RE: [FW1] Nokia & Floodgate

2001-01-29 Thread Samuel Wuethrich
Comments inside -Original Message- From: Robert A. Wallace [mailto:[EMAIL PROTECTED]] Sent: Montag, 29. Januar 2001 19:18 To: [EMAIL PROTECTED] Subject: [FW1] Nokia & Floodgate Does anyone have any information on running FW-1 and Floodgate on the same Nokia appliance (IP440 or IP650) i

RE: [FW1] FW's constantly changing state

2001-01-29 Thread Jeff Hochberg
Do you have a rule that allows for VRRP traffic to pass between the two modules? If not, that will definitely cause a big problem for you. Through Voyager, go to the Checkpoint FireWall-1 options and turn off the "run ifwd to monitor interface changes". What version of IPSO are you running? -

Re: [FW1] Nokia IP650 - HA vs VRRP

2001-01-29 Thread James_E_Clukey
Raymond: Not sure. We have only been using the VRRP stuff with a cross-over cable between our FWs for the state-table synchronization. I just upgraded the IPSO and CheckPoint versions only recently and have not had a chance to dig into the CheckPoint HA stuff; so I do not know if we need

Re: [FW1] unknown established TCP packet

2001-01-29 Thread James_E_Clukey
Steve: The problem that I think that you are having is trying to edit the file with Notepad. Notepad, I believe appends CR/LF to the ends of the lines in the file that you are trying to edit and CheckPoint does not like it. Try using something like edit.exe and see if that doesn't fix you

RE: [FW1] SQL 2000

2001-01-29 Thread Dan Hitchcock
You will first need to ensure that your SQL server itself is accepting TCP connections for management (SQL 7.0 defaults to named pipes only; SQL2000 gives you a TCP option at install, but defaults to port 0). The default port on SQL7 is TCP1433. Once you have accomplished this, you simply need

RE: [FW1] unknown established TCP packet

2001-01-29 Thread Richard Parry
Steve; We had the same problem, and regressed the firewall concerned back to SP2. Basically there was nothing we could get to work, on Linux or Solaris. I expect this is a major functionality problem with SP3. However, we've had no problems with SP2. Hav

[FW1] SQL 2000

2001-01-29 Thread Jeff Reinhardt
I need some help setting up the Service objects to allow SQL7 and SQL2000 Enterprise Manager access from outside the firewall. Thanks! Jeff Reinhardt ___ XFire Software http://www.xfiresoftware.com

[FW1] Nokia relay DHCP request?

2001-01-29 Thread Raymond N
Hi there, I am thinking to setup an internal firewall with the Nokia Firewall-1. One problem is workstation in network-a needs to go through the Nokia firewall-1 and gets Ip address from dhcp server in network-b. In a cisco router, I can use command like "ip helper" to get the dhcp relay. But

Re: [FW1] Nokia IP650 - HA vs VRRP

2001-01-29 Thread Raymond N
Thanks for the response. I don't have any on-hand experience on the Nokia's VRRP, that's why I don't know the differences between the CP's HA and the VRRP. Now, it would appear to me that if I use Nokia, I don't need HA. -raymond At 10:02 AM 1/29/01 -0600, you wrote: > > > >Raymond: > >

[FW1] unknown established TCP packet

2001-01-29 Thread Partridge, Steve
Hi all, I am trying to stop logging 'rule 0 unknown established TCP packet' as per PhoneBoy's recommendations http://www.phoneboy.com/fw1/faq/0408.html . I can not get it to work. I am not trying to revert to the old behavior. I am only trying to sto

[FW1] When the firewall object is used in "Install On"

2001-01-29 Thread David
Can someone confirm for me that when you install a policy where the firewall object is used in the "Install On" column, that it will apply the policy eitherbound? I was told this would happen, even if you have inbound specified in the policy properties menu. I was told this by our vendor.

[FW1] StoneBeat mailing list available

2001-01-29 Thread Mark . Boltz
Hello, Since there's been discussion on this list in the past, I thought I'd announce that there is now a StoneBeat mailing list available. It is hosted through SecurePoint, with information, subscription info, etc. available at: http://lists.securepoint.com/listinfo/stonebeat This list also h

RE: [FW1] 'fw_xlate_backw_drv' error

2001-01-29 Thread Kain, Becki (B.)
Is this really the case, that these messages can be ignored? thanks becki kain -Original Message- From: Chris F [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 19, 2000 4:18 PM To: +Checkpoint (grupa dyskusyjna); CheckPoint Mailing List (E-mail) Subject: RE: [FW1] 'fw_xlate_backw_d

[FW1] Anyone using a fault tolerant Sun servers for FW-1?

2001-01-29 Thread Andy Welter
I haven't seen this discussed on this list before... Is anyone using the Sun fault tolerant Netra ft1800 system (or something similar) for their firewall platform? It seems to me like this might be a good alternative for some users. You get the benefit of fault tolerance without the cost of a

Re: [FW1] Where can I find this white papers?

2001-01-29 Thread Robert MacDonald
Iztok, Are you looking for the old Checkpoint/~Joe documents? These can be found at(may be wrapped): http://support.checkpoint.com/service/publisher.asp?id=55.0.4222079.2607206 Robert >>> "Iztok Umek" <[EMAIL PROTECTED]> 01/29/01 01:58PM >>> > >When I tried to find info for CP 2000 (And Wind

[FW1] problem with in.lhttpd

2001-01-29 Thread Pires, Michael
I keep getting the following error on my firewall module in the log file in.lhttpd. It keeps repeating itself until the /var partition is full.. Is someone keep trying to connect to it? or what can I do to stop it... on a solaris 2.6 Thanks fw: no license for 'connect' in.lhttpd: No License for

[FW1] 'Valid addresses on Interfaces' setting

2001-01-29 Thread Allan Pratt
Hi, Anyone have some thoughts on the interface setting: Valid addresses on Interfaces Should it be set to ANY? A specific network? Thanks, /ap

[FW1] Shadow DNS domain slave MetaIP

2001-01-29 Thread Ed Davidson
So I have MetaIP running a domain we will call DOMAIN.COM. I have internal DNS servers which give out an internal IP address such as 192.168.100.1 for www.domain.com. I have split the domain and created another set of servers to handle the external address so that they resolve to the public IP

RE: [FW1] dnsinfo

2001-01-29 Thread Gregor Munro
Idan, be VERY careful with the placement of spaces etc. Also, what is the client that you are using? Win 9x or later? There is a different LMData portion required for win9x clients (that is undocumented). If any part of the file is wrong, then you will not be able to get it working. Please revie

[FW1] Removing objects using a command line ??

2001-01-29 Thread Sterling, Chuck
Using fw-1 3.0b on a Sun Solaris 2.6 system, is there a shell command that will remove a workstation object from the database? I'm looking for something like "fw remove_object object " where an object would be removed from the list of objects and all the rules and groups in which it occurs and

RE: [FW1] PC Anywhere version 9

2001-01-29 Thread Jose Vicente da Costa Machado Filho
Hi, I think that you restrict the source IP to the address of your partner should minimize the problem. The PC Anywhere has the same problems that any other software has accessing your internal network from outside. Keep your version up to date and res

[FW1] Where can I find this white papers?

2001-01-29 Thread Iztok Umek
When I tried to find info for CP 2000 (And Windows 2000 servers/clients environment) I found this document (for NTs) but they direct you to other one I can't find. FAQ: Troubleshooting Hints for Browsing an NT Domain Version 1.0 NOTE: This document is obsolete as of CP2000. Please consult the S

[FW1] Cron not working on IPSO 3.3 !

2001-01-29 Thread Ralf Guenthner
Hi list I'm at my wits end here and could really use some insight: On a Nokia 330 with the latest IPSO 3.3, the cron daemon stubbornly ignores what I enter via the "crontab -e" command. A crontab file is surely created, containing exactly what I want (an fw logswitch, called every night before

[FW1] PC Anywhere version 9

2001-01-29 Thread Varnam, Gary
Hello, I am being forced to allow pcanywhere version 9 using a user defined port number thru the firewall from one of our contractors to support some nt based apps. Have anybody on the list setup pcanywhere have any security loopholes or other snippets of info I should be aware of when installing

Re: [FW1] Reporting tools

2001-01-29 Thread Marc Dugre
I believe the product you're referring to here is Telemate.Net. Telemate was originally designed for Telcos, that's why it displays everything in terms of cost ratios. The advantage that Telemate has over others is that it supports multiple data sources. Something the others don't do for the mo

[FW1] Nokia & Floodgate

2001-01-29 Thread Robert A. Wallace
Does anyone have any information on running FW-1 and Floodgate on the same Nokia appliance (IP440 or IP650) if so, what issues if any have you had? What IPSO version? What memory configuration? Nokia seem to shy away from this setup! Thanks, Rob Wallace

RE: [FW1] Nat on securemote connections

2001-01-29 Thread Jeff Newton
Careful with IP Pool NAT. Users are unaware of what NAT'd ip address is assigned to their connection and as a result, can't use any tools which rely on their *real* ip address. Eg. Exceed doesn't work since the display variable is set to their *real* ip address. Cheers, >The closest thing I'

RE: [FW1] Nat on securemote connections

2001-01-29 Thread Dan Hitchcock
The closest thing I'm aware of is IP Pool NAT, which allows you to define a pool of addresses for use by inbound SR clients. This may fit your scenario; if, for example, you need to create ACLs to restrict SR users to certain resources, you would use the Pool addresses as your ACL. HTH Dan Hit

[FW1] Reporting tools

2001-01-29 Thread Milliken, Larry
Does anyone know of a Reporting tool/app that runs on a separate box (from the firewall) that will read/import the logfile from FW1-4.0 that's located on another machine (Unix Solaris)? Thanks in advance, Larry Milliken

RE: [FW1] Reporting tools

2001-01-29 Thread Adams, Gavin
Fwlogsum is one such tool. http://www.ginini.com.au/tools/fw1/ HTH, --- Gavin -Original Message- From: Milliken, Larry [mailto:[EMAIL PROTECTED]] Sent: Monday, January 29, 2001 12:37 To: [EMAIL PROTECTED] Subject:[FW1] Reporting tools Does anyone know of a Reportin

Re: [FW1] Reporting tools

2001-01-29 Thread James_E_Clukey
Larry: There are several: CheckPoint's Reporting Module ( www.checkpoint.com/products/reporting/ ), Webtrends FireWall Suite (www.webtrends.com/products/firewall/default.htm ), Websense, CheckPoint FireWall-1 Edition (www.websense.com/products/integrations/c

Re: [FW1] Reporting tools

2001-01-29 Thread Marc Dugre
Telemate.Net and WebTrends. Marc - Original Message - From: "Milliken, Larry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, January 29, 2001 11:36 AM Subject: [FW1] Reporting tools > > Does anyone know of a Reporting tool/app that runs on a separate box (from > the firewall

Re: [FW1] FW's constantly changing state

2001-01-29 Thread James_E_Clukey
Mike: Do you have at your disposal a sniffer? If not, try and run tcpdump on your FWs and look for Multicast traffic. If you see someone sending Multicast broadcast traffic on any of the networks that are connected to your Nokia's this would be the cause. Have you placed any new net

[FW1] dnsinfo

2001-01-29 Thread Idan Dolev
Guys, I am able to see my LMhost file updated but my hosts file stays the same, is it supposed to get updated from my dns server, what exactly is supposed to be written there? ( :dns_servers ( : (spock.firewall :obj ( : (10.10.1.100) ) :topology ( : ( :ipaddr (10.10.1.0) :ipmask (255.255.255.0) )

Re: [FW1] two IP650 running VRRP

2001-01-29 Thread James_E_Clukey
Glenn: CheckPoint some time back changed their stance as to when (or when you don't) need a second license. People on the list can correct me if I am wrong but... If I remember correctly CheckPoint says that if you have two FWs and one of them is a "Hot" standby (Nokia's using VRRP,

Re: [FW1] ftp connect thru fw1 takes alot of time

2001-01-29 Thread Robert MacDonald
Oliver, Is this inbound to you or outbound to another system? What FTP client are you using? Sounds like a resolution issue. How's your DNS resolution? Have you tried to connect using the IP address and not a name? I seriously doubt this, but do you see an 'ident' packet in your logs at the mo

Re: [FW1] Nokia IP650 - HA vs VRRP

2001-01-29 Thread James_E_Clukey
Raymond: Yes they are different. Think of it this way; The Nokia's are routers, therefore VRRP will fail-over what the router does. Whereas the CheckPoint stuff (of which is new for 4.1 SPx) will failover what CheckPoint does (services, connections, etc.) And you can use both at the same

Re: [FW1] Authentication via web on FW-1 using 900 stopedworking

2001-01-29 Thread Robert MacDonald
Mike, Is the NT system still listening on port 900? Not to take the easy way out, but have you tried to bounce the fw1 software (fwstop;fwstart) or the whole box? Robert >>> Mike Glassman - Admin <[EMAIL PROTECTED]> 01/28/01 10:08AM >>> > >All, > >I used to be able to authenticate to the FW usin

[FW1] Can anybody use Cisco 4840G ...

2001-01-29 Thread Serhat Erkan
or Local Director for FW Load balancing ? What about performance & cost effectiveness to other solutions (Stonebeat, RADware)? __ Serhat ERKAN __

[FW1] FW's constantly changing state

2001-01-29 Thread MikeCC
Hello, I am running two Nokia 650's with FW 4.1 running VRRP. The issue I am having is that every couple of minutes both firewalls change state, from installed to disconnected and back from disconnected to installed. When I look at the VRRP status, both firewalls think they are the master.

[FW1] VPN-1 problem

2001-01-29 Thread Iztok Umek
I am trying to use SecuRemote. I get connection to the FireWall-1 and I can "Update site" ok and I get asked if I want to download security policy. Seems ok so far. Then it takes forever saying "Exchanging keys with firewall" then it errors with "Communication with site 216.189.74.34 has failed

RE: [FW1] two IP650 running VRRP

2001-01-29 Thread Luke, Jason (ISS Southfield)
I will assume that their 4.0 license was upgraded from their 3.0 license (i.e., it was not purchased for the full 4.0 price, but as an upgrade price.) You have a bunch of different options depending on what the customer wants. Currently, their license does not allow the ability to separate the FW

[FW1] Max distance for Stonebeat

2001-01-29 Thread Dickson, Peter
Has anyone got Stonebeat running over 80 Km ( approx. 56 Miles ). We are planning to use Dense Wave over this distance for running Stonebeat fullcluster. Any insights or advice would be much appreciated. Thanks Peter Dickson.

Re: [FW1] Unwanted NAT to DMZ from Internal

2001-01-29 Thread Chris F
You can create such rules in your Policy by manually adding non-NAT rules at the top as you desire. I do something similar, but not quite the same way you're inquiring about. I non-NAT between our internal LANs and our DMZ. HTH -- Chris --- John Qian <[EMAIL PROTECTED]> wrote: > Hi all, > I'm

Re: [FW1] VPN & Securemote & Encryption Domain Definition

2001-01-29 Thread Simon Hornby
Robert, Although this does not answer your exact problem, it provides a possible alternative solution for keeping costs down. Have a look at www.signify.net for low cost secure authentication. Cheers Simon Hornby >From: Peter Goodridge <[EMAIL PROTECTED]> >To: Robert Hough <[EMAIL PROTECT

RE: [FW1] Firewall-1 DMZ configuration.

2001-01-29 Thread James Edwards
I'm sure someone will correct me if I am wrong but it would seem to make more sense to move your WWW and other servers to the DMZ, give them the 111.111.111.0 network and NAT your internal network. I am assuming you only have one Class C network so are limited internally to the 256 addresses but

Re: [FW1] Service pack inf------------------------> ref : sec

2001-01-29 Thread Gill
run fw ver to get the build number that you're currently running. look up in http://www.phoneboy.com/fw1/faq/0385.html to see what SP that is. then go to http://www.checkpoint.com/techsupport to get service packs (you will have to register for a password which takes a few days). On Mon, 29 Ja

RE: [FW1] Firewall-1 DMZ configuration.

2001-01-29 Thread Paul Messer
James, thanks for this, however we actually have 8 /24 networks currently...but it would take a lot more work to NAT the entire 256 address than to assign the www et al illegal addresses...but I take on board what you've said and consider it a bit more fully...so thanks. My firewall current

RE: [FW1] Firewall to Firewall VPN

2001-01-29 Thread c_siddika
Thanks Michael and Mark, you guys were right on the money. Specifying all the interfaces on the remote gateway solved the problem. Kamran -Original Message- From: Michael Liberte [mailto:[EMAIL PROTECTED]] Sent: Friday, January 26, 2001 4:49 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]

Re: [FW1] General: Routing,(NAT) how is it working?

2001-01-29 Thread Brad Van Orden
Hi Kurt, FW-1 routes before it NATs. So, you need to make sure routes are set up for the packets to arrive at the correct port before NAT takes place. Hope this helps. Regards, Brad Van Orden Kurt Westermann wrote: > > Hi all, > We have a Firewall 1 4.0 > BTW I am new to firewalling ... >

RE: [FW1] local.arp file and Windows 2000

2001-01-29 Thread Nate Roberts
Does anyone know of anymore "gotcha" w/ W2K and Checkpoint 2K SP3? -Original Message- From: J Michael Graham [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 28, 2001 10:26 PM To: Checkpoint FW-1 List Subject: Re: [FW1] local.arp file and Windows 2000 Local.arp plain doesn

Re: [FW1] How to blok Napster dan MSN

2001-01-29 Thread Marc Dugre
Use a URL filtering such as WebSense. Cheers, Marc - Original Message - From: "Agung Samadi" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, January 29, 2001 1:55 AM Subject: [FW1] How to blok Napster dan MSN > > Hi All, > > Anybody know how to block Napster and MSN? > Any

Re: [FW1] VPN & Securemote & Encryption Domain Definition

2001-01-29 Thread Peter Goodridge
Hi Rob, Can't you have the firewall at site B check authentication by accessing the Securid server at Site A. You'll want to be very careful that all the traffic is encrypted. HTH, Pete Goodridge --- Robert Hough <[EMAIL PROTECTED]> wrote: > > I have two firewalls in two geographic locations

[FW1] Nat on securemote connections

2001-01-29 Thread Andrea Paita
Hi all, I need to nat all the connections from securemote clients, so that all connections appears to come from a single internal address (source nat). Have anybody something to suggest on this issue? Bye, Andrea --- Ing. Andrea Paita Consultancy & Projects Group Via della Camilluccia, 693 0013

[FW1] Firewall-1 DMZ configuration.

2001-01-29 Thread Paul Messer
Dear All, we here have a problem...in that we have no DMZ currently I want to move all our externally facing www and ftp etc servers to a DMZ and I'm considering the Nokia FW platform to do it with...currently we're running it on an NT server. All the FTP and www servers have the same cl

RE: [FW1] ftp connect thru fw1 takes alot of time

2001-01-29 Thread Chris Arnold
Could be the ftp server trying to do a reverse lookup of the client IP address and needing to time-out before a login prompt appears. Chris -Original Message- From: Oliver Jaeckel [mailto:[EMAIL PROTECTED]] Sent: Monday, January 29, 2001 7:36 AM To: '[EMAIL PROTECTED]' Subject: [FW1]

[FW1] General: Routing,(NAT) how is it working?

2001-01-29 Thread Kurt Westermann
Hi all, We have a Firewall 1 4.0 BTW I am new to firewalling ... My Problem is we can't send mails to another net on the firewall. The wall has 4 connections, one to the Internet, one to the DMZ, one to our internal Net and the last to another internal Net. We created rules for both email Servers

[FW1] Allow access using pcanywhere version 9

2001-01-29 Thread Varnam, Gary
Hello, I am being forced to allow pcanywhere version 9 using a user defined port number thru the firewall from one of our contractors to support some nt based apps. Have anybody on the list setup pcanywhere have any security loopholes or other snippets of info I should be aware of when installing

[FW1] unknown established TCP packet

2001-01-29 Thread Jörg Weber
Hello list, I've a funny problem with my FW-1. My logfiles are getting filled with entries like this: Source==some_ip Dest=Our_External_IP Proto=HTTP Drop: rule 0 unknown established TCP packet My clients are surfing the web with our external IP and hide-NAT. Someone got an idea? Thanks alread

[FW1] rule 0: unknown established TCP packet

2001-01-29 Thread Jörg Weber
Hello list, my logfile is getting filled with drops like this: source=some_source_ip dest=our_external_ip proto=http dropped by rule 0 because of unknown established TCP packet. Our external IP is the IP Address my clients surf the web with (they're behind a hide-nat rule). Anyone got an idea?

[FW1] ftp connect thru fw1 takes alot of time

2001-01-29 Thread Oliver Jaeckel
hi all! using an active ftp connection does work but it takes up to three minutes until the client gets a reply and can login. the fw1 4.1 sp3 logs a correct "accept" for ftp. that's all. what could be the cause for such behaviour? Regards, oliver jaeckel

Re: [FW1] FW-1 connection table size vs. RAM == No answer previously==

2001-01-29 Thread Carric Dooley
I guess my first question would have to be: if you are peaking at 50K conns, why do you think you need 200K or 500K? I am working on a site currently with roughly 115K users. I am managing 6 pairs of firewalls (just got the new pair on-line). Our

Re: [FW1] Memory Leak

2001-01-29 Thread MICHELE RIVIERI
I've got the same problem (same configuration but with SP2), I checked the task manager and I found that the problem is related to "cpmad" task (it's the task performing Malicious Activity Detection). It's memory usage should be blocked under 75000 KB (by default), but as I see it is not. Waiti

[FW1] Service pack inf------------------------> ref : sec

2001-01-29 Thread security
Hi all,   I request you all , if you have any information for the following...   I have installed firewall ver 4.1.   1. I want to know what service packs comes with this ? 2. Is that I have to download service packs from website, if so installation procedure (in brief). 3. And also is that I

Re: [FW1] why not a bridge?

2001-01-29 Thread Roy G. Culley
Chris Arnold <[EMAIL PROTECTED]> write: > Linux can act as a bridge. There is a patch to allow the Linux bridging s/w to work with ipchains. A colleague of mine built what he calls a TuxScreen. It uses the bridging s/w with ipchains to create a stealth Linux firewall. Works very well and is nic

Re: [FW1] why not a bridge?

2001-01-29 Thread Roy G. Culley
[EMAIL PROTECTED] wrote: > I hate to say this, but... try thinking outside the box! Just because the > bridge you bought ten years ago doesn't have the functionality that I am > suggesting doesn't mean that it shouldn't be done! Or tried at least. > > I am not mistaking anything, I just think

[FW1] FTP Problems

2001-01-29 Thread Joe
We are using CheckPoint FireWall-1, the latest version with Service Pack 3 for Solaris 2.6. We have some problems with the FTP connection since we installed service pack 2. We have 2 kind of ftp servers running: the ftp of Microsoft IIS 3.0 and Ipswitch FTP Server 1.05. What

[FW1] I have some problem about CPfw1 and Lotus Domino return mail.

2001-01-29 Thread tchat
Hi All I have some problem about return mail from Lotus domino server to the sender. If someone send mail to my Lotus mail exchange server but there aren't receiver or receiver don't have permission to receive mail from outside, this mail was rejected by Firewall by the reason is "rejec