That is a good question, and I am not sure of the answer. It is my
understanding that the connections in the connections table will time out
eventually. I guess the question is how different people view that as a
security issue. Maybe someone else can shed some light on this.

Scott



From: "N. Endgirgli" <[EMAIL PROTECTED]>
Sent by: firewalls-admin@lists.gnac.net
Date: 10/18/2001 08:20 AM
To: "Ben Nagy" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: Citrix client disconnections




Thanks, I haven't tried it yet but I'll try it over this weekend.
Just wonder if there is any security threat as a result of keeping all
connections? Should I adjust memory assigned to connection tables in this
case? Should I decrease TCP timeout in properties of the policy? (I changed
it from default to 900 regardless, but should I decrease it further in this
case?)
Thanks.
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Ben Nagy" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "'N.
Endgirgli'" <[EMAIL PROTECTED]>
Sent: Monday, October 15, 2001 10:35 AM
Subject: RE: Citrix client disconnections


>
>      If you add the "keep" option to table.def, it will not flush the table
> on policy install. Here is what the section should look like.
>
> connections = dynamic refresh sync expires TCP_START_TIMEOUT
> expcall KFUNC_CONN_EXPIRE kbuf 1
>
> #ifdef SECUREMOTE
> implies userc_verified_connections
> #else
> implies ftp_restrictions
> #endif
> hashsize 32768 limit 25000 keep;
>
>
>      Notice the "keep" option on the hashsize line. I successfully used
> this to keep our VPN Citrix sessions from being dropped during a policy
> install.
>
>
> Scott
>
>
>
> From: "Ben Nagy" <[EMAIL PROTECTED]>
> Sent by: firewalls-admin@lists.gnac.net
> Date: 10/12/2001 08:11 PM
> To: "'N. Endgirgli'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Citrix client disconnections
>
>
>
>
> AFAIK there is nothing that will fix that. Installing a new policy
> flushes all the sessions. If it didn't it would be a bug - you could
> have a situation where there was traffic still flowing through the
> firewall that was against the current policy.
>
> Cheers,
>
> --
> Ben Nagy
> Security Guy
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of N. Endgirgli
> > Sent: Saturday, October 13, 2001 5:13 AM
> > To: Jay Wehring; [EMAIL PROTECTED]
> > Subject: Re: Citrix client disconnections
> >
> >
> > Clients are not disconnected after inactivity period of time.
> > THEY ARE DISCONNECTED WHEN I INSTALL POLICY IN THE FIREWALL.
> > So I just wonder if there is anything that can fix that (CP
> > solution I mentioned earlier doesn't work)
> [...]
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
>
>
>
>
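
An added example, not part of the original thread and not Check Point's own tooling: a small Python audit that lists which tables in a table.def-style file carry the "keep" attribute, that is, which ones the thread says are not flushed on policy install. It assumes the statement shape shown in the quoted section (name = attributes ... ; with preprocessor lines in between); the sample text and the table name example_table are constructed.

```python
import re

# Constructed sample in the shape of the section quoted in the thread.
# "example_table" is a made-up second entry for contrast.
SAMPLE = """\
connections = dynamic refresh sync expires TCP_START_TIMEOUT
expcall KFUNC_CONN_EXPIRE kbuf 1

#ifdef SECUREMOTE
implies userc_verified_connections
#else
implies ftp_restrictions
#endif
hashsize 32768 limit 25000 keep;

example_table = dynamic expires 60 hashsize 512 limit 1000;
"""

def parse_tables(text):
    """Return {table name: info} for every 'name = attrs ;' statement."""
    # Drop preprocessor lines (#ifdef/#else/#endif); both branches are kept,
    # which is fine because only the attribute words matter here.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    tables = {}
    for stmt in body.split(";"):
        m = re.match(r"\s*(\w+)\s*=\s*(.*)", stmt, re.S)
        if not m:
            continue
        name, words = m.group(1), m.group(2).split()
        info = {"keep": "keep" in words}
        # Attributes that take a value: the token following the keyword.
        for key in ("expires", "hashsize", "limit"):
            if key in words and words.index(key) + 1 < len(words):
                info[key] = words[words.index(key) + 1]
        tables[name] = info
    return tables

def kept_tables(text):
    """Names of tables whose entries are not flushed on policy install."""
    return sorted(n for n, i in parse_tables(text).items() if i["keep"])

if __name__ == "__main__":
    for name, info in parse_tables(SAMPLE).items():
        state = "KEPT across policy install" if info["keep"] else "flushed"
        print(f"{name}: {state}, limit={info.get('limit')}, "
              f"expires={info.get('expires')}")
```

Running it against the real file after each edit gives a quick record of which tables can hold entries that predate the currently installed policy.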