[FW-1] VPN

2001-11-29 Thread Resit Aksen
Hi all, Don't forget this is a newbie's question... :-) 1- I have a simple net like this: PrivateNet---my_FW---ISP_FWInternet My webserver is on ISP's DMZ. And it should talk to my database server, which is on my private_net, to do something :-) How can I set up a secure communication

[FW-1] Too large log file

2001-11-29 Thread Billy Chan
Dear all, I try to do a fw logswitch since the log file size is very large (about 300M), but it fails; it displays "Log switch failed." Then I run fwstop and try to rename the log file, but it displays "The Process cannot access the file because it is being used by another process." while I run the

[FW-1] Vpn to Netscreen 5xp.

2001-11-29 Thread Meijer, Magnus
Hello. Has anyone tested a VPN between a FW1 v4.1 and a Netscreen 5xp? On the netscreen.com support site they have a description on how to get it to work but I can't. I use Screen OS 3.0r2 on the Netscreen FW. The Log says: reason Client Encryption:

Re: [FW-1] Can you pls. share your experience on NG Upgrade with me?

2001-11-29 Thread Nico De Ranter
Hello again, On Thu, Nov 29, 2001 at 09:59:50AM +0900, Tan Tit Keat wrote: Hi, Nico: I remember you posted an email to the Check Point Mailing List asking about the NG Upgrade. Have you successfully installed/upgraded NG in your system? Can you pls. share your experience with me? If you

Re: [FW-1] VPN

2001-11-29 Thread Myriam S. Sparacino
The differences between a single gateway and the enterprise edition are only about the installation and the management, not about the features of FW-1. Just implement your VPN normally, you aren't required to do or install anything else. I suggest you read the SECADMIN manual. I'm sure you

Re: [FW-1] Too large log file

2001-11-29 Thread Jörg Oertel
Billy Chan wrote: Dear all, I try to do a fw logswitch since the log file size is very large (about 300M), but it fails; it displays "Log switch failed." Then I run fwstop and try to rename the log file, but it displays "The Process cannot access the file because it is being used by another

Re: [FW-1] Too large log file

2001-11-29 Thread Leon Noble
Hi Billy, This is not a solution to your immediate problem, but just a suggestion to help organise your logs a bit better. cron or at $FWDIR/bin/fw logswitch > /dev/null 2>&1 (Replace $FWDIR with its appropriate value.) every night at midnight. This will help organise your log files.

Re: [FW-1] Too large log file

2001-11-29 Thread Sam Denton
I have heard people mention cron for the log files before. How do I use this? I would like to automate saving the log and then ftping the log to another machine each day. Also it would be beneficial if the log was deleted after ftping across to another

[FW-1] MD5 or SHA1 ?

2001-11-29 Thread Eitan Lugassi
Hi, Can someone explain to me the differences between MD5 and SHA1 in the user encryption tab? (BTW: I'm using IKE..) Thanks Eitan Lugassi http://www.camelot.com Network Secure. Go Play

Re: [FW-1] VPN to watchguard SOHO

2001-11-29 Thread Parkin, Miles
Hi, I eventually got the VPN working, but I had to modify the Firewall-1 cluster object ip address to be the same as the primary firewall in the cluster. No VPN failover, but it works. Regards, Miles. -Original Message- From: Katsumi, Fred [mailto:[EMAIL PROTECTED]] Sent: 28 November

[FW-1] FTP-Download Problem

2001-11-29 Thread manfred . steinbacher
Hello I can connect to the ftp-server and can also go in the directory where the files are located which I want to download. But when I start the get command I only receive some points and after that I receive the ftp-prompt. Does anyone have a solution for this problem? I have FW 4.1 SP2 on Solaris.

Re: [FW-1] MD5 or SHA1 ?

2001-11-29 Thread Chris Arnold
You can learn about the differences in the hashing algorithms by reading RFC 1321 and RFC 3174. Chris -Original Message- From: Eitan Lugassi To: [EMAIL PROTECTED] Sent: 11/29/01 7:32 AM Subject: [FW-1] MD5 or SHA1 ? Hi, Can someone explain to me the differences between MD5 and SHA1 in

Re: [FW-1] Smtp Resource FW-1 NG

2001-11-29 Thread Yves Belle-Isle
First you have to block SMTP relaying on the Notes Box and if you use a SMTP Security server (Like for CVP) you need to block those on the FW-1 in a SMTP Security resource too because by default the FW-1 SMTP Security server is wide open to SMTP relaying. I have a SMTP/POP3 post.office server

Re: [FW-1] MD5 or SHA1 ?

2001-11-29 Thread Eitan Lugassi
How can it impact SecuRemote users if I'll change their user properties to SHA1 instead of MD5? Eitan. -Original Message- From: Chris Arnold [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 3:31 PM To: 'Eitan Lugassi '; '[EMAIL PROTECTED] ' Subject: RE: [FW-1] MD5 or SHA1

Re: [FW-1] Too large log file

2001-11-29 Thread Russell Aspinwall
Hi Sam, Below are two scripts which are located in the /firewall/bin directory and subsequently called via cron. These are scripts I developed, they work but could be better. The scripts should be started 1 minute before they are required; this is to allow for date changes at night. Cron calls

[FW-1] AW: [FW-1] FTP-Download Problem

2001-11-29 Thread Joerg . Fritsch
Hi, there could be numerous problems. Is there any entry in the logs? First I would try to edit lib/base.def #define FTP_ENFORCE_NL to //#define FTP_ENFORCE_NL Pls let me know if this helped. --Joerg -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

[FW-1] AW: [FW-1] FTP-Download Problem

2001-11-29 Thread Joerg . Fritsch
Just one more remark: try lib/base.def #define FTPPORT_MATCH (0x2) alter to #define FTPPORT_MATCH (0x0) --Joerg -Original Message- From: Joerg Fritsch Sent: Thursday, 29 November 2001 15:37 To: 'Mailing list for discussion of Firewall-1' Subject: AW: [FW-1]

Re: [FW-1] Too large log file

2001-11-29 Thread Cathy Tebo
I've had this also. I don't know the specs, but the logswitch command must need temp space to perform. I usually make sure I have lots of unused disk space (I delete temp files), and then the log switch may work. Thank you, Cathy Tebo Reply Separator

[FW-1] Borderware?

2001-11-29 Thread Steck, Steffen M.
Hi, I may be OT but I do not know who to ask. I successfully have some FW-1s running and now a distant site of ours wants to get its own internet access with maybe borderware (www.borderware.com). I never heard of this and therefore do not know anything besides the marketing crap on the website.

[FW-1] FW-1 NAT: 3rd Interface

2001-11-29 Thread Christoph Nagelreiter
Hello, Currently we have 2 Interfaces in our FW-1 (NT4.0, Ver. 4.1 SP6). I want to put a third Interface into the Firewall, to connect a settlement in another country. The third interface is connected to a router, which knows the routes to the destination

Re: [FW-1] Too large log file

2001-11-29 Thread Leon Noble
Hi Sam, Visit http://www.redhat.com/support/resources/tips/cron/cron.html this will tell you all about the crontab. cheers Leon.

[FW-1] Subject: How to block Spoofing ??

2001-11-29 Thread Jon Vandiveer
Securing Cisco Routers http://www.cisco.com/warp/public/707/21.html http://www.cisco.com/warp/public/707/3.html http://www.cisco.com/warp/public/707/4.html You should block RFC 1918 addresses at your perimeter routers. I used to have a list of the reserved addresses, but cannot find them right

Re: [FW-1] Borderware?

2001-11-29 Thread Joachim Holzapfel
Hi. We were using a Borderware firewall 6.1 until we changed to Checkpoint Firewall-1. The Borderware runs well in general, but we had several strange problems with disappearing routes and proxies so we had to restart the Borderware regularly (approx. once a week). The Borderware firewall is not

[FW-1] VoIP via Firewall

2001-11-29 Thread Arie Gilboa
Hello! We have to enable VoIP inbound and outbound connections, and I would like to understand how I could define this connection between specific hosts via firewall-1. Are there any special security problems which VoIP connections create? Thanks, Arie Gilboa.

[FW-1]

2001-11-29 Thread Roan, Wayne
Anyone know the ports need to allow VNC through a firewall? I have tried the ports you setup, 5800, 5801, etc. and this does not seem to work. What am I missing? Thanks, Wayne Roan Systems Engineer, Information Technology Capitol Broadcasting Company 919-890-6293

Re: [FW-1]

2001-11-29 Thread Joachim Holzapfel
On my box, Port 5900 is working fine for VNC. best regards, Joachim Holzapfel TOSHIBA Joachim Holzapfel IS Division - PC Network Toshiba Europe GmbH Hammfelddamm 8 Tel.: +49-2131-158-572 41460 Neuss - GERMANY Fax: +49-2131-158-501 Mail: [EMAIL PROTECTED] Roan,

Re: [FW-1] Too large log file

2001-11-29 Thread Mitchell, Bobby
I had this same problem once and my problem was the fw\bin and fw\log directories were not in my path statement. Check your path statement to see if this may be your problem. Hope this helps, Bobby -Original Message- From: Billy Chan [mailto:[EMAIL PROTECTED]] Sent: Thursday, November

Re: [FW-1] Too large log file

2001-11-29 Thread Carl E. Mankinen
I was thinking "man crontab" ??? -Original Message- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Leon Noble Sent: Thursday, November 29, 2001 10:58 AM To: [EMAIL PROTECTED] Subject: Re: [FW-1] Too large log file

Re: [FW-1]

2001-11-29 Thread Shah, Nishith
Port 5900 -Original Message- From: Roan, Wayne [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 11:04 AM To: [EMAIL PROTECTED] Subject: [FW-1] Anyone know the ports need to allow VNC through a firewall? I have tried the ports you setup, 5800, 5801,

Re: [FW-1] Subject: How to block Spoofing ??

2001-11-29 Thread Joe Pampel
For a good list of what to block inbound on your serial interfaces, see Rob Thomas' excellent Secure IOS Config page: http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html See access-list 2010 specifically. Lots of other great tips and tweaks in there as well. Only things to be

[FW-1] Best IDS??

2001-11-29 Thread Tim Anderson
We have budget to purchase an IDS and would like to get suggestions from you fine folks. We are looking at SNORT since it is free (except for the equipment costs) and ISS Real Secure. We are open to other suggestions as well. Also where do you guys have your sensors? We were thinking that

[FW-1] Split / Encrypted DNS (SecuRemote)

2001-11-29 Thread Johnson, Doug (ISS Atlanta)
I'm working on setting up Encrypted DNS for SecuRemote in preparation for setting up Split DNS. However, I haven't had any success so far. I don't see any domain-udp decryptions showing up in my log viewer, so I'm guessing there is a problem with the encryption (or lack thereof) on the client

[FW-1] NAT Based on Service with only one legal IP

2001-11-29 Thread Andrew Loh
Dear all, I need to setup a Checkpoint NG (NT) for a network but the external interface has only 1 IP. There are two servers behind the NG, one mail server and one file server. A, External securemote users will access the internal file server, provided internal file server will not do any

Re: [FW-1] Linux support

2001-11-29 Thread Nishan . Weerasooriya
UNSUBSCRIBE fw-1-mailinglist --- This mail was scanned for viruses by DFCC Bank virus wall --- UNSUBSCRIBE fw-1-mailinglist

Re: [FW-1]

2001-11-29 Thread Kim Longenbaugh
vnc defaults to 5900, tried that? [EMAIL PROTECTED] 11/29/01 10:04AM Anyone know the ports need to allow VNC through a firewall? I have tried the ports you setup, 5800, 5801, etc. and this does not seem to work. What am I missing? Thanks, Wayne Roan Systems Engineer, Information

Re: [FW-1] Best IDS??

2001-11-29 Thread Enno Rey
Hi, don't take RealSecure. They (still) have bandwidth issues, you can't write your own signatures [which is rather critical for an IDS] and you can't do any forensics [there's no recording of the raw packets for retrospective investigation], which may be even more critical for an IDS. But I'm

Re: [FW-1] Best IDS??

2001-11-29 Thread Carl E. Mankinen
Set up one sensor outside firewall, set it to log verbosely but not to page you. This will provide forensic evidence that might prove useful. Set up another sensor inside your dmz OR on the inside leg of your firewall. Carefully set up rules for filtering of alerts on valid flows, and set

Re: [FW-1] Borderware?

2001-11-29 Thread Bobby Tehranian
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Borderware is a proxy firewall and runs on an Intel based platform. It is sort of a software appliance in such you don't need to install an OS. However it runs on either open or free BSD. As far as the firewall itself it has from what I know a

[FW-1] Ports for VNC

2001-11-29 Thread Carl E. Mankinen
Here is a suggestion: If you need to know what ports are being used by a particular application, launch the app and then try looking at netstat -a before/after to see which ports are in use. Won't help you if the application uses several ports and only opens some of them on rare occasion...

Re: [FW-1] Best IDS??

2001-11-29 Thread Steven Schuster
Use both of these products in conjunction. As they both have strengths and weaknesses, use the strengths of one to cover the weaknesses of the other. Having two IDS systems, one inside your network and one outside, is like using two different vendors for anti-virus...use one product at the

[FW-1] test

2001-11-29 Thread Matthew Brown
Matthew Brown Information Technology Chick-fil-A, Inc. - www.chick-fil-a.com 404 305 7669 === To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html

[FW-1] Host question

2001-11-29 Thread Guibord, David
Hi all, We are running 4.1 sp2 on an nt 4 sp6 box. Occasionally during the day, our log will fill up with the following messages: fw_xlate_forw: failed to initialize the connection fw_xlate_set_tables: Id_set to fwx_back_tables failed. When this happens, we cannot

Re: [FW-1] Ports for VNC

2001-11-29 Thread Chris Arnold
Better yet, open your log viewer and LOOK. You know the source and destination, right? Very few people seem to bother trying anything on their own any longer. Sigh Chris -Original Message- From: Carl E. Mankinen [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 14.21

[FW-1] SecuRemote problems after generating new Certificate for Hybrid mode

2001-11-29 Thread Michael Knobloch
Hi together We have a Nokia IP440 with IPSO 3.4.1 running FW 4.1 SP5 with a separate Management server running on a W2K machine (also SP5) For setting up this device I used the rule and objects of the prior SUN FW4.1 SP4. After this replacement we still used the old certificate for SecuRemote

Re: [FW-1] Best IDS??

2001-11-29 Thread Alexey Vitashkevich
Try intrusion.com appliances ...they have open source exploits DB and runs on linux ...not that expensive . -Original Message- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Schuster Sent: Thursday, November 29, 2001 2:32 PM To: [EMAIL

Re: [FW-1] Best IDS??

2001-11-29 Thread Joe Pampel
I've been using snort for a while and really like it. Sensors in the DMZ(s) as well as behind the FW. Nice way to audit your FW to make sure what you think is going is IS what's going on.. Stable, quick, free.. easy to use too. I use the ACID interface running on an Apache server. It has also

Re: [FW-1] Too large log file

2001-11-29 Thread Gerard MANNIG
At 12:00 29/11/01 -, Leon Noble wrote: Hi Billy, This is not a solution to your immediate problem, but just a suggestion to help organise your logs a bit better. cron or at $FWDIR/bin/fw logswitch > /dev/null 2>&1 (Replace $FWDIR with its appropriate value.) every night at midnight.

[FW-1] Downgrading a Provider-1 installation to Checkpoint 4.1 Enterprise

2001-11-29 Thread Joel Turoff
Greetings! My company is in a situation where we need to back out of a Provider-1 installation and downgrade to a Checkpoint 4.1 Management Console (basically, we didn't grow quickly enough in this dot bomb economy and we need to sell off Provider-1 to another division within our company). The

Re: [FW-1] Best IDS??

2001-11-29 Thread Bobby Tehranian
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If you are comfortable with UNIX go with Dragon from Enterasys Networks. If you need pretty pictures go with RealSecure. If you are looking for the best product (commercial) Dragon is far more superior in the game. Get this book

[FW-1] fwx_backw reaching 25000

2001-11-29 Thread Brandon Hutchinson
Hello. We are running CKPfw 4.0 build 4303 on Solaris 7. Recently, we have noticed many syslog messages of: Nov 29 14:48:02 nsmmfw02 unix: FW-1: fw_init_xlation_tables: fw_xlate_set_tables failed Nov 29 14:48:02 nsmmfw02 unix: FW-1: fw_xlate_forw: failed to initialize the connection After doing

Re: [FW-1] Ports for VNC

2001-11-29 Thread Mattias Hultman
Try the FAQ. That should give you some initial guiding. http://www.uk.research.att.com/vnc/faq.html /Mattias [EMAIL PROTECTED] 11/29/01 10:04AM Anyone know the ports need to allow VNC through a firewall? I have tried the ports you setup, 5800, 5801, etc. and this does not seem

[FW-1] Nokia Resolution 9772

2001-11-29 Thread Shelton, Raymond A.
Howdy folks. If you are a Perl guru or just want to hear my Rant for 2001 Q4, read on! My case got closed (Subject: Resolution 9772 will not function (Nokia Case 77960,) but not resolved. Actually, the fix is that the resolution now/today begins with a disclaimer: This script is provided

[FW-1] SR and win2k, screen blanks at 1 min. intervals

2001-11-29 Thread Dale Cannon
I have a SecuRemote user with a very odd problem. Maybe someone else has seen something similar. Since installing SecuRemote on a Win2k box (SP2), he says that anytime the SecuRemote client is active, the screen goes blank at 1 minute intervals. This happened with build 4176 and now with build

[FW-1] Upgrade Firewall-1 4.1 SP5

2001-11-29 Thread Jorge Espinel
Hi guys, Recently I installed a SP5 in my Nokia IP440 and let me tell you that everything was ok until I opened my Policy Editor and I found that all my rules were gone. So I had no option and finally I returned to my old SP1. Does anybody know how can I keep my rules running on my SP5, because

Re: [FW-1] Best IDS??

2001-11-29 Thread Zeltser, Roman
Try Internet Security Links: http://www.rtek2000.com/Tech/InternetSecureLinks.html#ids ** Roman Zeltser, @National Computer Center, RSIS DNE -Original Message- From: Tim Anderson [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 12:16 PM To: