.domain. IN A legal-IP-address
And for the reverse DNS lookup
The rules you have set should be sufficient.
The default gateway for the mail server should point to the firewall's
DMZ nic, not the internal nic.
e.g. If you have 192.168.1.x as the internal network (with 192.168.1.1 as
the internal gateway) and 192.168.2.x as the DMZ network (with 192.168.2.1
Gang,
Thanks to everyone who replied to my RADIUS question. In the interest of
summarization for all involved, basically, from the folks out here in the
list, it looks like NT "Option Pack" RADIUS will work PROVIDED you have SP4
or less on the host with Option Pack on it. If you apply
Brian,
can't remember if I passed this info on or not, but I have got some good
support from MS people at the newsgroup microsoft.public.internet.radius
and they definitely recommend going to sp6a
cheers
deanc
install both IAS updates from link below mcis first then sp6a
Hello
We want to move the existing config(objects, rules, policies etc...) on our
FW-1 to a newer machine and wondered if anybody has any recommendation. I
am planning on copying files from the conf directory on the old to the new, as well as
updating the license.
(:=)Think Globally Act
The reason I was worried is the /var/log/fw.log was 20MB and had a modified date of
yesterday. I think the bulk of the log came from when we played around with the
ip440 in a standalone setting (ie. not in HA mode and not with a separate mgmt
module).
BTW, the remote logswitch also failed. I