I seem to have lost the option to choose a policy server when setting up
a profile with this client. This causes an issue when the policy server
is not located on the VPN gateway. Has anyone experienced this same
problem? Thanks, Gary
Correct. If you read the VPN-1 .pdf for r-55 you can see the
restrictions imposed for doing VPN routing.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Lyle
Dove
Sent: Friday, September 24, 2004 1:00 AM
To: [EMAIL PROTECTED]
Has anyone run into these errors on the Nokia platform? [LOG_CRIT]
kernel: FW-1: fwconn_get_bits: failed to get bit value of bit category 6
=
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of
Automatic arp is only for automatic nat rules. This does not work for
manual nat rules.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Phil
Wang
Sent: Wednesday, October 06, 2004 7:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1]
Hi Reinhard, thanks for the reply. I really wish I could take your
statement below and put this one to rest, but...even after changing the
settings listed in the resolution below I see no change in this
behavior...
And yes I entered false not faulse. Maybe I should try faulse? :)
-GS
What to do
PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] split DNS with office mode
Sure, isn't that how it's supposed to work? The internal DNS is a superset
of the external DNS.
Why is this a problem for you, Gary?
Ray
From: Gary Scott [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
This is not true with secureclient/office mode but it is true with
securemote or secureclient. With secureclient/office mode all DNS
requests are sent to the internal DNS server regardless of domain suffix.
Hence the problem.
When you define the domain for office mode you do not have the option to
supposed to work? The internal DNS is a superset
of the external DNS.
Why is this a problem for you, Gary?
Ray
From: Gary Scott [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] split DNS with office mode
Date: Wed, 1
You can do a cpstop then delete or move the entire contents of the log
dir.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Robare
Sent: Thursday, December 02, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NG-1 -
You use only the state sync piece of Checkpoint's clusterxl with Nokia
vrrp or IP clustering. This does require that clusterxl is enabled.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Roger P
Herr
Sent: Wednesday, December 08,
Incorrect, Checkpoint has changed this so you do not need a license to
do clusterxl HA but you do if running clusterxl load sharing.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Will
Zegeer
Sent: Wednesday, December 08, 2004
I have to concur. The new 4[1].5.64x solved this problem for me on an edge x box.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Jake
Hildreth
Sent: Wednesday, December 08, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1]
1. yes
2. depends on the version of ipso, in ipso 3.8 you have an option to monitor
the fwd process under the vrrp settings, careful with 3.8 it has its own r-55
build.
3. with ha only you do not need the clusterxl license, however you will need an
additional FW lic for the failover box.
-GS
The connection tables are at the FW not the MC.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Jean-Christophe Valiere
Sent: Thursday, December 09, 2004 7:50 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] fw tab error
Hello,
Let me
We all stand slightly corrected. The fw tab command can be run on a
management console, however when you specify a hostname this hostname
must be that of a FW module. Even if the fw tab command is run on a FW
with the hostname or IP of a defined non-fw module object you will
still get unknown
length,
ours is like 1k or something. It will be lowered asap.
HTH,
Ron
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Gary
Scott
Sent: Monday, December 13, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Invalid Content
I do not fully endorse this but you can go to the pre-defined http
service/advanced and set the protocol type to none. It appears that we are
getting AI built in even if you have all the AI stuff disabled. I just tested
this and all the images on the page pulled. Thanks for providing the url
are the implications of setting http to none?
Thanks,
Ron
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Gary
Scott
Sent: Wednesday, December 15, 2004 7:37 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Invalid Content Length
Ron, I don't think
Straight from CP...
To resolve the error:
1) In SmartDashboard, click the SmartDefense Tab.
2) Under Application Intelligence, click to open the Web menu tree.
3) Click HTTP Protocol Inspection.
4) If Configurations apply to all connections is enabled, choose
Perform optimized protocol
You can use the audit feature within the log viewer.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Chandraprakash Suryawanshi
Sent: Tuesday, January 18, 2005 5:57 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1]
This is detailed in the FP3 vpn user guide in the chapter on vpn
routing. You are much better off running r-55 if you want to do hub
mode/route all traffic through gateway, much cleaner setup.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On
The default port of the Web interface in SecurePlatform is HTTPS 443.
The default port can be changed from the command line in Standard
mode, as follows:
1) Login to SecurePlatform in Standard mode, either locally or in SSH
session.
2) Type the command:
webui enable https_port_number
The
You have to do manual proxy arps. If there is an interface flap and you
are using automatic proxy arps they will disappear. CP claims to be
fixing this in the next major release.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Kai
Try going into manage/users and administrators/actions/install you
should see the secondary MC as well as the primary. Install the
user/object database to both. The secondary MC should then start
accepting the logs it is being sent.
-GS
-Original Message-
From: Mailing list for
Only r-55 is supported with win2003
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Saliba
Sent: Monday, February 07, 2005 11:59 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Upgrading Server OS on
this
needs to be done. Much appreciated.
Regards,
Phil
-Original Message-
From: Gary Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 February 2005 11:24 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Not receiving logging on the secondary Management HA
Server
Try going
r55, r55w and r55p all have their own upgrade_export utility. The one
for download on CP's site is for r55. You should be able to use the one
that gets installed in the $FWDIR/bin/upgrade_tools.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL
Have you set the 3rd party HA options for Nokia clustering for the
cluster object/installed policy? Are you running 3.8? Forward or
multicast?
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Neil
Kemp
Sent: Thursday, February 10,
You can get all the current details here...
http://pricelist.checkpoint.com/sections/main.asp
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Simon Desmeules
Sent: Monday, February 14, 2005 9:00 AM
To:
You are running CP express. With this you do not get the persistence
option.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Satana
Sent: Tuesday, March 01, 2005 7:12 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject:
I log on to a win2k domain with the r-56 client using SDL and I have no
inbound allowed rules on the client. I use the same desktop policy that
is listed below.
I believe what Richard has listed below is needed for the inbound FW
rule, I take the easy road here and say any.
-GS
-Original
, March 01, 2005 11:57 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Connection Persistence
Ok. So my options are
1 - Define it per single service
2 - Upgrade to Enterprise product
is this correct ?
Thanx a lot
Lorenzo
- Original Message -
From: Gary Scott [EMAIL
I see this too when a network has a DHCP scope that is larger than the
limited license, or a WAN is connected and the remote IP's are seen by
FW-1, or you are doing server sided static NAT..which causes the natted
IP to be seen as the source on the internal interface.
When you do an fw lichosts
Try a detach and re-attach. If you do a cplic print on the FW what license do
you see? Before and after the detach/reattach.
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Satana
Sent: Thursday, March 03, 2005 2:18 PM
To:
Are you referring to how NG does stateful ICMP inspection, as opposed to
4.1 where you had to add the return rules for ICMP to work?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Hill,
Lindsay, VF-NZ
Sent: Monday, March 07,
You are correct Ray, you can also use the command fwm dbload module to
get it installed.
Matt, you are also correct installing just the user database has been
problematic for some time.
CP is aware and has issued an sk stating
Installing only the User database is not recommended in NG, since
through the any service
no these are all R55 HFA-8
ICMP works fine but it is being passed under a rule that has service set
to ANY.
I am trying to limit what can be reached by ICMP.
I guess I could just negate ICMP.
- Original Message -
From: Gary Scott [EMAIL PROTECTED]
To: FW-1
on the SPLAT box and it let me run the command
fwaccel on; however when I run the fwaccel stat, it tells me that
the VPN acceleration card is not installed.
Are we talking about the same thing here?
Gary Scott [EMAIL PROTECTED] wrote:
Yes, securexl
-Original Message-
From: Mailing list
On this note, for those who are not aware, the current r-55 wrapper
bundle downloadable from CP now contains HFA-12.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
cisco4ng
Sent: Wednesday, March 09, 2005 6:11 AM
To:
NGX requires a new license.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of C. L.
Martinez
Sent: Tuesday, June 21, 2005 4:54 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] SmartPortal license
Hi all,
I
license_upgrade or I need to buy a specific license.
On 6/21/05, Gary Scott [EMAIL PROTECTED] wrote:
NGX requires a new license.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of C. L.
Martinez
Sent: Tuesday, June 21
Do the clients have a desktop policy installed?
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Deanna
Miller
Sent: Wednesday, July 06, 2005 5:06 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Cannot access
This is doable, some also manually define internal WINS servers. But why
not define a securemote DNS server for the securemote clients. With this
you can limit the queries to specific domains.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL
-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Gary
Scott
Sent: Wednesday, July 06, 2005 4:53 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Cannot access Laptop running Secure Remote from
internal network
Do the clients have a desktop
Is the traffic making it to the FW? Are you having arp issues? Just a
thought.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie
Saliba
Sent: Tuesday, July 19, 2005 12:21 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Yes, just create it.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
Baker
Sent: Tuesday, July 26, 2005 10:58 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SecurID Authentication
Do you know what
Anyone know why you can not add any additional remote access
communities? It appears to be grayed out within the smart dashboard.
However using guidbedit you can add new remote access communities and
they do show up in the dashboard. Thanks, GS
In r-56/r-60 this is defined under the site profile. However you should
not need to force udp encapsulation unless you are behind a nat device
that does not do port translation. The translated port will cause the
client to use udp encapsulation without having to force it. Either way
the FW needs
that some user
groups can connect to one Internet gateway and the rest to another (in a MEP
configuration), by defining to which firewall each rule is installed. You
can also have different authentication schemes for different users.
On 7/28/05, Gary Scott [EMAIL PROTECTED] wrote:
Anyone know why
What do you see from a tcpdump and an fwmonitor?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Chad
Ingram
Sent: Wednesday, August 03, 2005 8:25 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Problems
Partial will not work for https. Go to edit the client auth action then
click on help for a full explanation of the difference between the
methods.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Rajeev
Gupta
Sent: Thursday,
- by the way, the first
rule works in my case for https but it is the other two rules that do not
work - if you take a fresh look at my first message where I gave details on
my rules configuration.
Rajeev
On 8/4/05, Gary Scott [EMAIL PROTECTED] wrote:
Partial will not work for https. Go to edit
I too had this problem and did not have the solaris expertise, time or
money to spend with CP. I re-installed solaris 2.9 from CD, checked for
the required patch, which was already present, then installed P-1-R55
with no problems.
-GS
-Original Message-
From: Mailing list for discussion
Boot manager comes on the 8m sandisk on the 530's, you can write the
.bin to it using a linux box. As long as you can find a hard drive that
is compatible with the MB the boot manager and partitioning should not
be a problem.
-GS
-Original Message-
From: Mailing list for discussion of
Trying to install a policy from an r-55-hfa-14 manager yields the error
below. Has anybody else seen this or have a possible fix? Checkpoint
support is clueless. Thanks, GS
Policy Status Details
Adv. Security Error Compilation failed
Adv. Security Error
Antonio, what is the exact error that you see when you enable malformed
png?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio
Costa
Sent: Friday, November 18, 2005 5:36 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Slightly off track but since we are talking logging and NGX I was
wondering if anybody else is seeing the same problem I am. Whenever auto
static NAT is defined for a management console that sits on a local
subnet to a pair of splat boxes running clusterxl I lose logging from
the local cluster.
CP is calling r60A a hotfix per the release notes. Can the entire r60a
version be downloaded or ordered on CD? Has anyone seen the r60a release
for windows? Would you apply hfa-01 for r60 to r60a? I have to agree
with Reinhard; it appears that all you get from r60a is a new tab for
CI, the ability
I too have got away with adding multiple IP's to the internal interface
in certain circumstances but external is a different story. If you add a
secondary IP externally then the FW may start using that IP as the
source causing a wide array of problems. The official way to add IP's to
an interface
I've done this with NGX-splat to a cisco router with no problems.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Reinhard Stich
Sent: Thursday, December 29, 2005 4:49 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
To follow up on this thread. The problem below which I also had Warning:
Can't find:::CPMP-SMPO-U-NGX in cp.macro. License Version might
not be compatible.
Was solved by Checkpoint re-doing the license string, the one I had initially
contained CPVP-VEE-U-3DES-MGMT-NGX CPMP-PRO-U-NGX
Check the vpn-1 pdf. You can get this from CP's site from the
configuration doc downloads or if you have the cd look for a folder
called docs.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Lindsay
Hill
Sent: Friday, January
The client has no way to know what IP you are natting the FW to since
it is natted by a different device. I do not know if this works in NGX
but with 4.1 you can change the IP here... : (VPNHome.isildur
:obj (
:
Better yet check out CP res. sk11682
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of chkp
tech
Sent: Friday, February 17, 2006 2:41 PM
To:
to fw, userc.c is overwritten.
Gary, I find this morning this solution from Checkpoint's website, but
I can not have enterprise access. Can somebody send me please this
solution via email??? At this moment, this problem turns very urgent.
Thanks.
Gary Scott wrote:
-BEGIN PGP SIGNED MESSAGE
Granted CP has had its issues with auto proxy arp but I have this working on
win2k sp-4 r-55-hfa-11. You need to do one or the other, local.arp or auto, it
is not until NGX that you can merge manual and auto proxy arps. If you can't
get the proxy arp function to work then add a simple static
This sounds like the good ole ike_use_largest_possible_subnets. What
kind of error messages do you see?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
cisco4ng
Sent: Monday, February 27, 2006 12:46 PM
To:
Do you have pre-share selected under the gateway props/vpn/traditional config?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of sin
Sent: Friday, March 03, 2006 2:44 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject:
Vlan is the only supported method for adding additional IP's to
interfaces. If that is what you mean by alias. You can get by in some
cases by just adding an additional regular IP to an interface, I have
several I do this with on test machines but...I have seen where an alias
was added for an
In most P-1 deployments I deal with there is no NAT for the CMA's. I
would have to say don't NAT if possible. No SIC, fetch, push or logging
issues.
There is a problem with NGX and natting the manager in a standard
distributed environment, haven't tested this with P-1. I have posted
this to the
For the pre-share to be used you must have the auth type for the user undefined.
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Philippe Blavier
Sent: Sunday, March 05, 2006 6:18 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Has anyone been successful getting dynamic interface resolving for
securemote to work when the manager is NGX and the gateway r55? Setting
the link selection to probe works only if the gateway is NGX. Thanks,
-GS
Thanks Jeremy, but this only seems to apply to site to site vpn's. Even
with this selected I do not see the remote clients sending RDP packets
to any interface of the FW as it should with the probing/dynamic option.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
) and there
you have the choice of static or dynamic.
Jeremy Lieb CCSE-NG CCSE+ NG
Firewall Administrator
Open Text Corporation
847-267-9330 ext 4395
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Gary
Scott
Sent: Tuesday, March 07, 2006 6:00
What drops are you seeing?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Brooks,
George CTR
Sent: Wednesday, March 08, 2006 11:29 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Disable SmartDefense
I
) and there
you have the choice of static or dynamic.
Jeremy Lieb CCSE-NG CCSE+ NG
Firewall Administrator
Open Text Corporation
847-267-9330 ext 4395
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Gary
Scott
Sent: Tuesday, March 07
4 hours last I checked.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Andres
Duffour
Sent: Friday, March 10, 2006 2:03 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] refresh time for dynamic arp table
hi,
Me too. I am managing r55-hfa-17 FW's with a NGX-hfa-02 manager and I
still see the 995 drops when trying to join a machine to the domain
through a FW, 2003 hf-1 DC. I've tried modifying every dcerpc.def file I
could find and doing the dcerps_hfa.def replacements. Noticed you got a
new
I found a fix thanks to Nathan! I do not use smartdefense and have not updated
it in about 5 months. After all the failed attempts with the CP resolutions the
suggestion to do a smart update was done. Once done I no longer see any 995
drops. So go figure! If I did not have the SD subscription I
You may want to try getting your license manually and perform the upgrade
bypassing the license upgrade part. You can apply your license after the
upgrade. If that still gives you problems you can try the upgrade
/export/import method on a clean install.
-GS
-Original Message-
Make sure you have the destination network defined under the topology
for the interface it is leaving.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
Louis
Sent: Monday, April 10, 2006 9:55 PM
To:
Integrity clientless uses browser based SSL.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Felix Bueltmann
Sent: Wednesday, April 12, 2006 9:01 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Antwort: [WW
You will see this also if you do not have a route defined for the new networks.
Which platform is this? Thanks,
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of cisco4ng
Sent: Friday, April 21, 2006 2:44 PM
To:
Audit log.
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Matt Leist
Sent: Wednesday, May 10, 2006 10:04 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Is tracking policy changes easier in NGX?
Is it easier to
I have got away with this by doing an upgrade_export/import of the CMA
to a stand alone manager, both the stand alone and CMA were able to
install policies to the same modules at the same time due to the SIC
stuff being identical. I don't think this is supported and the correct
way would be to do
With NGX it is no longer an add-on, it is installed with the FW.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Caballero Carlos
Sent: Tuesday, June 20, 2006 9:33 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject:
Check out Solution ID: #sk31267
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Jeremy R Morrill
Sent: Friday, June 30, 2006 11:19 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Gotomeeting.com
Has anyone
This used to work, haven't tried this with the newer versions...
http://www.spy-hunter.com/SecureClienttoaNATedFWfinal.pdf
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
cisco4ng
Sent: Tuesday, July 18, 2006 6:08 PM
To:
Try fw unloadlocal
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Lamblot, Alain
Sent: Thursday, July 20, 2006 3:42 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] fw unload localhost on NGX ?
Hello,
I
You may be defined as a host; you can convert this to a gateway by right
clicking on the object.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Roberto
Lauriola
Sent: Saturday, July 22, 2006 3:37 AM
To:
fw unloadlocal, does SIC check out good? When you try to install a policy what
error(s) do you see? Are you getting logs from this module?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
Behalf Of Crist Clark
Sent: Monday, July 24,
Has anyone been able to block Windows Live Messenger..aka.. MSN
messenger by using the header rejection within web intelligence with
NGX-hfa03? If I setup a manual header rejection using MSN-Messenger as
the header name and a resource rule for http traffic I can get it
blocked. If I have a regular
Can you connect after doing an fw unloadlocal?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Yang
Xiao
Sent: Thursday, August 03, 2006 5:42 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Smartdashboard
Yes, with NG you can have up to 256 interfaces; NGX (at least on splat)
supports 1024. Make sure you do a get topo after adding the interface.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Moon,
Curtis
Sent: Friday, August
You have an option in NGX smartdefense to block file transfer with MSN
messenger over MSNMS and SIP. I haven't tested this. I don't see this
option for the other messengers.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
Yes. UDP 8116 broadcasts are necessary for cluster-status health checks,
when a Check Point ClusterXL clustering solution is implemented.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Clive
Luk
Sent: Tuesday, August 15, 2006
You can also run the history command, then !history number to get that
command to run.
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Deniz
Cevik
Sent: Wednesday, August 16, 2006 10:33 AM
To:
Is the user part of the user group you are using? Do you have any restrictions
on source or destination for that user? If you use the all user group does it
still fail? Do you see this with all users?
-GS
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL
.
Check Point support can offer a HotFix (new CPinfo package) to resolve
this issue.
Gary Scott
Sr. Security Engineer
Vigilar, Inc.
900 Ashwood Parkway, Suite 290
Atlanta, GA 30338
phone: 866-365-8401
fax: 770.481.2101
email: [EMAIL PROTECTED]
Your Trusted Partner
I can confirm, but I can't tell you which .def files are changed, I
think this may vary depending on whether or not the hfa contains changes
to that particular .def file. Yes CP does leave you hanging here, here
is a clip from a KB solution, note the word may.
Any .def file modification may not