SecurePlatform makes a great management server and install is fast and easy... It's even supported:
http://www.checkpoint.com/products/supported_platforms/platforms_appint_r55.html
Eric.

-----------------------

Date: Sat, 26 Feb 2005 08:39:20 -0500
From: Rob Schrack <[EMAIL PROTECTED]>
Subject: Re: Best OS on management station.

Even less in an academic environment! Of course, it's also likely that a Windows server license is going to come with whatever server hardware you purchase.

Remember, Checkpoint only supports Red Hat 7.x and RHEL3. Red Hat 7 hasn't received an update since Dec 2003. Checkpoint doesn't specify which version of RHEL3 to use, only a kernel version, so you could probably get away with the WS version. That'll still cost you $179 US from Red Hat. If you want OS updates beyond the first year, you're going to have to pay a renewable subscription fee on top of that. Free? Not quite..

Solaris is free. You just have to buy SPARC hardware to run it! Checkpoint doesn't support Solaris x86.

You could always run SecurePlatform on an x86 box too. That's the only free linux supported.

Having said all that, we use Win2k boxes for our management servers. If I want another pair of eyes to look at something flakey with the OS, it's a lot easier to find 'em.

Rob

----- Original Message -----
From: Ray
To: [EMAIL PROTECTED]
Sent: Friday, February 25, 2005 8:00 PM
Subject: Re: [FW-1] Best OS on management station.

Of course, but it's a one-time cost of around $650 US. Averaged over the five year life of the OS it comes to thirty six cents a day. It all depends on your situation.

Ray

>From: cisco4ng <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Best OS on management station.
>Date: Fri, 25 Feb 2005 03:44:03 -0800
>
>If you run the management station on Windows 2k, do you have to pay
>licensing fee to microsoft as well? Is linux FREE? That's another
>reason to go with linux instead of Microsoft or Solaris.
>
>My .02c
>
>Ray <[EMAIL PROTECTED]> wrote:
>I use Windows 2000 because I can have the GUI on the box in the data
>center but mainly because I can use my standard disk imaging software
>for DR backups. We use ICA certificates for remote access, so it's
>kind of critical that I always have a good DR backup.
>
>I can restore the Windows image to any hardware and the Check Point
>stuff keeps right on ticking once the OS handles the hardware
>differences. In fact, I'm doing that tomorrow.
>
>Mine runs OK on a 667 MHz P-III with 256 MB of RAM, but I need to up
>the memory because it's sitting right at 260 MB used when nothing is
>open and the box I'm on has a max of 256 MB installed (it's an old
>desktop that I added mirrored drives into).
>
>If there's any chance you will be using an Edge box, make sure your OS
>can manage an Edge. The Windows ones can but I know an IPSO
>SmartCenter can't. Don't know about the other OS versions, though.
>
>Ray
>
> >From: Scott Kellerman
> >Reply-To: Mailing list for discussion of Firewall-1
> >
> >To: [EMAIL PROTECTED]
> >Subject: [FW-1] Best OS on management station.
> >Date: Thu, 24 Feb 2005 19:07:03 +0000
> >
> >Hi all,
> >
> >Quick question. Right now I'm running two Nokia IP530's with vrrp,
> >and about 12 Nokia IP130's in international offices. My management
> >station is also running on a Nokia 530, and I'm going to replace the
> >management station with a different server so I can use the 530
> >somewhere else. The question is: what do you all think is the best
> >OS to put on the management station?
> >
> >Thanks in advance.
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================

------------------------------

Date: Sat, 26 Feb 2005 12:47:01 -0500
From: "Covington, Chris" <[EMAIL PROTECTED]>
Subject: Re: How to auto-authenticate Win2k and Mac OS10 VPN to FW.

You can certainly create a tunnel between the FW-1 and a non-enterprise firewall. We have about 10 VPNs between our datacenter firewall (a super-SPLAT box) and at our sites little $500 Cisco 831s that work perfectly.
---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Alan Choyna
Sent: Saturday, February 26, 2005 12:04 AM
To: [email protected]
Subject: Re: [FW-1] How to auto-authenticate Win2k and Mac OS10 VPN to FW.

Thanks for your response Ray (you have been prolific today).

One of the sites runs FW1, but I don't as yet know which version they are running.

I have set up tunnels between 2 FW1 firewalls, but am not sure whether I could create a tunnel between FW1 and a non-enterprise (more limited functionality) Firewall? I will get more info on Monday to determine which type of Firewall they are running.

Certificates not an option? It's only 1 server per site I am interested in connecting.

Thanks,

Alan

At 07:13 PM 2/25/2005, you wrote:
>This sounds more like a site-to-site activity. Is that possible? You
>could limit the source and destination IPs in the rule.
>
>Ray
>
>>From: Alan Choyna <[EMAIL PROTECTED]>
>>Reply-To: Mailing list for discussion of Firewall-1
>><[email protected]>
>>To: [email protected]
>>Subject: [FW-1] How to auto-authenticate Win2k and Mac OS10 VPN to FW.
>>Date: Fri, 25 Feb 2005 17:42:14 -0600
>>
>>We are running SPLAT R55 HFA9 with securemote R56.
>>
>>We have some Win2k servers that need to push info to a server behind
>>our gateway from an affiliate company 24/7 reliably.
>>
>>We installed Securemote, and the users authenticate via user id and
>>password, and have configured securemote to auto authenticate. This is
>>not entirely reliable though, and every few days (2-3) securemote asks
>>for manual re-authentication. Is this a known problem?
>>
>>Any suggestions of how to make the auto authentication more reliable?
>>
>>Would authentication via certificate be more reliable in this manner?
>>If so, how do we set it up?
>>
>>Thanks in advance for any advice or input.
>>
>>Alan.

------------------------------

Date: Sat, 26 Feb 2005 17:38:41 -0500
From: Ray <[EMAIL PROTECTED]>
Subject: Re: How to auto-authenticate Win2k and Mac OS10 VPN to FW.

I don't know if certificates would stop the asking for reauthentication. Probably only one way to find out for sure.

If they have anything from the 21st century, they should have an encryption license.

Ray

>From: Alan Choyna <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] How to auto-authenticate Win2k and Mac OS10 VPN to FW.
>Date: Fri, 25 Feb 2005 23:03:55 -0600
>
>Thanks for your response Ray (you have been prolific today).
>
>One of the sites runs FW1, but I don't as yet know which version they
>are running.
>
>I have set up tunnels between 2 FW1 firewalls, but am not sure whether
>I could create a tunnel between FW1 and a non-enterprise (more limited
>functionality) Firewall? I will get more info on Monday to determine
>which type of Firewall they are running.
>
>Certificates not an option? It's only 1 server per site I am interested
>in connecting.
>
>Thanks,
>
>Alan
>
>At 07:13 PM 2/25/2005, you wrote:
>>This sounds more like a site-to-site activity. Is that possible? You
>>could limit the source and destination IPs in the rule.
>>
>>Ray
>>
>>>From: Alan Choyna <[EMAIL PROTECTED]>
>>>Reply-To: Mailing list for discussion of Firewall-1
>>><[email protected]>
>>>To: [email protected]
>>>Subject: [FW-1] How to auto-authenticate Win2k and Mac OS10 VPN to FW.
>>>Date: Fri, 25 Feb 2005 17:42:14 -0600
>>>
>>>We are running SPLAT R55 HFA9 with securemote R56.
>>>
>>>We have some Win2k servers that need to push info to a server behind
>>>our gateway from an affiliate company 24/7 reliably.
>>>
>>>We installed Securemote, and the users authenticate via user id and
>>>password, and have configured securemote to auto authenticate. This
>>>is not entirely reliable though, and every few days (2-3) securemote
>>>asks for manual re-authentication. Is this a known problem?
>>>
>>>Any suggestions of how to make the auto authentication more reliable?
>>>
>>>Would authentication via certificate be more reliable in this manner?
>>>If so, how do we set it up?
>>>
>>>Thanks in advance for any advice or input.
>>>
>>>Alan.

------------------------------

Date: Sat, 26 Feb 2005 22:22:01 -0500
From: mastergg <[EMAIL PROTECTED]>
Subject: Re: FW: [FW-1] High Avalability Question

Hello David,

Saturday, February 26, 2005, 10:02:58 PM, you wrote:

RD> Without using a dynamic routing protocol you would be forced to run
RD> a long distance VRRP connection to make both firewalls exist in a HA
RD> cluster.

RD> Long distance bridged connections generally cause problems with
RD> latency that affect state synchronization.

RD> If you must use static routing then you will be forced to bridge
RD> your two firewalls together and build a HA cluster. Not good.

RD> Better to bite the bullet and go to dynamic routing.

RD> Advertize a NATed range to your partner and fail over by routing to
RD> your alternate site.

RD> Better still, advertise two ranges. One production, one contingency
RD> and that way you can always test contingency without affecting
RD> production systems.
RD> Mike Hawkins

RD> -----Original Message-----
RD> From: Mailing list for discussion of Firewall-1
RD> [mailto:[EMAIL PROTECTED] On Behalf Of
RD> [EMAIL PROTECTED]
RD> Sent: Friday, February 25, 2005 4:59 PM
RD> To: [email protected]
RD> Subject: [FW-1] High Avalability Question

RD> All

RD> I have 2 sites Production and DR. Currently my production site has a
RD> firewall back to bank to another firewall (our partner) and all
RD> routing is static. I am in a middle of building a DR site and would
RD> like to have the same functionality and be able to fail over with
RD> out manual intervention, still keeping static routing from the
RD> firewall to our partner. Internal Network has static routes for
RD> partners network is available via VRRP address of the firewall.
RD> Internally i am running OSPF.

RD> any one here has done this ? or have any suggestions ?

Mike

Thank you very much for responding, but I just want to clarify that my partner doesn't want to run a routing protocol with me, and I run clusters in production and Disaster recovery. If I lose a pair of firewalls in Prod location (my firewalls directly connected to my partner I am colo at my partner's site) I want to fail over to the disaster recovery site that is also directly connected to the same partner.
--
Best regards,
mastergg mailto:[EMAIL PROTECTED]

------------------------------

End of FW-1-MAILINGLIST Digest - 25 Feb 2005 to 26 Feb 2005 (#2005-56)
**********************************************************************
