Title: Internal DNS
But how does it know, according to the name you are trying to resolve, whether it
is in your internal or external DNS? Does it ask the internal one first, and only
if it does not know the answer ask the second one?
-----Original Message-----
From: Fowler, Gary
Hello!!!
I need to know if anyone has installed eSafe Gateway build 36 in bridge mode (PnP)
behind the FW-1 station.
If yes, did you have a problem while installing it?
lior arbel
IBM Israel
security Team
[EMAIL PROTECTED]
Hi
Anyone know how to get a (FW-1 4.0 on NT) rulebase into text format (or ideally excel/access format) ?
Thanks
T
Good $daytime,
I am running Squid in my DMZ. Of course not all HTTP traffic is directed to
port 80. Specifying all possible HTTP port numbers is hardly worthwhile, if at
all possible.
To make things work I need to enable:
proxy Any Any accept ...etc
However, this one does not see the
Didn't try it yet, but it should.
After you have set up your Win2K CA server:
1. Create a CA server in your fw
2. Generate a certificate request for your fw object (Manage Network Objects -
your_fw_object, in the Certificate tab)
3. Install the generated certificate for the fw
4. Generate a user
Hi T,
try the fw logexport command as described in the "FireWall-1 Architecture and
Administration" guide. With a delimiter like ; it's no problem to import the
resulting ASCII file into Excel/Access. But remember the Excel limitation on the
number of rows in a table.
Greetings from Germany
Bjoern
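An added example, not code from the thread or from Check Point: the delimited file that fw logexport -d ";" writes has to be split before it will fit in a spreadsheet with a 65,536-row limit (Excel 97-2003). The script below parses such an export, validates the field count per record, counts actions, and cuts the rows into sheet-sized chunks. The header and the three records in SAMPLE_EXPORT are constructed for illustration (an abbreviated field list, not real firewall log data), and the assumption that the first line of the export names the fields is mine, not stated on the page.

```python
"""Split a delimited 'fw logexport' file into spreadsheet-sized chunks.

Assumptions (not from the page): the export's first line is a header naming
the fields, each record is one line, and fields are separated by the
delimiter given to 'fw logexport -d'. SAMPLE_EXPORT is constructed.
"""
import csv
import io

EXCEL_MAX_ROWS = 65_536   # rows per sheet in Excel 97-2003
DELIM = ";"

# Constructed sample in the shape of a ';'-delimited export (abbreviated fields)
SAMPLE_EXPORT = """num;date;time;orig;type;action;i/f_name;src;dst;proto;service
1;31Jan2001;09:44:12;fw1;log;accept;eth0;10.1.1.5;192.0.2.10;tcp;http
2;31Jan2001;09:44:13;fw1;log;drop;eth0;203.0.113.7;192.0.2.10;tcp;telnet
3;31Jan2001;09:44:15;fw1;log;accept;eth1;10.1.1.9;192.0.2.25;udp;domain
"""


def parse_export(text, delim=DELIM):
    """Return (header, rows); rows are dicts keyed by the header fields."""
    reader = csv.reader(io.StringIO(text), delimiter=delim)
    header = next(reader)
    rows = []
    for rec in reader:
        if not rec:                       # skip blank lines
            continue
        if len(rec) != len(header):       # a bad split would misalign every column
            raise ValueError(
                f"record {rec[0]!r} has {len(rec)} fields, expected {len(header)}")
        rows.append(dict(zip(header, rec)))
    return header, rows


def chunk_for_excel(header, rows, max_rows=EXCEL_MAX_ROWS):
    """Yield row lists that each fit on one sheet together with the header."""
    per_sheet = max_rows - 1              # one row of every sheet is the header
    for i in range(0, len(rows), per_sheet):
        yield rows[i:i + per_sheet]


def write_chunks(header, rows, prefix, delim=DELIM):
    """Write each chunk as <prefix>_<n>.csv, header first; return the names."""
    names = []
    for n, chunk in enumerate(chunk_for_excel(header, rows), 1):
        name = f"{prefix}_{n}.csv"
        with open(name, "w", newline="") as fh:
            writer = csv.writer(fh, delimiter=delim)
            writer.writerow(header)
            for row in chunk:
                writer.writerow([row[field] for field in header])
        names.append(name)
    return names


def count_by_action(rows):
    """Tally records per firewall action (accept, drop, ...)."""
    counts = {}
    for row in rows:
        counts[row["action"]] = counts.get(row["action"], 0) + 1
    return counts


if __name__ == "__main__":
    hdr, recs = parse_export(SAMPLE_EXPORT)
    print(len(recs), "records;", count_by_action(recs))
    print(write_chunks(hdr, recs, "fwlog"))
```

Point it at a real export with `parse_export(open("fw.log.txt").read())`; if the field count check trips, the delimiter you chose appears inside a field value and you should re-export with a different one.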
Hi
Hello,
If in the properties of the firewall workstation the IP address is the internal
one, then on dialup the client can create the site and download the keys, but
you get this:
"Error: No answer received from firewall at site XXX"
You must put the external IP address in the properties.
Hi,
Did somebody manage to deploy OWA on FW-1 4.1 SP3 on Linux? With https or
http? Internal certificate or external?
Somehow it seems SP3 does not work with OWA? If I downgrade to SP2 it
does.
Idan
Hi,
Did anyone read "Checkpoint Firewalls: An Administration Guide" by Marcus
Goncalves?
Is this book recommendable, or just a copy of the Checkpoint Administration
Guide?
What about the content? I need detailed information about Checkpoint VPN-1.
Thank you.
Chris
It would be very kind if anyone could send me a solid technical comparison
between Cisco PIX and Checkpoint.
Thanks
Mustetab
Network Security Engineer
e-Secure Division
HCL COMNET Systems Services Ltd.
A-Block 207 , 2nd Floor , Swapnalok Complex
S. D. Road , Secunderabad - 500 003
Ph. No. :
I bought the book before doing CCSE and thought it was pretty good as it
covers the whole range of FW topics. It isn't OS specific, which helps for
a general view. However, the VPN stuff is far better covered in the course
notes (book 3 advanced). Depends what you want, but still a good book to
You have a script (in Perl) at http://www.phoneboy.com/fw1/
called fwrules.pl
On Wed, 31 Jan 2001 08:18:55 +
[EMAIL PROTECTED] wrote:
Hi
Anyone know how to get a (FW-1 4.0
I have the following problem with a Nokia IP440 VRRP setup ...
This is the setup :
SiteA-| FWA|-|xDsl-modem|-- internet
|Cisco-router|--|Gateway-clusterB|-|MgmtB|SiteB
FWA = single gateway, v4.1SP2 on NT4
Gateway-clusterB = 2 Nokia's IP440 (FWB1 and
I'm trying to find a text outlining what the minimum set of packages
that needs to be present for FW-1 4.[01] to install happily, and not
more.
I'm also sure that this question must have been answered before (but i
can't find anything in any archive or on securityfocus.org about
this).
Title: RE: [FW1] Ike with radius authentication
Thanks for the response, but with that configuration, SecuRemote reports that "IKE is
not properly defined for user" and FW1 reports that "User cannot use IKE".
RADIUS works fine for FWZ.
-----Original Message-----
From: Ilya Akinfiev
Hi folks,
A friend of mine was installing a rather large rule base and during the install
he got an error and the GUI
When I try to set up a VPN between a Watchguard Soho|tc and a Firewall-1
v4.1 SP2, I get a message "invalid cookie" in the FW-log during phase 1
stage 2 of the key-exchange (using DES and SHA1).
Does anyone know what is happening in phase 1 stage 2 during key-exchange ?
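As an added illustration of where the cookies live in an IKE phase 1 exchange (this is example code written for this page, not a capture from the Watchguard/FW-1 setup above and not a description of FW-1's internals): RFC 2408 puts an 8-byte initiator cookie and an 8-byte responder cookie at the front of every ISAKMP header. The first main-mode message carries a zero responder cookie; the responder fills in its own cookie in message 2, and from then on both sides must present the same pair. The script parses that 28-byte header and keeps the responder-side bookkeeping that turns a cookie pair matching no known SA into a rejection. The packets it builds are header-only and constructed.

```python
"""ISAKMP header parsing and phase 1 cookie tracking (RFC 2408 section 3.1).

Example code for this page; the packets are constructed header-only frames,
and Phase1Responder is a minimal model, not any vendor's implementation.
"""
import struct
from dataclasses import dataclass

# I-cookie(8) R-cookie(8) next-payload(1) version(1) exchange(1) flags(1)
# message-id(4) length(4): 28 bytes, network byte order
HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = HDR.size
EXCH_MAIN_MODE = 2          # identity protection exchange ("main mode")
ZERO_COOKIE = b"\x00" * 8   # responder cookie in the very first message


@dataclass
class IsakmpHeader:
    i_cookie: bytes
    r_cookie: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_header(pkt):
    """Decode the fixed header and sanity-check the length field."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    ic, rc, nxt, ver, exch, flags, msgid, length = HDR.unpack_from(pkt)
    if length < HDR_LEN or length > len(pkt):
        raise ValueError(f"bad length {length} for a {len(pkt)} byte packet")
    return IsakmpHeader(ic, rc, nxt, ver >> 4, ver & 0xF, exch, flags, msgid, length)


class Phase1Responder:
    """Responder-side cookie bookkeeping for main mode, nothing more."""

    def __init__(self, my_cookie):
        self.my_cookie = my_cookie
        self.sas = {}   # initiator cookie -> responder cookie we handed out

    def accept(self, pkt):
        h = parse_header(pkt)
        if h.exchange != EXCH_MAIN_MODE or h.major != 1:
            return "unsupported"
        if h.message_id != 0:
            return "not phase 1"      # phase 1 messages carry message ID 0
        if h.r_cookie == ZERO_COOKIE:
            # message 1: the initiator cannot know our cookie yet
            self.sas[h.i_cookie] = self.my_cookie
            return "new SA"
        if self.sas.get(h.i_cookie) != h.r_cookie:
            return "invalid cookie"   # pair matches no SA we started
        return "ok"


def build(i_cookie, r_cookie, exch=EXCH_MAIN_MODE, msgid=0, next_payload=1):
    """Header-only packet; next_payload 1 is the SA payload, version 1.0."""
    return HDR.pack(i_cookie, r_cookie, next_payload, 0x10, exch, 0, msgid, HDR_LEN)


def demo():
    """Walk a responder through a good exchange and two bad cookie pairs."""
    resp = Phase1Responder(my_cookie=bytes.fromhex("a1b2c3d4e5f60708"))
    ic = bytes.fromhex("1122334455667788")
    results = [resp.accept(build(ic, ZERO_COOKIE))]                  # message 1
    results.append(resp.accept(build(ic, resp.my_cookie)))           # message 3
    results.append(resp.accept(build(ic, bytes.fromhex("0000000000000001"))))
    results.append(resp.accept(build(bytes.fromhex("ffffffffffffffff"),
                                     resp.my_cookie)))               # SA we never saw
    return results


if __name__ == "__main__":
    print(demo())
```

The last two cases are what a responder sees when a peer keeps using cookies from an SA the other side has already forgotten, for instance after one end restarts; the header itself is otherwise perfectly well-formed, which is why the only useful evidence is a log entry about the cookies.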
What is the best way of testing whether my dnsinfo.C is working (DNS view
and WINS view)?
All,
I am using the Webtrends product in order to build reports regarding Internet
usage etc. from my BM proxy/FW and the CP FW-1.
I noticed, that with Webtrends Enterprise, I can build logs that tell me how
long each person/object used the Internet for, but with the Webtrends for FW
Suite, I can
http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/cisco_ios_vpn.pdf
From: Satish Bhatt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW1] SOS!! Need HELP!
Date: Wed, 31 Jan 2001 09:44:12 +0530
Hi guys
I need the setup a VPN as stated below would be great if
I am having an issue with one of our secure remote users. They seem to be
able to authenticate to the firewall, but get kicked off. The log shows
their session with an action of "Deauthorize" and in the info field for a
reason it gives "No Policy". Has anyone seen this behavior??
Frank
Hi all,
Need your help again. I was experimenting with time restrictions and when I
installed the policy I got the following error
TestPol.W: Security Policy Script generated into TestPol.pf
TestPol:
Compiled OK.
Downloading Security Policy /opt/CPfw1-41/conf/TestPol.pf to localhost(fire)
SecureClient was designed to protect from that very scenario. SecureClient
has added functionality over the SecuRemote you know of. SecureClient has
the ability to download a desktop policy which limits what types of traffic
can come in and out of that laptop. Plus, you can force laptop users
Title: RE: [FW1] Ike with radius authentication
I found the solution to this one. See http://support.checkpoint.com/kb/docs/public/securemote/4_1/pdf/hybrid-2-10.pdf
-Original Message-
From: Scott Hunter
Sent: Tuesday, January 30, 2001 4:11 PM
To: 'key chavez'; [EMAIL PROTECTED]
It is supposedly possible to do with a static NAT on the Linux box.
Under 4.1 it should be possible to do over just NAT (at least I hope so
- I've been waiting for it).
There were docs somewhere on making it work - check phoneboy maybe.
-Original Message-
From: keychavez
Yes I have read it and it has the same issue that most technical books do.
By the time it gets through the printing/publishing process, it is at least
one release behind. If you consider it with the version that it was written
for it is a great book. Unfortunately, most of us are running much
Sounds like you're using Secure Client instead of Securemote ...
--
Philippe Verdonck
Sr System Engineer
Erudict Antwerpen NV
Desguinlei 250
B-2018 Antwerp
Belgium
I'm running FW1 4.1/SP3 on NT4.
I have a machine in my DMZ that runs FTP and OWA, with a 10.x address NAT-ed
to a valid external address. I can hit the external address with no problems
at all (ie: it does what it's supposed to do) but I can't ping its LAN
address or see it in Network
When you use SecureRemote you are using SecureClient.
Check your Desktop Security properties and uncheck the appropriate boxes if
you dont want to enforce a policy...
Andy David
J. Muller International / Egis, Inc.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
Although we believe that IDENT can cause more harm than good,
it seems to be used between SMTP servers to verify the destination
of e-mail.
Your choice...
David C. Diemer, CCSA
Enterprise Security Firewall Engineer
Georgia Department of Administrative Services (DOAS)
200 Piedmont Ave.
Unfortunately, this still doesn't prevent a rogue application from
connection sniffing during the session establishment, and then reporting
passwords, IPs etc. later on when the VPN and SecureClient are down. Sort of
the same scenario that happened to Microsoft.
I'm starting to wonder if
Read the 3rd paragraph. It contains some great info on what you are looking
for.
http://www.enteract.com/~lspitz/armoring.html
Duke
-Original Message-
From: Alexander Hoogerhuis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 31, 2001 6:35 AM
To: [EMAIL PROTECTED]
Subject: [FW1]
Running FW 4.0 on Solaris Unix.
No one can log in to the security policy editor. My Unix box has these error
messages. Has anyone encountered this? And if so, how do I correct it?
Thanks in advance,
Larry Milliken
Error Messages:
Jan 29 00:08:22 guardian root: Solstice Backup Registration: (info)
Title: RE: [FW1] Windows 2000
Routing in Windows 2000 is much more complex than just
enabling IP forwarding. I don't even think there is an IP forwarding checkbox.
In order to get Windows 2000 to route you have to configure the machine as a
router using The Routing and Remote Access Service.
I was setting some filters in my logviewer when I noticed some "blank"
entries under Service Selection Criteria. When I highlighted these blank
entries, the following services appeared in the left-hand window:
Cdf
Marimba_Netcaster
Microsoft_Channels
Pointcast
A
We are witnessing erratic performance from our FW-1 system. Before we give
up completely on this platform, can I ask if any of you have suffered from
(and hopefully corrected) the following.
We are currently running FW1 v4.0 build 4055, on NT4/SP5, but the conditions
we notice have been with us
Title: RE: [FW1] Windows 2000
Enabling IP Routing
By default, IP routing is disabled.
To enable IP routing, you must allow the computer to forward IP packets it receives.
This requires a change to the Windows 2000 system registry.
When you enable the Routing and Remote Access service
Title: RE: [FW1] Erratic Performance on NT
We have a box that is not currently in production yet, but we did notice something like this during testing. Ping latency was as high as 1000ms. I had to do something with IP Pooling. We totally disabled it and the problem was resolved.
Keyvan
Are you running out of physical memory? We have the same problem with NT 4.0
SP6a, FW 4.1 SP3. But one of the fw.exe processes is eating up all the memory. Most
of the time we can do an FWSTOP/FWSTART and that fixes the problem for a
day or two.
I've had a couple of people state the same thing...
It's true you don't have a checkbox to enable IP forwarding in Windows
2000; you have to enable it in the registry :
To enable TCP/IP forwarding:
1. Use Registry Editor (Regedt32.exe) to view the following registry key:
Title: RE: [FW1] Erratic Performance on NT
You are not supposed to use FW1(4.1) on NT SP6. The last NT SP that is recommended by Check Point is NT SP5.
Keyvan Moussavi
PEC Solutions, Inc.
Systems Integration Division
-Original Message-
From: Steven Zimmerman [mailto:[EMAIL
Does anyone know of a list which describes every variable in the output of
`fw tab -s`?
Chris
Does anyone know of testing location(s) in So Fla.
I found one for $300.00, which appears excessive, when compared
to Cisco and others.
Also, I understand some changes about test delivery, etc. are coming
in March. Can anyone elaborate?
Thanks,
Gary Dore
Velasquez Venegas Jaime Omar wrote:
Anyone running sucessfully two fw-1' s and one Managment Module ?
[Manag.Module][FW1](Internet)--[FW2]
Me... :-)
--
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
C I T I
Title: RE: [FW1] Erratic Performance on NT
I think 6a has been supported for a number of months now...
Andy David
J. Muller International / Egis, Inc.
-----Original Message-----
From: KMoussavi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 31, 2001 12:06 PM
To: 'Steven
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I don't know of a list, but if you do:
fw tab --help
you get the switches.
Another hint: do an fw tab and look at all available tables. For instance
if you wanted to count NAT'd connections outbound:
fw tab -t fwx_forw -s
Carric Dooley
Senior
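An added example for reading the summary that fw tab -s prints (written for this page, not code from the thread or from Check Point): it parses the per-table lines, pulls out the fwx_forw count the post above uses for outbound NAT connections, and, given table limits, reports how close each table is to filling. The column layout assumed here, a HOST NAME ID #VALS #PEAK header followed by one line per table, is the one current builds print; confirm it against your own version before trusting the parser, and note that the limits dict is supplied by the caller (the summary view does not print them). SAMPLE is constructed output, not from a real gateway.

```python
"""Parse 'fw tab -s' summary output and report table usage.

Assumptions (mine, not the page's): summary output is a 'HOST NAME ID
#VALS #PEAK' header followed by one line per table; table limits are
supplied by the caller. SAMPLE is constructed.
"""

SAMPLE = """HOST          NAME                 ID  #VALS  #PEAK
localhost     connections        8158   3412   9801
localhost     fwx_forw           8116    212    640
localhost     fwx_backw          8117    212    640
localhost     sam_blocked_ips    8175      0      3
"""


def parse_tab_summary(text):
    """Return {table_name: {'host', 'id', 'vals', 'peak'}} from summary output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split()[:2] != ["HOST", "NAME"]:
        raise ValueError("no 'HOST NAME ...' header; is this 'fw tab -s' output?")
    tables = {}
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) != 5:                 # the layout this parser understands
            raise ValueError(f"unexpected line: {ln!r}")
        host, name, tid, vals, peak = parts
        tables[name] = {"host": host, "id": int(tid),
                        "vals": int(vals), "peak": int(peak)}
    return tables


def nat_outbound_connections(text):
    """The number the post counts with 'fw tab -t fwx_forw -s' (#VALS)."""
    return parse_tab_summary(text)["fwx_forw"]["vals"]


def percent_used(tables, limits):
    """Current entries as a percentage of each table's limit, one decimal."""
    return {name: round(100.0 * tables[name]["vals"] / limit, 1)
            for name, limit in limits.items() if name in tables}


def over_threshold(tables, limits, pct=80.0):
    """Names of tables whose current usage is at or above pct of their limit."""
    return sorted(name for name, used in percent_used(tables, limits).items()
                  if used >= pct)


if __name__ == "__main__":
    t = parse_tab_summary(SAMPLE)
    print("outbound NAT connections:", nat_outbound_connections(SAMPLE))
    # the limit value here is a placeholder; read yours from the gateway
    print(percent_used(t, {"connections": 25000}))
```

Feed it `fw tab -s` output from a box that is slowing down and compare the connections table against its configured limit; a table pinned near its limit is a very different problem from a process that keeps growing, and the two threads on erratic NT performance above describe both.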
I think this is a big thing with 4.1 sp2 and sp3. There are also issues (memory
leaks) with Solaris 2.6. Several others have noticed this (including us) and we were
able to slow it down but never eliminate it. There are no fixes for Solaris -
Checkpoint recommends keeping patch levels
We have a problem on our firewalls concerning FTP.
When transferring a certain amount of files through the firewall onto or
from the DMZ, the transfer suddenly stops because the firewall blocks it,
even though the source port is ftp-data.
On the ftp server we see that port 8169 is being used
Title: RE: [FW1] Ike with radius authentication
Hi,
I am working on this right now. I think a hybrid IKE mode is necessary from what
I have read, and I am looking into the use of Certificates too. I will post a
rough draft of a how-to here when/if I get it working. Otherwise I will
I have a user who has an SMC DSL router/firewall doing NAT at home. So he has
an internal network that connects to the router and there is only one
external internet IP address. If his laptop is sitting in the internal
network I can't get his SecuRemote client to connect to the VPN. If I take
his
Did somebody manage to deploy OWA on FW-1 4.1 SP3 on Linux?
With https or
http? Internal certificate or external?
Somehow it seems SP3 does not work with OWA? If I downgrade
to SP2 it
does.
RedHat 6.2
FW 4.1 SP3
OWA works ok on http (did not try https)
What I did at the moment is
I have Firewall-1 version 4.1 SP1. I have added #define ENCDNS to the
crypt.def file. I have created the dnsinfo.C file. I have made the
:dns_xlate and :dns_encrypt entries in the userc.C file on the client. I
have bounced the firewall, re-installed the security policy and downloaded
the key
Title: Erratic Performance on NT
I have to admit, I do not have any hard evidence regarding the NT SP6 issue. I was told that SP5 would be a better bet for FW1 4.1. I will try to locate the hard copies regarding this matter.
Thank You
Keyvan Moussavi
PEC Solutions, Inc.
Systems Integration
Title: RE: [FW1] SecuRemote and Split/Encrypted DNS
I had the same exact problem. Make sure you double check all your spacing and syntax in your dnsinfo.C (that's a cap. C). FW1 has a funny way of parsing this file. It is very picky. If the syntax is not correct, then the contents of your
Title: Microsoft CA ports?
Greetings all,
Working with integrating Microsoft's Certificate Server with FW-1. Do any of you know where I can find information on what ports Microsoft's Cert server (Win2K) uses? I can do a netstat -a and see them, but it is a trial and error thing that I don't
Paul said that the server "remains equally responsive throughout".
Paul, can you check the available memory on the server?
Could you be running out of available ports?
On Wed, 31 Jan 2001, Andy David wrote:
Sounds like a memory leak...
Any other apps running on this box?
Andy
I'm referring to a SecuRemote behind an IPChains box doing
IP Masquerade. I can exchange the key between them but
when I try to FTP nothing happens (no log in the
logviewer).
I'm using FW-1 4.1 with SP2 on an NT Server and
SecuRemote for Win 2k on a Win 2k server.
key
--- Steven Lee [EMAIL PROTECTED]
Title: Multiple session agent rules
Does anyone know of a way to have multiple session agents rules in your rulebase? It seems that all session requests hit the first rule and then are either accepted or rejecting without further inspection. Is there a way to disable the implicit reject of
I am running FW1 v41 SP3 on a Unix machine,
and have a requirement to forward multicast
between 2 Cisco routers on opposite sides of
my firewall.
What is the best way to accomplish this -
in terms of technical ease and in terms of
security?
Should I run mrouted on my Unix firewall?
Or
Mike:
How do you have the policies defined on your FWs? Using the FW GUI client,
pull up your policy editor. Under the "Track" column, is the value set to "Long"
(or "Short")? You need to change this value to "Account" and you should then be
able to see the information that you need.
Hello,
Configuration:
2 X Nokia IP440 VRRP monitored circuits
FW1 V4.1 SP2
Mgnt Server V4.1 SP2 Windows NT
Problem:
What can cause one of the firewalls to connect to the management server via
external interface and thus fail, while the other one successfully connects
to the management server
A eBusiness vendor proposes to have a Lotus Notes' "Pass Through" server in
front of firewall, but behind a router!
He argues that there is no data on the Lotus Notes server. Data are
transient/streaming to the server. To gain performance, it should be in
front of the firewall. In addition,
Does anyone know if it is possible to use ace authentication to access
the Nokia devices?
Chad:
You cannot use the ACE auth to directly authenticate to the admin account on the
Nokia. You can use user auth within your policy with a SecurID token to allow
ssh and telnet to the Nokia though.
I hope this helped.
Jimmy
James C. Hanrahan
Intrasystems Inc. Network Architect
If you are using IKE, then you do not need to define the Firewall-1
password.
Instead, enter the password under each individual's IKE properties...
Be sure to lockdown your firewall by dropping any packets that are destined
for the firewall after your user's download the site info.
I prefer to
How did you do the fw putkey and define the management console? Try
deleting the authkeys.c file and redoing a putkey on the firewall using
it's internal IP address. Something like
$ fw putkey -p PASSWORD firewall internal address mgmt console address
-Original Message-
From:
Whilst I do not have a solution,
see
http://www.phoneboy.com/fw1/ and, to cover that SP for what version, see
http://www.phoneboy.com/fw1/faq/0359.html
Rather than try and fix the problem on 4.0, upgrade to 4.1; you have a few
potential security holes on your current system
-Original
Would VRRP work on a switched network, or would it only work in a hub network
environment? Thanks.
-raymond
To unsubscribe from this mailing list, please see the instructions at
I tested with both and it was fine. I wound-up just using a cross-over
cable between Nokias so as not to use two switch ports.
Chris
-Original Message-
From: Raymond N [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 31, 2001 6:20 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Nokia VRRP
Hi,
I have FW 4.1 3DES.
I try to configure it for remote access but get "Authentication fail" in the
SecuRemote client (4.1 SP2 strong), and the FW gateway log viewer shows me the
problem is rejected at rule 0 (what is rule 0?), because of "Refused
Topology request. Password expired."
In the user
If the VPN is already in place and operating then the only problem is NT
configuration and not a firewalling issue
** Note - Firewallers - this goes off-topic towards NT setup ! **
Check :-
1. The Firewall rules bases - does the VPN allow all traffic through ?
- if not then you need
Correct. I don't think much will work. A simple port redirector, and you
have likely got a huge problem. You want to watch carefully the way you
administer SecureClient connections. Limit the users access either by rule
or with the per user configuration. Wherever possible, limit access :)
You
Steve,
When I used to run NT firewalls, I wanted to know the same thing.
Fortunately "tlist" from the NT resource kit came to the rescue. Just run
"tlist fw" from a prompt. It'll scroll by all kinds of info, including the
command line fw.exe was called with. That'll tell you what server is
Hi,
I had some experience with the same problem: at first it was running well, after 1
month it slowed, reboot, after 1 week it slowed, reboot, after ...
I called Checkpoint tech support; you can try the following:
*** NT 4.0 SP6a
Here is the document to increase kernel memory.
NT
==
1.Run regedt32 (the