Mazen
Maybe someone out there has a way but we have had no success with FW-1 4.0 VPN to either Cisco PIX or Nortel Contivity. I am hoping 4.1 will change that but we will see
Tim
Mazen Chehaiber [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/09/01 21:49
To:[EMAIL
We had problems with Windows 95 clients that would not release DHCP address on net/modem card - this caused problems as SR thought we were still on internal network (!).
There was a fix specifically for Win95 (probably works for Win 98 also) but I was hoping that Windows 2000 wouldn't present
Camille
Yes please - could I have the info.
I am curious as to why a 3rd party can come up with a solution but not CP ? (!) - there is an obvious answer but suffice it to say it may be worth a look through the FW Mailing list archives for unfixed CP problems..
Thanks
Tim
Camille
Lisa
Thank you - and thanks to everyone who replied - I have quite a few ideas on how to get the most out of this now.
Cheers
Tim
Lisa Lorenzin [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/08/01 14:42
To:[EMAIL PROTECTED]
cc:
Subject:Re: [FW1] Why is log
I agree that VPN is more or less skimmed over. So is interoperability.
In my experience on CP courses minor details that are quite easy to understand are pored over meticulously and then it's..
...oh and by the way you can do VPN...here are a couple of screens...now that's the end of the
My experience was that it did eat up a little extra CPU but not too bad - BUT our main problem was with the other effects of using these rules - namely some web sites (especially newer ones) not working properly - workaround was to uncheck Use HTTP 1.1 in IE.
This hasn't worked for every
Maybe there are advantages whilst switching over to use M$ DNS as this give 'nice' feature of WINS integration -although maybe 3rd party products like MetaIP can do this also ?
Tim
Rocky Stefano [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/08/01 04:47
To:Chris Happel
Mike
You are in Israel ? - can't you just drive to the CP office and demand your CD ? ;-)
Seriously though - I can see why they protect the software version upgrades etc. but I see no reason why service packs require an id/password. This seems completely out of step with standard practice with
I agree and as other posts have said in the past, if you do need ping for occasional testing - then have the rules disabled by default and only enable them when someone has a genuine need - and disable the rules again when they are finished.
TH
Dean Cunningham [EMAIL PROTECTED]
Sent by:
Scott
Pardon me if I am teaching you to suck eggs but...
Are you sure this is being resolved from your Internal DNS and not a local hosts file on your PC ?
Tim
Scott Kellerman [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/17/01 07:27 PM
To:[EMAIL PROTECTED]
cc:
I too have this problem and am due to start testing soon. I will let you know how it went.
Hopefully someone has been through this problem before and will post (please...!)
My intent is to follow the usual SR install routine, test that, install Nortel VPN client and see what happens ! It will
Hi
Setup:-
FW-1 4.0 SP4 on NT 4.0 SP4
Was:-
NET A - -(non-VPN, internal leased line) - - NET B - -(non-VPN, internal leased line) - - NET C
All was working between all sites.
Now:-
NET A - -(VPN - ISAKMP/OAKLEY ESP/DES/MD5)- - NET B - -(non-VPN, internal leased line) - - NET C
Now NET A
Hi
Be aware though that RealPlayer can redirect through port 80 (http).
In this case the only realistic way to block through FW-1 is to use an http-with-resource type rule (there have been various postings) e.g.:-
/cut/
How to block HTTP downloads
Fact: Firewall-1
Fact: HTTP Security
Hi
I thought it only fair to post this after my whinge about Comet Cursor.
I am still a little irked that RealPlayer doesn't give the choice of whether to install Comet Cursor or not and that Real washed their hands of the problem. Also that the add/remove doesn't work but at least Comet Cursor
Hi
Noticed an annoying message recently on a PC asking about Comet Cursor upgrade. Didn't recall loading it so did a search through registry - appears that it was related to RealPlayer. I was a bit annoyed that Real install didn't give choice on whether to install this or not.
Most of our PCs
Jason
Actually it was RealPlayer Basic 8 and I did look at what was included and Comet Cursor was not mentioned at all.
Tim Higgins
Jason Costomiris [EMAIL PROTECTED]
27/02/01 12:34
To:[EMAIL PROTECTED]
cc:[EMAIL PROTECTED]
Subject:Re: [FW1] A little
Larry
The problem only appears when I use an HTTP-with resource type rule to block (e.g. mp3) stuff in addition to the general http rule. If I disable the http-with resource rule everything works but as per the previous email - I don't want to do that so I have chosen to disable http 1.1 in the
Larry
I thought so too but I saw a posting from Bradley Wendelboe giving details of known problems.
I tried:-
1. Turn off transparent/proxy rule - this worked but is not practical for us to leave this way - I just wanted to prove whether this made a difference.
2. Turn off HTTP 1.1 support in
Hi
We have had several reports over the past few months of asp pages on Web sites being extremely slow.
The first few reports we put down to problems at the sites themselves but we still see frequent problems at a range of sites.
Does anyone know of any FW-1 issues (or anything else) that may
I thought that you HAD to run Floodgate on the same box as the firewall (?)
Tim Higgins
CryptoTech [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
19/02/01 14:38
Please respond to cryptotech
To:wacky user [EMAIL PROTECTED]
cc:[EMAIL PROTECTED]
Subject:Re: [FW1]
Hi
Thanks - it's good to know it's not just a freaky problem of my own ;-)
FYI...we have run up the white flag for now and are buying a Contivity for this end - I am still hoping to get FW1-Nortel working in the long term otherwise we will need to buy a Nortel for each site to sit alongside our
Hi
Trying to setup VPN from CP FW1 4.0 SP4 to Nortel Contivity.
No success trying to follow the steps for FW1 4.1.
(Furthest I got was getting acknowledgement that IKE Phase 1 completed but failed on Phase 2 - invalid protocol).
Now I have more depressing information:-
...according to
Hi
Anyone know how to get a (FW-1 4.0 on NT) rulebase into text format (or ideally excel/access format) ?
Thanks
T
#**
This message is intended solely for the use of the individual
or organisation to whom it is addressed.
Is the local.arp setup on Nokia same as NT ?
TIA
Tim Higgins
It's great to see that with Linux we are getting one unified Unix system instead of Solaris/AIX/HP-UX/SCO etc. (NOT!)... ;-)
Langa Kentane [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
23/01/01 09:50
To:Firewall-1 Mailing List (E-mail) [EMAIL PROTECTED]
cc:
Hi
Can't get license removed from Nokia
Doesn't seem to be a remove function - only an overwrite function - so I tried that but it doesn't like it.
Questions:-
1. Is there a way to just BLAT the licenses without all this fw putlic *%! on a Nokia and start again ?
2. Is there a 'noddy' guide
(repost)
Anyone got a document How to Setup a Nokia FW-1 ?
I have got several different documentation sets for Nokia and Checkpoint which are not very helpful and it is not even clear in what order to do certain things.
It would be nice to have just one set of steps from start to finish (at least
Hi
I am used to NT FW-1 setup I now have a Nokia IP330 to setup.
Initial problem due to unconfigured interface etc. - used lynx to set these up and connected interface s3 to test hub - also on this is a PC which will be GUI manager (Voyager ?).
However - can't seem to ping PC or vice versa -
Trying to setup VPN to Nortel Contivity box at Site B.
Site B want us to use Manual IPSec but I am really lost on this as we have been using IKE and FWZ- does anyone know if I HAVE to use Manual IPSec - if so how does this work ?
TIA
Tim Higgins
CP 4.0 SP4 on NT 4.0 SP4
Got a weird problem yesterday - web browsing suddenly just stopped working:-
1. Checked logs but they didn't show any drop/reject traffic.
2. Checked policy - looks fine
Reinstalled (same) policy and all was okay again but I would like to understand what may have
Point taken.
Tim Higgins
Jim Brown [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/00 16:56
To:'[EMAIL PROTECTED]' [EMAIL PROTECTED], Jim Brown [EMAIL PROTECTED]
cc:[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:RE: [FW1] How do I shut
Has anyone managed to get a domain login with NT WS 4 or W2K ?
Or is everyone using Connect As or some cached info ?
Tim Higgins
Gaughan, Daniel [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/00 21:50
To:'Thomas Stala' [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL
Hi Daniel
How did you achieve this - got a magic wand or something ? ;-)
Please detail your setup steps to get this working.
Thanks
Tim Higgins
Gaughan, Daniel [EMAIL PROTECTED]
08/12/00 12:22
To:'[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:[EMAIL PROTECTED], [EMAIL
Or add a domain object in your firewall - I haven't used this too much so I don't know how well it works but - hey ! - CP have given the facility so it MUST work - right ? ;-)
Tim Higgins
Jim Brown [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/00 15:54
To:'Gino Guidi
Aren't we being unfair ?
What would you expect to see from a fw-1 mail list ?
I think a few articles on 'cheeses of the world' or how to crochet a chair
would give more variety ;-)
Tim Higgins
Just use GUI - Manage-Network Objects-New-Domain
I can't remember for sure but I think domain should appear as (e.g.) .ibm.com. (anyone else ?)
Then just add rule as previous email stated.
Tim Higgins
Vishal_Keswani [EMAIL PROTECTED]
07/12/00 17:13
To:'[EMAIL PROTECTED]'
Yes - the Alteon + Nokia appears a favoured offering from the VARs we have dealt with
Tim Higgins
Cihan Subasi (Garanti Teknoloji) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
30/11/00 12:37
To:'Neil Pike' [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject:RE:
I posted this one already but I am still struggling...
Setup:
Client = Win2K Pro, SR4166, No tweaks to lmhosts or userC.c stuff - only a full up-to-date hosts file (all that should be required ?)
Firewall = CP 4.0 SP4 on NT SP4
Problem:
Can't get an NT Domain login but can achieve firewall
I agree in principle but a little selling is okay to me as long as:-
1. Brief and no hype (potential solution to a technical problem)
2. 1 email only - i.e. after that further correspondence only between interested parties
If we get some technical information from organisations that have the
Yes - it works okay but you have to ensure that the correct WINS/DNS is setup as for any ISP connection. I created 2 DUN entries - 1 for work with Login to Network and 1 for home without.
I think this TCP/IP error has nothing to do with SR - I got this message on one of my reinstalls of BT
I asked a question about this recently - it appears that the confusion is
in that the Management Console for both fw and RS can reasonably reside on
same box (firewall) but the RealSecure engine needs to be on different box
? i.e.:-
Box 1 (NT/Nokia/Solaris(whatever):-
Software = 1.
Hi
Just trying Windows 2000 with SR 4166 - looked forward to not having loads of tweaks - e.g. DHCP release fix for Win95 etc. ;-)
...but I can't seem to get a network login - I have enabled SDL and SSO, also tried without SSO.
The firewall auth comes up and is okay but no network login prompt
I thought that was one of the benefits of RealSecure - that you could run
on same box (e.g. Nokia) provided machine specification sufficient ?
Is the marketing blurb out of touch with reality on this one ?
Tim Higgins
Our parent company use Nortel boxes for VPN ONLY - they have explicitly
advised us NOT to use these boxes for firewalling (we will use mixture of
NT and Nokia platforms for Checkpoint FW-1).
Support/Pre-Sales sucks on the Nortel Contivity - in Europe anyway.
Tim Higgins
Hi
Just got a quote for ISS RealSecure - v. expensive.
We currently use add-on to our eTrust site-block package but this is not
integrated with fwall and gives too many false positives.
Advantage for us with RealSecure would be:-
1. Can run on Nokia platform (less boxes - important in remote
Hi
We need to add some more Static NAT and non-NAT machines onto our network.
Need sanity check on proposed solution:-
1. Get an additional subnet from ISP (already underway anyway)
2. Configure Internet router External Interface to have new secondary IP
address from new range (from Step 1)
pls ignore
Hi
We have a CP 4.0 SP4 VPN-1 on NT 4.0 SP4 - moving to Nokia CP4.1 soon...ish
;-)
We use static NAT for a handful of boxes (mainly DMZ) and Hide NAT for
rest.
Now have a request outstanding to add a number of machines without NAT but
that can communicate across Internet - i.e. need legal IP
Hi
We will probably be getting Floodgate fairly soon and also changing from NT
(CP 4.0) to Nokia (CP 4.1) - we were told that Floodgate-1 HAD to run on
FWall but what happens with a Nokia setup ?
TIA
Tim Higgins
Great - that'll keep things simpler - a bit anyway ;-)
Cheers
Tim Higgins
Frank Darden
Hi
Can't find GUI client on CP2000 CD.
Also - can 4.1 client run with 4.0 FW ?
TIA
Tim Higgins
Can SR be used to create a pipe with NT login across a non-Internet link
(private leased line) ?
Our setup:-
FW1 SP4 on NT SP4
SR Client 4165 Windows 95 FWZ-DES
OurLAN - Leased Line - TheirLAN - SR Client
[
FW1
[
Internet
I have some users trying to do this to get around the fact that they
Actually, if you'd searched through the archive ;-)
...this topic has been discussed many times before and the general
consensus appeared to be that for the small amount of FAQ type questions we
get the overall quality, openness and friendliness of the group is second to
none. I would like
We have been considering Nokia replacements for NT boxes running FW-1 and
it is worrying to see these comments on bugs, support and especially
longevity. Notwithstanding that some people probably had a bad experience
unique to themselves due to lack of training or bad VAR maybe, there
appears
Thanks
My VAR's standard offering is the Nokia box - we originally selected NT due
to cost but now have backup/admin/failover headaches.
My VAR has convinced me that they will continue sell and support these
products and don't see anything changing in the future.
Currently, Nokia still
Hi
I am a little confused over this thread - I used SR 4153 (4.1) with FW1 4.0
SP4 without any change to the FW config whatsoever.
We are about to tryout build SR 4165 (to see if we can eradicate rebind and
other stability issues) - will this entail a change at the fwall ?
TIA
Tim Higgins
Hi All
We are using CP v4.0 SP4 on Dell NT Servers and use them for internet
access, site-to-site VPN and SecuRemote VPN across Europe.
Our mother company in the USA seem insistent that we use a Nortel solution
(I think it is the 'Contivity' box) to make a new site-to-site VPN
connection to
We have had SR 4153 (on Windows 95 Dell laptop clients) working with a CP
VPN-1 4.0(SP4) NT 4.0(SP4) firewall for some time now but with SR bound to
dialup adapters ONLY.
Recently requested to get it working on network connections so that our
personnel can connect from remote networks via the
Hi
Yes - ISS is one of the leading packages (we are using eTrust from CA).
But I wonder if ISS has the same problem as most of these packages - too
many False Positives ?
Tim Higgins
Yes - the DHCP fix worked for us and has cleared up most problems. People
with manually fixed IP still have to manually change though :-(
Tim Higgins
Hi
We have SR running across Internet DIALUP okay but we need to get it
running from remote LANs that have Internet access.
Some of our guys have tried with no problem - others cannot.
Could someone give me a run down of config needed (SR and networking) to
make this work ?
I thought that all
Hi
I have started to get errors in browser (IE5) from a couple of sites in the
past few days.
Error
FW-1 at firewall_name: Failed to connect to the WWW server.
(firewall_name was the host name of our firewall)
Now - I don't know if we have been really lucky not to have come across any
Hi
Using VPN-1 4.0 SP4 on NT and SR 4153, got a few sites with FW-1 VPN and 1
with a non-CP fwall - all using NAT.
Using ISAKMP/DES for FW1 to FW1 links (nothing setup for non-CP firewall)
and FWZ-DES for SR dial-in.
Question:-
Want SR users to be able to get back into HQ network from remote
Hi
We use SessionWall-3 (now renamed eTrust Intrusion Detection after buyout
by Computer Associates).
Very good, easy to use.
Downsides:-
1. User ids don't always get picked up by ADCP Agent (sits on your PDC/BDCs)
2. CA takeover resulted in some poor support for a while but things are
Hi
Anyone know if multi entries in Path for resource works ?
Also - syntax ? - (*.mp3, *.ram ?? - comma separated ?)
TIA
Tim Higgins
Hi
Haven't used URI before - please could you give an example setup ?
TIA
Tim Higgins
Michael Hernandez
Hi
Using CP 4.0 SP4 on NT (going to CP 4.1 SP2 in next month or two).
I am going to have to look at connection to 3rd parties soon (only had to
do internal stuff so far - so forgive my ignorance here) - and used
ISAKMP/OAKLEY for internal VPN and FWZ for Secure Remote.
Question:-
Can I use
Okay - regardless of how effective it is - it will stop some mp3 traffic
and I'd like to try anyway.
Could someone let me know the correct procedure.
Thanks
Tim Higgins
I've had the too many hosts problem before on a remote fw.
Solution:-
Clear out cumulative host log and ensure you have a $FWDIR/conf/external.if
file with your Internet-side interface details in it.
Procedure can be found on:-
http://www.phoneboy.com/fw1/faq/0001.html
Tim Higgins
Looking for comments on various auth methods for web/ftp access.
We have locked down access by allowing only certain addresses/protocols
etc.
However, we do not authenticate outbound web surfing/ftp.
Now I have heard various comments in the past:-
"Don't auth outbound - you will only have
Morten
You were correct about the reverse rule - I had a some rules hidden
(masked) which I hadn't taken off - including the reverse network2-network1
(doh !) ;-)
(I really need a holiday, or a few beers - or preferably both)
Even so, there is no separate rule for Accept - just encrypt
And
Just curious...
What are you using to back up the actual firewall itself ?
Tim Higgins
"Arie Gilboa"
I loaded SR 4153 onto NT WS 4.0 SP5 recently and bound SR to all cards.
Now NT WS login is very slow. (install to dialup only is okay).
Any ideas what's wrong ?
TIA
Tim Higgins
Nokia box...mmm...got a big wallet ?...easy to setup but not to tweak for
weird situations ? ;-)
Tim Higgins
"Jarmoc, Jeff"
Hi
Thanks but I just tried this - didn't work either :-(
Tim Higgins
Ville
Hi All
Thanks to everyone for their suggestions on my Log Viewer details missing
problem.
My VAR just called and told me that there was sometimes a problem with FW-1
4.0 SP4 and SP5 with Policy names over 31 chars.
Resaved the policy with short name and - bingo - it works now !
Just thought
Hi
(VPN-1 4.0 SP4 on NT SP4)
Got a strange problem - logviewer suddenly not showing all details:-
No. , Date, Time, Interface, Origin, Type, Action are all okay - as is end
column Info.
Tried fwstop/fwstart and restart GUI and hide/unhide columns - no good.
Actually - just noticed that some
Hi Mike
Already tried that - no good. Column headings are there just no details.
Have seen something interesting on CP site about this being caused by hosts
file and objects.C file not having same ip/name ?
Checking it out right now - haven't made any recent changes but our remote
firewall
Hi
Tried fw logrotate - command doesn't exist - is this on a different version
of fw or OS ?
Tim Higgins
Sid Van den Heede
Hi
Tried logswitch (NT equiv - thanks Jason) and fwstop/fwstart - didn't fix
it though.
Tim Higgins
Sid Van den Heede
Bags of memory, disk and CPU left - doesn't appear to be the problem.
logswitch didn't work
Only thing I haven't done is reboot main fwall.
Tim Higgins
Update:
Reboot main fw didn't work either, or restart GUI.
Tim Higgins
[EMAIL PROTECTED]
BT are doing a similar thing in the UK for their ADSL service in terms of
server usage not being allowed unless you have a business connection.
Haven't seen anything banning VPN usage though and I hope not to. Are we
going to have a crazy situation where people who already have consumer
I see this performance issue as a potential security risk.
(Why ?!) - The log viewer performs so badly that it is tempting to only use
it when looking for known issues that have been raised or when testing
rather than using it proactively and for regular security reviews.
Now, sure, there are
There is at least one occasion when Reject is better - for the Ident
service.
In simple terms:-
It appears to speed up some email systems because they 'expect' to see back
some sort of response to an Ident query and a quick Reject will do just
fine.
(Previous posts detail more)
Tim Higgins
See:-
http://www.phoneboy.com/fw1/faq/0054.html
Tim Higgins
Ryan Finnesey
Hi Mike
We were getting this problem in Win 95/98 and fixed it as per your
instructions (thanks) but we have noticed that we get the same problem in
Windows NT WS 4.0.
Do you have any fixes for this ?
We tried the Win 95/98 registry hack (guessed at /DHCP/... as the path)
- it didn't
Hi
Does anyone else out there use SessionWall-3 (renamed eTrust) after CA
buyout ?
If so where are you getting FAQs, support, training from ? (neither CA or
Abirnet sites have a FAQ for this product yet).
The reason I'm asking is that whilst the US appears to be spoilt for choice
on
Webtrends seemed to be pushed the most by the VARs when we were looking
(but maybe they get a bigger cut on this ?!).
Anyway - we went for Verisign SecureView which (it turns out) is poor, not
user-friendly and has quite a few bugs so I would recommend staying clear
of this at least.
I too am
Roman
I have just looked at the Telemate web site and it talks about Telephone
usage monitoring !
Now, it does say it can report off firewalls as well but it seems to be
focussed around phone stuff ?
Do you buy different Telemate modules depending on what you want to use it
for ?
TIA
Tim
Hi
Maybe the Lucent product is good BUT Checkpoint FW-1 has about 52% of the
world firewall market (60% plus in Europe) and will have better skill
availability and equipment/3rd party add-ons available.
I know that this is not exactly directly related but:-
For me running Lucent Systimax 110
Mike
Your IP release fix worked a treat and cured our "not authenticating"
problem caused by SR thinking we were already on the internal network due
to the DHCP'd IP addr on the PCMCIA card - thanks very much.
Just another question - if your PCMCIA card has a fixed IP address would
this cause
Hi
I still have intermittent problems with NT domain login from our Windows 95
Secure Remote 4153 clients to our FW-1 4.0 SP4 (NT 4.0 SP4) firewall.
Sometimes fw login screen does not appear at all.
I have tried:-
a. A full hosts files on the clients
b. An lmhosts files with 1 entry:-
Yes - the PCs have a DHCP address when connecting directly into our network
and a DHCP address on the dialup adaptor when dialling into ISP.
We ONLY have SR bound to Dialup Adaptor - so how can this network card
affect us ? - if despite my information you still believe that it is
related to
Hi
I think you are talking about a slightly different problem here.
Basically we have intermittent problems with SR clients (see start of
thread in this email) - they won't bring fwall login screen up.
On some a ping forces it but this is a bit naff anyway.
Now James has kindly suggested
Hi
Server 1 is PDC, Server 2 is BDC ?
TIA
Tim Higgins
[EMAIL PROTECTED]
Hi Mike
Yes please - I'd like to try the release stuff - although I am totally
flummoxed as to why this is affecting us now when the same setup worked a
couple of weeks ago !
Look forward to your fix.
Thanks
Tim Higgins
Using SR 4153 (CP 4000) Windows 95 laptops with CP 4.0 SP4 Firewall on NT
server.
Working okay BUT - NT domain login won't seem to work without WINS server
entry - I thought from other list entries you could add lmhosts file -
tried several permutations but ONLY if I specify a WINS server in
Thanks (sorry for not sending to majordomo originally) ;-(
Tim Higgins
[EMAIL PROTECTED]