SV: [FW1] Check this!

2000-11-30 Thread Jan-Ivar Hansen
This is the default setting in FW-1 (at least some versions). Checkpoint has released a "User Account Expiration" tool to change this setting on several users at a time - useful for large organisations... Jan-Ivar Hansen Network Consultant iTet System -Original Message- From: Ian

RE: [FW1] Adding rule for echo-request.

2000-11-30 Thread Roelandts, Guy
Anders, Yes it does, with the 1st rule you only allow the outgoing 'ping' packets ... but with no other rule, you'll never get a reply I think. You should add a 2nd rule to allow the replies: Src: Internet, Dest: Internal, Service: echo-reply + (??

[FW1] SR behind NAting device

2000-11-30 Thread Idan Dolev
Hi guys, Well I am testing out the SR behind natted device and it seems not to work for me I can download the topology just fine, and as far as I read I should not make any changes, it should automatically. Any suggestions ? after installing sp2 the vpn1_encapsulation is already

RE: [FW1] intrusion detection - benifits?

2000-11-30 Thread Chilton Tim
Something useful without having to justify it - wow! - Take it before they change their minds! IDS's are great and have provided me with useful information on many occasions. If it's outside your firewall then you can see what's trying to come in, what the bad guys on the inside and outside are

[FW1] Adapting rules from 4.0 to 4.1

2000-11-30 Thread rle xxx
Hello all, is the way to copy/paste rules between the 4.0 and another 4.1 fw1, the same as between a 4.0 and another 4.0? Before making the tests, I'd like to have some information to restrict them to a simple validation. Thanks. rle

[FW1] Object data base parser for fw-1 4.0 and 4.1

2000-11-30 Thread Derek Woods
Hello everyone. For those of you interested in a search routine that will allow you to locate objects in the fw-1 database, check out www.preceptsoftware.com. During this introductory year all upgrades are free to valid license holders. The program "Object Parser" is the beginning of what I hope

[FW1] Nokia and ksh...

2000-11-30 Thread Cihan Subasi (Garanti Teknoloji)
Hi all, is it possible to use ksh in nokia ipso? Thanks *** Cihan Subasi Garanti Technology-Istanbul Work phone: +(90)(212) 4783426 Cellular : +(90)(532) 2211796 mailto:[EMAIL PROTECTED]

[FW1] Nokia HA options

2000-11-30 Thread Neil Pike
What are people using on Nokia's for HA solutions (FW-1 only, no VPN needed). VRRP? Checkpoint HA? Stonebeat? Rainwall? Neil Pike Protech Computing Ltd

Re: [FW1] Object data base parser for fw-1 4.0 and 4.1

2000-11-30 Thread Roy G. Culley
Hello everyone. For those of you interested in a search routine that will allow you to locate objects in the fw-1 database, check out www.preceptsoftware.com. During this introductory year all upgrades are free to valid license holders. The program "Object Parser" is the beginning of

RE: [FW1] Nokia HA options

2000-11-30 Thread Cihan Subasi (Garanti Teknoloji)
I am using Alteon + Nokia -Original Message- From: Neil Pike [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 1:40 PM To: [EMAIL PROTECTED] Subject: [FW1] Nokia HA options What are people using on Nokia's for HA solutions (FW-1 only, no VPN needed). VRRP? Checkpoint

RE: [FW1] Nokia HA options

2000-11-30 Thread T . Higgins
Yes - the Alteon + Nokia appears a favoured offering from the VARs we have dealt with Tim Higgins Cihan Subasi (Garanti Teknoloji) [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 30/11/00 12:37 To: 'Neil Pike' [EMAIL PROTECTED], [EMAIL PROTECTED] cc: Subject: RE:

Re: [FW1] secure remote

2000-11-30 Thread CryptoTech
Dima, Am I to understand that the userid/cn for the cert reference is the same as the object ID being used in the destination? This is obviously a problem. This is one of a few scenarios that will yield the user is not defined properly message. Usually, though, it is an encryption level

Re: [FW1] Penetration Testing/Security Auditing

2000-11-30 Thread CryptoTech
I think it's great that there are people out here who work for companies that do penetration testing/auditing. This at least ensures that we have people here who know what they are talking about. --- Didn't we have this same conversation about Rainfinity's valuable input (not joking Mark, I'm

Re: [FW1] dnsinfo.C LMhosts

2000-11-30 Thread CryptoTech
Dave, Yes, the lmhosts file on the local system SHOULD be updated. I have seen this work, but as you have noted, it is very syntax sensitive, one wrong space, one space instead of a tab. It would be nice if check point would come out with a utility to generate this file based on a gui or a

Re: [FW1] intrusion detection - benifits?

2000-11-30 Thread CryptoTech
Well, working for a small security group, I have it on very solid ground (IDC, Gartner) that 70-80% of hacks come from inside the network. Scott's initial synopsis was dead on. If you really want to be secure, trust no one. But if you are going to use an IDS, which makes more sense, to have

Re: [FW1] Adding HTTPS ports

2000-11-30 Thread CryptoTech
FW 4.1 provides 3 ways to specify port ranges. 1. New TCP service - fill in the PORT field with 41000-65535, but do not touch source port range field 2. Create a Port Range object, flag TCP, then enter the proper starting port and ending port on the designated lines. 3. Follow Roberts email

RE: [FW1] SR behind NAting device

2000-11-30 Thread Idan Dolev
some additional info: my network is: station A - firewall A - firewall B - station B. LAN A is 10.0.0.0, LAN B 11.0.0.0, between A and B is 13.0.0.0. I am trying from station B to get to station A. Firewall B is hiding my station B (HIDE NAT). When I do site update I can authenticated

Re: [FW1] 1 minute VPN Outages

2000-11-30 Thread CryptoTech
Perhaps key exchanges. Are you using Perfect Forward Secrecy? CryptoTech Chris H wrote: Running IKE VPN to one of our overseas offices. 4.1 SP2 Enterprise server and management module in US 4.0 latest SP VPN-1 module overseas. The VPN drops for about a minute every couple of days at

RE: [FW1] Nokia HA options

2000-11-30 Thread c_siddika
I use VRRP and it works great. Kamran -Original Message- From: Neil Pike [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 6:40 AM To: [EMAIL PROTECTED] Subject: [FW1] Nokia HA options What are people using on Nokia's for HA solutions (FW-1 only, no VPN needed). VRRP?

[FW1] Looking for example of rule to output to authenticated Secure Remote Client from Encryption domain...

2000-11-30 Thread Wayne Graves
I remember seeing something on phoneboy but can't find it. I need to create a general rule to allow some services to go to any existing active Secure Remote Client. Something for allowing connections to clients with active user state, originating from encryption domain. Has anyone got any

RE: [FW1] intrusion detection - benifits?

2000-11-30 Thread Tim Cullen
I think we have beaten this thread to death guys and gals. We are all saying the same thing. IDS inside good. Outside even better. -Original Message- From: Chilton Tim [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 4:42 AM To: Pellowski, Tom; [EMAIL PROTECTED] Subject:

RE: [FW1] dnsinfo.C LMhosts

2000-11-30 Thread Johnson, Dave
Crypto, I hate to impose but that would be very helpful. I would also like to thank all those who responded !! Thanks Crypto, Dave -Original Message- From: CryptoTech [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 8:39 AM To: Johnson, Dave Cc: [EMAIL PROTECTED]

RE: [FW1] Penetration Testing/Security Auditing

2000-11-30 Thread Tim Cullen
Chill... Don't get so defensive. We all throw shameless plugs in from time to time. Where else can we get business? We all thank you for your valuable responses to our issues and we ask for a little leeway too. Just my humble opinion. -Original Message- From: Scott Schindler

RE: [FW1] Nokia HA options

2000-11-30 Thread Tim Cullen
[Tim Cullen] Neil, The products that work well with Nokia and Checkpoint that I have been able to test are F5 Networks Big-IP and RadWare for actual load balancing. If you just want failover, the VRRP solution is great. -Original Message- From: Neil Pike [mailto:[EMAIL

[FW1] switching from installed to disconnected

2000-11-30 Thread Scott Murray
This morning I came in and saw the System Status alert showing "firewall switching from old state 'installed' to new state 'disconnected'". 16 minutes later, it showed switching from old state 'disconnected' to new state 'installed'. The firewall in question is and was currently a hot

[FW1] Secure-Remote

2000-11-30 Thread manfred . steinbacher
Hello, I will install Secure-Remote or Secure-Client! Which system is the better choice? I think the Secure-Remote system doesn't have enough security for use, or is it possible to increase the security on these clients with software or some settings? Thanks manfred

RE: [FW1] intrusion detection - benifits?

2000-11-30 Thread Tim Cullen
That WAS Scott, and it was NOT you Schindler. Look just below my response. Just a note, there are many decaffeinated brands on the market that are just as tasty as the caffeinated kinds. (couldn't resist) -Original Message- From: Scott Schindler [mailto:[EMAIL PROTECTED]] Sent: Wednesday,

RE: [FW1] Adapting rules from 4.0 to 4.1

2000-11-30 Thread Keith M Brogan
What kind of machine is this on? I have done it on a Nokia IP440. -Keith -Original Message- From: rle xxx [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 5:05 AM To: Fw-1-Mailinglist (E-mail) Subject: [FW1] Adapting rules from 4.0 to 4.1 Hello all, is the way to

RE: [FW1] Nokia HA options

2000-11-30 Thread Cihan Subasi (Garanti Teknoloji)
It is not only HA also LB...and works perfect so far -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 3:20 PM To: Cihan Subasi (Garanti Teknoloji) Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject:

RE: [FW1] intrusion detection - benifits? FINI

2000-11-30 Thread Pellowski, Tom
Agreed, Thanks to all for your inputs and references. Alas to no avail. See my second message 7 hours after my first one. Thanks again. Tom -Original Message- From: Tim Cullen [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 09:53 To: [EMAIL PROTECTED] Subject: RE: [FW1]

Re: [FW1] intrusion detection - benifits?

2000-11-30 Thread Drew Simonis
Scott Schindler wrote: To everyone, regarding the CISSP and security certifications. * The CISSP is a security-officer level program. It is what CSOs and high level Consultants need to know. It is based upon information above the "implementation" level. ISC2 does not necessarily

RE: [FW1] SR behind NAting device

2000-11-30 Thread Yim Lee
I talked with CheckPoint and this is a known problem. Currently, there is no known fix. Yim --- Idan Dolev [EMAIL PROTECTED] wrote: some additional info: my network is: station A - firewall A - firewall B - station B. LAN A is 10.0.0.0, LAN B 11.0.0.0, between A and B is

Re: [FW1] Securemote issue

2000-11-30 Thread Kimberly Newton
I have a question regarding this, also. I went ahead and took the IP address off and it worked wonderfully. Thank you very much, Dan. However, now what do we do when the people are back in the office and need to be on the network with an IP address? Is there a way to make this work without

[FW1] Hybrid mode auth tips?

2000-11-30 Thread Ian Campbell
Hi all, I'm going to make the changes in CP's doc regarding hybrid mode auth for SR users using IKE as the encryption scheme tonight. Anybody done this before that wants to share any tips or problems they had while making the change? Thanks, Ian

[FW1] SMTP Store and Forward Server resource

2000-11-30 Thread Toth, David
I went to phoneboy's FAQ and read a question concerning how to use FW-1 as a store and forward SMTP server. The rule it shows has a service called: SMTP-Store_and_Forward. When I display my resources, in my rule base, there is no resource that looks like this. Where do I get one?

RE: [FW1] Solaris and IP-Forwarding and 64bit kernel

2000-11-30 Thread Longman, Bill
I, too, have a question about the install on Solaris. When installing on Solaris 2.7, it (CP2000) complains that it won't run with the 64bit kernel. Does anyone know how to disable that and run 32bits? Bill -Original Message- From: Alonzo Vera [mailto:[EMAIL PROTECTED]] Sent:

Re: [FW1] Securemote issue

2000-11-30 Thread Andrew Bagrin
Why don't you put them on DHCP in the office? Andrew Bagrin Secure-1 865-803-2748 www.secure-1.com - Original Message - From: Kimberly Newton [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, November 30, 2000 5:21 PM

RE: [FW1] Blocking vbs

2000-11-30 Thread Goldoff, Erik
Here's the Kixtart code in my login script (nothing confidential, I actually got the idea from one of the list-servs (not this one)) ; **module to change default VBS double-click to Notepad instead of WScript.exe Existkey("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell")

Re: [FW1] Solaris and IP-Forwarding and 64bit kernel

2000-11-30 Thread Allen Pomeroy
To change modes, enter the following at the "ok" prompt: To set up booting 32-bit mode: setenv boot-file kernel/unix To set up booting 64-bit mode: setenv boot-file kernel/sparcv9/unix Or, after booting Solaris, login as root and enter the following: To set up booting 32-bit mode: eeprom

[FW1] NT or Unix

2000-11-30 Thread Jack Klein
We are in the midst of a controversy and would like to hear some opinions. Should we install a FW-1 on an NT or a Unix machine? Why? Thanks for all of your opinions.

[FW1] 4.1 SP2 Build Number??

2000-11-30 Thread Jason Witty
All, Can someone please post the build number for 4.1 SP2? It's not on Phoneboy's site yet. All he has is: Build V.SP - 3083 3.0b SP8; 3096 3.0b SP9; 4031 4.0 SP1; 4034 4.0 SP2; 4056 4.0 SP3; 4064 4.0 SP3 + hotfix; 4066 4.0 SP4; 4094 4.0 SP5; 41439 4.1 SP0

RE: [FW1] NT or Unix

2000-11-30 Thread Jeff Quinonez
Flamebait! LOL Kidding of course... I would choose Solaris, if for nothing else because of IP forwarding. -Original Message- From: Jack Klein [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 11:04 AM To: '[EMAIL PROTECTED]' Subject: [FW1] NT or Unix We are in the midst of

RE: [FW1] Solaris and IP-Forwarding and 64bit kernel

2000-11-30 Thread Marc Jacquard
Disable 64-bit mode An easy way to do this would be to cd /platform/sun4u and edit the boot.conf file. You would just comment out the line for 64-bit mode and reboot the machine. As for IP forwarding, if you do not disable IP forwarding in the OS the system has a window when the firewall is

Re: [FW1] 1 minute VPN Outages

2000-11-30 Thread Chris H
Not using perfect forward secrecy. --- CryptoTech [EMAIL PROTECTED] wrote: Perhaps key exchanges. Are you using Perfect Forward Secrecy? CryptoTech Chris H wrote: Running IKE VPN to one of our overseas offices. 4.1 SP2 Enterprise server and management module in US 4.0 latest

Re: [FW1] NT or Unix

2000-11-30 Thread Scott Schindler
Nokia. Due to cost, ease of setup, Unix-based and somewhat armored when shipped. Also, free HA and scalable system design. (oh and we sell it too) ;) As Jeff mentioned, this is like asking Floridians who should be President. Just pick the one your team is most comfortable with. Technical and

RE: [FW1] 4.1 SP2 Build Number??

2000-11-30 Thread Marc Jacquard
The build number for SP2 is 41716. Marc Jacquard SR. Systems Engineer Fujitsu America, INC. Hilo Office email: [EMAIL PROTECTED] Telephone: 808-934-4103 Pager: 888-787-5814 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jason Witty Sent: Thursday,

RE: [FW1] 1 minute VPN Outages

2000-11-30 Thread Tim Cullen
I saw the same issues. For me it was the link "across the pond". It would hiccup every so often and make the tunnel go down. I tried turning the renegotiate times down but still had the issue. Finally I got the provider to own up to the link instability, he resolved his issue and it resolved

RE: [FW1] Securemote issue

2000-11-30 Thread Dan Guinn
Good point...DHCP could make life much easier, but it could also make the machine complain that it can't get an IP when it's remote. Dan Guinn NetStar Communications -Original Message- From: Andrew Bagrin [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 1:39 PM To: Kimberly

RE: [FW1] NT or Unix

2000-11-30 Thread Dan Guinn
IMHO: Both NT and Unix/Linux are viable platforms, mainly it's just which one you feel more comfortable administering. There are pros and cons for both, but I have installed several FW-1 machines on Linux, and several on NT4. Both seem to work about the same (unless you put them under a lot

Re: [FW1] Securemote issue

2000-11-30 Thread Andrew Bagrin
That's how all Regals users are setup and we don't have any complaints Andrew Bagrin Secure-1 865-803-2748 www.secure-1.com - Original Message - From: Dan Guinn [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 30, 2000 3:02 PM Subject: RE: [FW1] Securemote issue Good

RE: [FW1] NT or Unix

2000-11-30 Thread Mark Decker
I can vouch for Dan on this point. I've seen several different benchmark results that give Unix a 20-40% advantage over NT on max throughput, depending on the Unix flavor. Solaris performance is hard to compare fairly because the HW platforms used to test are always different, but you can do a

[FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Greg Winkler
We use a 10.x.x.x network internally per RFC 1918. Up until today I've used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to all of my internal hosts. It has been very convenient to use this in my rules, for example "internal any http accept". I now have a need to "partition

RE: [FW1] dnsinfo.C LMhosts

2000-11-30 Thread Hanke, Christian (DC)
I'm having the exact same problem. A sample posted to this list would be great! Thanks, -Original Message- From: Johnson, Dave [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 9:53 AM To: 'CryptoTech'; Johnson, Dave Cc: [EMAIL PROTECTED] Subject:RE:

Re: [FW1] NT or Unix

2000-11-30 Thread Carl E. Mankinen
Well, I just had a problem on NT installation that I have seen a couple times now. I am running CP2000 SP2 at this site and what happens is that I install the policy via the GUI client. It shows that it has compiled it successfully and supposedly installed ok. However, my old rule base is

RE: [FW1] NT or Unix

2000-11-30 Thread Steven Schuster
IMHO, if you are going to be running in a distributed environment, run the management portion on the NT box and the gateways on UNIX (either Solaris or Nokia). The UNIX boxes will give a more stable environment for the filtering. Steve Schuster, CCSA, CCSE, CCSI, CCNA Midwest ISO Security

[FW1] [FW-1] Restart logging to log server

2000-11-30 Thread Jason Stout
Hi all, We've got Provider running here with all clients logging to the provider box. Every time our link goes down (thankfully not often) the clients start logging locally. Is there any way to get the client to restart logging to the Provider box without restarting FWD? We had some success

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Scott Schindler
Too easy is bad. We don't want easy security configurations. ;) (sarcasm for those that do not possess it) Yes you can get around this but the only way I know of other than re-networking and re-subnetting your network is to use another RFC 1918 network. Too many people think that using

[FW1] Nokia VRRP vs. Checkpoint HA

2000-11-30 Thread Tom Sevy
Can anyone point me to a contrast or comparison of the HA features in FW-1 4.1 vs. Nokia's VRRP implementation?

Re: [FW1] Adapting rules from 4.0 to 4.1

2000-11-30 Thread Robert MacDonald
No it doesn't work between the two GUI's, but does work while within the same GUI and moving between two policies. It's not like the Windows cut--paste. Robert Hello all, is the way to copy/paste rules between the 4.0 and another 4.1 fw1, the same as between a 4.0 and another 4.0? Before

RE: [FW1] NT or Unix

2000-11-30 Thread Dean Cunningham
The linux version has been recently ported, which has meant some stability/installation issues. It will settle down, as did other ports like NT. If performance is not an issue then NT/linux is fine. If you are expecting to use say 4 100MB cards with NAT and get high throughput then Sun or

Re: [FW1] NT or Unix

2000-11-30 Thread Andrew Bagrin
I had that problem, unfortunately bouncing the service didn't help. I had to clear the state dir. Andrew Bagrin Secure-1 865-803-2748 www.secure-1.com - Original Message - From: Carl E. Mankinen [EMAIL PROTECTED] To: Jeff Quinonez [EMAIL PROTECTED]; 'Jack Klein' [EMAIL PROTECTED]; [EMAIL

RE: [FW1] Adding rule for echo-request.

2000-11-30 Thread Reed Mohn, Anders
Thanks, all of you who answered, though I think I didn't really make my question clear. What I wondered was if the two different ways of allowing outgoing echo-requests (forget the replies) would cause FW-1 to treat the packets any differently. Anyway, I thought about it, and I'm pretty sure now

RE: [FW1] NT or Unix

2000-11-30 Thread Jeff Quinonez
Suh weet. What type of hardware are you speaking of on the Linux side? Also what flav of Linux? We have a Redhat box, um 6.2 (for shites and giggles) running on a low-end HP E60 and it hauls. I always bring up Linux solutions to my IT Director, but he, like others, fears the penguins.

RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Reed Mohn, Anders
If you want to "partition off" a piece of that 10.x.x.x net, you will have to change the subnet mask internally. That sort of answers it, doesn't it? Go with the 192.168.x.y ... Cheers, Anders :) -Original Message- From: Greg Winkler [mailto:[EMAIL PROTECTED]] Sent: 30. november

RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Longman, Bill
Yup, use 172.16.0.0 or 192.168.0.0. The easy way wins. -Original Message- From: Greg Winkler [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 12:32 PM To: [EMAIL PROTECTED] Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net We use a 10.x.x.x network

RE: [FW1] Off-topic (somewhat): How does traceroute work, anyway?

2000-11-30 Thread Reed Mohn, Anders
Thanks, guys (and dolls). I got good descriptions of the workings of traceroute from several of you. My biggest surprise in blocking ICMP, was that Linux appears to succeed in its traceroute even though the packets never reach their destination (reject). Stupid little thing, that... :)

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Christine Tran
From: "Greg Winkler" [EMAIL PROTECTED] Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net We use a 10.x.x.x network internally per RFC 1918. Up until today I've used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to all of my internal hosts. God I can't

RE: [FW1] NT or Unix

2000-11-30 Thread Mark Decker
The apples-to-apples benchmarks I mentioned were performed on Penguin Computing boxes (700Mhz Intel processor, 128MB RAM) using FireWall-1 v4.1. Tests were run with both Red Hat Linux with the 2.2.16 kernel, and with NT 4.0 SP6. The Linux throughput numbers were more than 40% higher than the

RE: [FW1] NT or Unix

2000-11-30 Thread Frank Darden
sounds like bad putkeys to me -Original Message- From: Andrew Bagrin [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 4:18 PM To: Carl E. Mankinen; Jeff Quinonez; 'Jack Klein'; [EMAIL PROTECTED] Subject: Re: [FW1] NT or Unix I had that problem, unfortunately bouncing the

[FW1] Suspicious entry in FW log

2000-11-30 Thread Hoang
I just saw a bunch of entries in my log generating from my internal mail server. The log shows drop connections to 3.0.0.2 on UDP port 1090 and 1257. Those entries are created every minute for the whole day. I have OWA on my server, and only allow SSL and SMTP to go thru. Once I restart the

[FW1] subnet option?

2000-11-30 Thread Elaine Lolos
Hello, I am trying to get a VPN working between a Solaris Firewall-1 system running v4.0 SP5, and a site running FreeBSD and racoon, using ISAKMP. I was told there was a Checkpoint option "Support key exchange for subnets" but cannot see it anywhere within the GUI. Is there such an option?

RE: [FW1] NT or Unix

2000-11-30 Thread Geoffrey Moon
Has anyone done any VPN benchmarking (especially 3DES)? I think for those of us with T1 or slower connections, that's the only place we're going to see practical performance differences, unless you're on some really old hardware. In our case, average CPU utilization was around 5% until we

[FW1] FTP/SunRPC Probe?

2000-11-30 Thread Robert C. Wessel
A couple of hours ago my network got scanned for FTP servers, and promptly after the FTP scan ended, all of my FTP servers were probed for SunRPC. Nothing happened, of course, but I've not seen this combination before. Is this some new exploit/vulnerability that I've missed hearing about,

RE: [FW1] subnet option?

2000-11-30 Thread Randy Garbrick
I think that you need Firewall-1 v4.1 for that. -Original Message- From: Elaine Lolos [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 4:06 PM To: [EMAIL PROTECTED] Subject: [FW1] subnet option? Hello, I am trying to get a VPN working between a Solaris

[FW1] moving firewall to a different machine

2000-11-30 Thread Rajesh Bandar
Hi, I am planning to move the firewall (Checkpoint ver 4.0) to a different machine. Basically I am moving the firewall from Ultra-1 to an E250 machine. Is there any documentation to move Firewall from one machine to another machine? I am planning to do the following steps: 1. Install

Re: [FW1] Interoperability issues with CacheFlow server

2000-11-30 Thread Jason Witty
I'm running this exact configuration with no troubles at all. I have the internal side of the CacheFlow plugged into the internal FDRY switch, and the external leg of the CacheFlow plugged into my publicly IPed DMZ. Then I just had to allow the CF's external IPs to leave the network via a

RE: [FW1] NT or Unix

2000-11-30 Thread Tom Sevy
This all assumes you are only concerned about throughput to/from the Internet. If you have an internal segment and a DMZ segment, you may care more about throughput since traffic between those two would be bottlenecked at the FW-1 box(es). -Original Message- From: Mark Decker

[FW1] Oracle FTP Problem

2000-11-30 Thread Raymond Tuggle
Hello We are running FW1 4.0 SP 6 on Solaris 2.6. We are having ftp problems connecting to oracle-ftp.oracle.com. The problem is related to the large welcome banner that the ftp site has. The banner is split over several packets. Thus the first packet containing the banner doesn't end

Re: [FW1] Nokia HA options

2000-11-30 Thread Jason Witty
I have one config with Sun/Foundry switches/OSPF, one config with Nokia/VRRP/OSPF+FDRY for Server load bal., and am toying with one just using Nokia/VRRP/Static routes. All of them could work great, but as usual, it depends on what you're trying to accomplish, how large your budget is, the

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918net

2000-11-30 Thread Robert MacDonald
Greg, Create a network object for the 250 network with the appropriate mask. Then place a new rule with the 250 network object before the general 10 object. You shouldn't need to make any routing changes, since all traffic for the 10.x.x.x that comes to the fw, will be sent to the appropriate

[FW1] Need help

2000-11-30 Thread Deny Fahruddin
Hi, Need help asap. 1. Firewall-1 4.0 (NT based) 2. Web Server - NAT 3. Mail server -NAT I can ping the public ip to MailServer from firewall and also from outside world BUT I cannot ping the webserver from outside world, only can ping from firewall. Thanks. Deny

RE: [FW1] subnet option?

2000-11-30 Thread Andre van der Lans
The "Support key exchange for subnets" checkbox can be found in the firewall workstation object properties. Firewall object - VPN Tab - Edit IKE - Right below in the corner Regards, Andre -- From: Elaine Lolos[SMTP:[EMAIL PROTECTED]] Sent: Friday, December 01, 2000 1:06 AM To:

RE: [FW1] Need help

2000-11-30 Thread Andre van der Lans
Have you configured the web/mail server to use your firewall as your default gateway ? Regards, Andre -- From: Deny Fahruddin[SMTP:[EMAIL PROTECTED]] Sent: Friday, December 01, 2000 5:46 AM To: '[EMAIL PROTECTED]' Subject:[FW1] Need help File: ATT00012.html Hi, Need

RE: [FW1] Need help

2000-11-30 Thread Deny Fahruddin
Thanks for all the help... it's solved now. Thanks, deny f

Re: [FW1] Nokia HA options

2000-11-30 Thread Emmanuel Bailleul
Hi, Depends. Do you need to preserve active connections when switching occurs ? Emmanuel Bailleul Ascom Adilan SA Parc des Glaisins 14, Rue du Pré-Paillard 74940 ANNECY-LE-VIEUX Tel. +33 (0)4 50 64 02 49 Fax. +33 (0)4 50 64 09 98 WEB: http://www.adilan.fr "S'il n'y a pas de solution, c'est