Gary and all, fw ver -k gives:
This is Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_11, Hotfix 304 - Build 001 kernel: NG with Application Intelligence (R55) HFA_11, Hotfix 304 - Build 001 Weird, 'cause like we've discussed, using regular http *is* our workaround. But, then again, we've got the header length value bumped up really high. What are the implications of setting http to none? Thanks, Ron -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] Behalf Of Gary Scott Sent: Wednesday, December 15, 2004 7:37 AM To: [EMAIL PROTECTED] Subject: Re: [FW-1] Invalid Content Length Ron, I don't think this will help but it's worth the mention. With r-55-hfa11 using just regular http the link below would not display most pictures within, would get the red x for most, and I would see drops due to content length, setting the http protocol to none did allow the total page to be displayed with no drops. I also tested this site with a default install of r-55 no hfa and no modification to the http service and the web page was displayed properly. So there is definitely a difference in content inspection of the http service between r-55 no hfa and r-55 hfa11. The release notes for all the hfa's do not contain any information for http content inspection. Just curious, which version/hfa are you running? Thanks, -GS -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ron Jack (Systems Network) Sent: Tuesday, December 14, 2004 3:06 PM To: [EMAIL PROTECTED] Subject: Re: [FW-1] Invalid Content Length This reminds me. We only see the error when using http with a websense ufp resource. Also, the pre-defined http could not be changed to "none" while it's being used with a resource. I guess I could tear everything apart, set http to none and add the resources back, but we're not quite to that point yet. Our current workaround is to send traffic to an increasing list of networks straight out on port 80, bypassing the resource. Finally, if the above workaround is dependent on a large http header length, ours is like 10000k or something. It will be lowered asap. HTH, Ron -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] Behalf Of Gary Scott Sent: Monday, December 13, 2004 12:21 PM To: [EMAIL PROTECTED] Subject: Re: [FW-1] Invalid Content Length I do not fully endorse this but....you can go to the pre-defined http service/advanced and set the protocol type to none. It appears that we are getting AI built in even if you have all the AI stuff disabled. I just tested this and all the images on the page pulled. Thanks for providing the url so we all could see this. -GS -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ron Jack (Systems Network) Sent: Monday, December 13, 2004 11:26 AM To: [EMAIL PROTECTED] Subject: Re: [FW-1] Invalid Content Length -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] Behalf Of Eric Gomes Balcone Sent: Monday, December 13, 2004 11:03 AM To: [EMAIL PROTECTED] Subject: Re: [FW-1] Invalid Content Length I increased size, but didn�t solve my problem. Eric Same here. This site generates the error pretty reliably: http://editorial.gettyimages.com If one finds a length (or other fix) that addresses the problem, please share. Ron ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
