Thanks for all the answers, the problem turned out to be the fact that the
firewall was running while I certified the fw object and the SP1 client has
the Hybrid checkbox in the IKE properties panel.
As soon as I stopped it and recertified, all worked fine.
1. fwstop
2. fw internalca create
Where can I download the latest build of secureremote for Win2K Pro?
Thanks,
Leonard Lee
Sr.Network Administrator
Furniture.com
-Original Message-
From: Tigges, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 04, 2000 3:01 PM
To: '[EMAIL PROTECTED]'
Subject: [FW1] Sec Rem for
I wish it were that simple. I did some testing and noticed the external Cisco had
routes from my internal network (subnets) via two paths (the Nokias); this is
during normal VRRP operation. I guess this makes sense because they are equal cost
routes. I figured I could tweak this by
We need to use a FQDN, instead of an IP address, to access an ftp server. It is
because there are a number of hosts/IP addresses behind the FQDN for
fail-over. The ftp server operator refuses to update us if there is any IP
address change for that FQDN.
How can I construct a FW-1 rule to
I don't see FQDN changing much, so just do an nslookup and put
the ip range in your rules.
Once a month or if users complain do an nslookup and put the
new ip in or remove dead ones.
Or just put a single IP; if it goes down or is busy, tell the
ignorant admin to fix his machine or run a real
Could someone please offer some advice here.
Nokia 440 with IPSO 3.2.1 and CHKP V4 SP4 running Websense.
Firewall is configured as proxy for IE5 clients to browse the web most of the
time works OK.
Some addresses work sporadically and I don't know why...
There is one good example,
Title: Client Auth/Redirect on Fail
You
must do user authentication + client authentication together. I have several
customers that are doing this.
Basically, if you use user auth by itself, it will authenticate on every
new URL, although using http proxy will allow this.
If you
use a user
You'll need to do an nslookup for the FQDN, then create separate
workstation objects for each of the site's load balanced IPs. Then allow
access to all of the objects. Otherwise it will work for your users
sometimes but not others.
I've also heard of some people having success at specifying
What VRRP does is actually shut down the interfaces themselves... it won't
matter if the routing daemon dies or not. When that route goes away,
traffic should take what WAS the higher cost route.
- Original Message -
From: "John Gesualdi" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; "fw"
My guess is that there is a single external IP address that is used for
several of his internal addresses. Perform an nslookup a few times and see
the results.
Thomas Poole
-Original Message-
From: Ivan Fox [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 23, 2000 5:41 PM
To:
Let me add another perspective to this. I am in the situation you are
contemplating: all my users have unrestricted access to the Internet through
the firewall. I have spent the last 6 or 8 months trying to get my hands on
what they need to have open in order to do their jobs and what is just
Joe,
This is no reason to open up all outgoing TCP ports. I suggest making a
group like "standard services", containing things like http, ftp asf., and
as far as I know FW-1 is able to handle the re-direction to a high-numbered
port by an ftp server to a client still in a secure, stateful
Joe Delsol wrote:
What are the reasons against opening all port access to the internet
from my internal users?
A whole bunch of reasons against opening this up have been proposed,
which are all valid.
One good reason *for* opening it up however is this:
1) Your users can get work done.
This is my second attempt for a solution from this board, so if you can help
at all, please give me a hand.
I have FW1 4.0 on NT4.0 with three interfaces I want to route between. The
interfaces I want to route are: my external interface (valid Internet
address), my MZ (172.x.x.x) and my DMZ
Hello all,
Currently wrestling to understand what is going on. I am running NT
SP6a, with FW-1/VPN-1 4.1 SP2, and SecuRemote 4165
Everything is working correctly except browsing through network
neighborhood, which I have info on how to set up, so I am not worried. But
what I notice is
Derek,
if I understand you correctly,
you have your network set up like this:
Internet
|
FW - DMZ (192.x.x.x)
|
Internal
(172.x.x.x)
There is no reason to use NAT between the internal network
and the DMZ.
All you need is the proper routes (in NT), and a FW-1 security
policy
Dear Friends:
I have the following configuration:
1 VPN-1 Module 4.1 SP1 (Firewall-1) running in a Nokia IP440 box
1 Management Console 4.1 SP1 running on an NT server
This is working fine.
I have a problem with the LOG VIEWER
In my configuration I have 35 rules in the Policy Editor
When I open
That's how we feel. We monitor logs and bring up issues with management,
but being a dictator from the get go doesn't make our network any more
secure or make our people work harder.
Frankly, letting people go check their stocks, follow their retirement
funds and check the news seems to keep
ICMP is not stateful unless enabled within the Properties menu. I'm assuming
you do not have it enabled there which is why you need an explicit rule to
allow the echo-reply back, basically FW sees an echo-reply as a net new
connection. All TCP and UDP protocols have state (assuming you've
Looking for comments on various auth methods for web/ftp access.
We have locked down access by allowing only certain addresses/protocols
etc.
However, we do not authenticate outbound web surfing/ftp.
Now I have heard various comments in the past:
"Don't auth outbound - you will only have
Can anyone please point me to where I can obtain SNMP MIBs for Nokia 440 running
IPSO 3.2.1?
Many thanks
Mike
You should only need to install the 3DES version of
the SP2 patch, if I recall correctly. Yes -- be sure
to have your encryption license key *and* the licenses
for SecuRemote -- they are not the same thing.
Good Luck! -- Chris
--- Eyal Rif [EMAIL PROTECTED] wrote:
Hi,
I currently have
Hi,
I understand something is going to be made available by Nokia soon
Inti.
-Original Message-
From: Mike Anning
To: [EMAIL PROTECTED]
Sent: 9/8/00 3:20 PM
Subject: [FW1] MIBs
Can anyone please point me to where I can obtain SNMP MIBs for Nokia 440
running
IPSO 3.2.1?
Many
Hello Friends:
Does someone know how I can look at the Nokia performance?
Memory and CPU?
Same as NT, with Task Manager/Performance?
Is there a similar option?
Thanks..
Hello All,
Anyone have a fix/patch/resolution for the following:
CP 4.1, SP2 on NT 4.0 SP6a
VPN-1 Module and a Management Console.
When VPN is active - I get the following:
An Application error has occurred and an application log is being
generated.
fw.exe
Exception: access violation
Just installed FW1 4.1 SP1 with FW on Solaris and Mgmt Server on NT 4.0.
When FW starts up, it gets an error -
"Authentication for command fetch failed"
Any ideas?
Bill Steele
Greetings,
I am trying to implement Hybrid Mode IKE for SecuRemote authentication and
have followed all the instructions listed in the Check Point document
written by Joe Dipietro. While all steps checked, when I try to
authenticate with a user set up for IKE (DES), I get the following
fw putkey?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 5:37 PM
To: [EMAIL PROTECTED]
Subject: [FW1] fetch
Just installed FW1 4.1 SP1 with FW on Solaris and Mgmt Server on NT 4.0.
When FW starts up, it gets an error -
On the IP440 look at /etc/snmp/mibs/
-Original Message-
From: Inti Shah [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 11:23 AM
To: 'Mike Anning '; '[EMAIL PROTECTED] '
Subject: RE: [FW1] MIBs
Hi,
I understand something is going to be made available by Nokia soon
Charles:
Confirm that your client and server have common authentication
capabilities (encryption methods/algorithms); that sounds like your problem.
Earl Hartley
Sorry Tom, I should've mentioned that I was aware of the default ones... does
anyone know if there are any additional MIBs available?
Cheers
Tom Sevy [EMAIL PROTECTED] on 08/09/2000 17:05:39
To: "'Inti Shah'" [EMAIL PROTECTED], Mike
Anning/WEY/EU/CHEP@CHEP, "'[EMAIL PROTECTED] '"
Yes, I did the putkey -p and also cleared out the authkeys.c files and did a
putkey -n as well.
Bill
-Original Message-
From: LEYMARIE Gerard [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 11:57 AM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [FW1] fetch
fw
Title: RE: [FW1] Hybrid Mode
I've seen this, actually, I just went through this myself. One little undocumented GOTCHA. If you look at your client encrypt rule, and go into the client encrypt action properties, you'll see a bright spanking new checkbox that wasn't there before. Apply Rule
Welp, you didn't do fw putkey on the firewall. RTFM a little about this function.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 5:37 PM
To: [EMAIL PROTECTED]
Subject: [FW1] fetch
Just installed FW1 4.1 SP1 with FW on Solaris and Mgmt
Check $FWDIR/lib/control.map; ensure you are using the proper type of
authentication.
If you want to force an auth type, you can put a comma-delimited line of the
remote modules' IP addresses at the top
of this file:
x.x.x.x, y.y.y.y: */fwa1
redo the putkeys on the clients and server:
fw
Thanks to everyone who assisted.
Problem: checkpoint 2000 on solaris, installing policy from mgmt server
to firewall module would fail
with:
gz_file_compress: fopen failed for /etc/fw/tmp/mypolicy.lg: No such file or
directory
Solution:
Do not call your policy name the same as the
Dear All,
I wish to set up 2 Nokia boxes using VRRP for high availability. Both
boxes are connected to 2 different ISPs, one ISP as the primary and the other as
the backup ISP. If our primary ISP could not connect us to the internet, does
it automatically fail over to the backup ISP?
Your reply is
Thanks Jeff for your reply. When I saw the undocumented "GOTCHA" in your
response, my eyes opened up wide. Unfortunately, my client encrypt evil
little twit was already unchecked. Any other ideas?
Thanks in advance...Chuck
From: "Oxenreider, Jeff" [EMAIL PROTECTED]
To: 'charles kings'
Thanks Earl,
Basically, I had a user already defined for IKE utilizing a preshared secret
key and was working OK. To test the hybrid mode, I then changed the
authentication scheme for this user from undefined to VPN-1 firewall-1
password and assigned a password. Now, this user does not
I have two FW1 Enterprise firewall "clusters", a v4.0
Management Server controlling two v4.0 Firewall Modules,
and a new v4.1 Management Server controlling two separate
v4.1 Firewall Modules. I would like the new v4.1 Management
Server to control both the new v4.1 Firewall Modules and the
old
According to Checkpoint web site:
Solution:
How to make Management Module version 4.1 backward compatible with
version 4.0 Inspection modules?
NT:
When installing management module 4.1, check the backward compatible option
and Install a 4.0 license on the management module in addition to
After clearing out both authkeys.c files again and rerunning the fw putkey
-n on both boxes, it is now working. Thanks for all the suggestions.
Bill
Hello
I would like to know if anybody had any problems installing Firewall-1 on
Windows 2000 Professional edition, because I got an error message saying
"Service PACK 4 or better are required". How can I solve this matter?
Thanks in advance
Matias Siri
Has anyone successfully installed the GUI client on Win2k?
Scott J. Friedman
Senior Systems Administrator
Microsoft Certified Systems Engineer
Email : [EMAIL PROTECTED]
Phone : 313-253-3656
Cell Phone : 313-220-6916
AOL IM : SJF403
-Original Message-
From: [EMAIL PROTECTED]
Hello Matias,
Checkpoint FW-1 system requirements:
http://www.checkpoint.com/products/firewall-1/sysrequire.html
Regards,
Stephen
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 2:35 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Problem
I had sent this note while spending two hours on the phone with CP.
The result of that call was that they have a problem with PASV FTP. I'm not sure
where it was introduced, but it affected our 4.1 SP2.
The KB docs had the fix in there, but the reason for the fix did not sound as though
If Telemate did not change the way it tracks authenticated users, you will
have to manually manage the database of users. I remember I created
departments as subdirectories and moved user names into the appropriate
department. Everything else was OK.
I run the 4.0 gui on my win2k laptop with no major problems. I think it has
crashed twice, but I've used it every day since June. For my computer
that's acceptable, for my car, it'd be a lawsuit, go figure.
HTH - Mark Ingles
At 02:51 PM 9/8/2000, you wrote:
Has anyone successfully installed
I've got the 4.1 GUI client installed on my Win2K Professional workstation
just fine. Have you run into problems installing on Win2K?
-Original Message-
From: Scott Friedman [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 1:52 PM
To: '[EMAIL PROTECTED]'; [EMAIL
Title: RE: [FW1] SecuRemote client with unrouteable ip address
Sounds to me like you are using IKE.
According to what I've read, you have to switch to FWZ. Try that if you haven't.
Title: [FW1] SecuRemote client with unrouteable ip address
I am experiencing a problem involving
Yes - did this without problems
It has run fine on both W2K and W2K SP1
--- Scott Friedman [EMAIL PROTECTED] wrote:
Has anyone successfully installed the GUI client on Win2k?
Scott J. Friedman
Senior Systems Administrator
Microsoft Certified Systems Engineer
Email : [EMAIL PROTECTED]
Yep. W2K Professional, Server and Server via a terminal server client. What
problems are you running into?
--- Gavin
-Original Message-
From: Scott Friedman [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 15:52
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [FW1]
I am running the GUI client on a win2k desktop and have had no problems.
I did get a similar message at first. I bypassed the autorun feature then used Windows
explorer to drill down to the client directory and ran the install from there.
Bob Josephson
Information Support Specialist
I am running NT SP6a, with FW-1/VPN-1 4.1 SP2, and SecuRemote 4165
Everything is working as expected with the SecuRemote client, dnsinfo.c is
correct, etc...
I can browse the encdomain fine, ping machines in the encdomain fine, etc...
I have set up split horizon DNS; internal clients will
Okay, so I see now why local.arp is such a bummer.
#1 - It does not work correctly.
#2 - see #1.
Per postings over the last couple weeks (I've saved them all) and Checkpoint
docs, I have tried to create the local.arp using nearly all permutations of
space vs. tab between IP and MAC, dashes or
BTW, any tricks need to happen to get the router to do the ARP instead? I'm
imagining that all I should need to do is put in a static ARP entry, a la:
arp x.x.x.x .. arpa
Then, add a rule to accept the packets, a NAT rule, and a static route in
the NT routing table. Am I
I never had that much problem with it. Did you make sure your
antispoofing settings are correct. That tripped me up once or twice.
eric.
If it were up to me, I would disable ALL your rules, enable ALL ALL
and get your forwarding/arp/routing working to your machines (I assume
natted machines).
Once you have clear communications, turn on your rules and find which
one breaks them.
Personally I run fw1 4.0 and my routes work just
Eric is right,
If the local.arp settings are done correctly and it is still not working,
try setting the valid addresses on the firewall interfaces to "Any" (anti
spoofing).
Regards
Vijay Joseph
-Original Message-
From: eric [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08,
This is true and tripped me up also. Your FW's internal interface
anti-spoofing policy must treat as valid addresses the external range that
you're trying to NAT your internal stuff to.
Ian
-Original Message-
From: Vijay [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 1:58
Besides the already mentioned anti-spoofing, there is something else
to check. I assume you created an object with the internal IP address
and set static NAT on it. Have you also created an object with the
virtual (external, natted) IP address and
(Thank you)^ to the many responders on this issue. The winning response
is included below (thanks to others who corroborated this). I had initially
configured anti-spoofing with "log" as the spoof tracking option. However,
when I added another interface to the firewall via "get", I failed
Hi,
has anyone ever ran into a problem where when installing a policy
from a management console to a firewall module, it gives you an
error of "Failed to install Security Policy on hostxxx: Broken
Pipe"?
I checked the connection and was able to get to the fw module
fine (using ping,
Title: Authentication Load on VPN-1 AIX
I tried to send this to the fw1-wizards list, of which I'm a member, but it failed twice, so.
We are running VPN-1 4.1 SP1 on AIX (read RS6000) The AIX box is pretty hefty. Even with a few VPN sessions and approximately 2200 users surfing the
I have had nothing but problems after upgrading to 4.1 SP2. So far CP has not been
any help in solving the problems. My major issue is that I have a distributed
enterprise with an unlimited firewall and a management server on different machines,
then 3 remote firewall modules, all of which
whoops, sent this to the wrong address... trying again...
Hello,
We have offices at three sites, NY, Boston and LA. Currently NY and Boston
are up and running FW-1, and they can communicate TCP/IP fine between each
other (FTP/Telnet/http). The rules allow all traffic (except for BOOTP and
We have two Nokia firewalls (v4 SP5 hotfix) in a VRRP configuration (master/backup).
All the interfaces on both firewalls were defined with anti-spoofing (2 interfaces -
this net, 1 "private" interface - specific, and 1 "public" interface - other). When
anti-spoofing was pushed, it seemed
We have installed CP v4.0 SP5 Hotfix on our Nokia firewalls.
Since that time, the log viewer (Show Null Matches) has revealed a surprising number of
fragmented packets. The message reads: router log: Virtual defragmentation error:
Timeout (...) - nn packets dropped during the last 60
I think this is what you're after:
http://support.checkpoint.com/kb/docs/public/os/winnt/pdf/SDL-Prep.pdf
Don't be thrown by the "NT" in the URL - the info you want is in there.
Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)
425.456.3970
The work/life
Thanks, but I saw that one and on the bottom of page 2, 2nd to last
paragraph, last sentence it says an additional entry will be required on the
win98 client lmhosts file.
I think they just haven't updated the docs, but I can't find anywhere that
says what the new entry in the dnsinfo.C file