I apologize if I have upset you in some way; I was curious as to whether anyone had run into this before.
In ICMP I have no advanced button or tab and have never seen one there to allow me to get to match for any. I have a ticket open with Check Point; when I find out what the problem is I will post. I have created a new CMA and installed an IP-130 and I have the same issue. I am using Provider-1 but I do not have any Global groups. I will look through my objects file. Thank you for all your help.

Tom

----- Original Message -----
From: "Rajeev Gupta" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, March 08, 2005 9:21 AM
Subject: Re: [FW-1] ICMP going through the any service

> Stala, if match for any for all of the ICMP pre-defined services is
> unchecked in the respective services advanced tabs, and your global stateful
> inspection is unchecked as well, it is strange that the rule with 'any'
> services is still allowing traffic through. It is possible that you have
> some user defined ICMP services (just to check in case it is defined?) which
> have 'match for any' selected.
>
> If everything is bewildering as you seem to have found, I would recommend
> going through $FWDIR/conf/objects_5_0.C file that has a property for each
> service as ':include_in_any' with 'true/false' flags. You will generally
> find many simple services such as HTTP will say ':include_in_any (true)'
> whereas SIP will say ':include_in_any (false)' and there are a large number of
> complex services that are set to false by default. You may like to check the
> file for flags set on ICMP services and you can perhaps test in case there
> is some other service that is causing the ICMP to go through because of it
> being set to 'true' - maybe a bug?
>
> hth,
>
> Rajeev
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Stala
> Sent: Monday, March 07, 2005 6:05 PM
> To: [email protected]
> Subject: Re: [FW-1] ICMP going through the any service
>
> In SmartDashboard set your view to objects list.
>
> In the objects tree select services and then ICMP; it lists all ICMP services as No
> for match on any.
>
> I am under the impression that it is not supposed to match for any service.
>
> ----- Original Message -----
> From: "Hill, Lindsay, VF-NZ" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Monday, March 07, 2005 3:04 PM
> Subject: Re: [FW-1] ICMP going through the any service
>
> Global properties just affects the implied rules - if you have it turned
> on, ICMP is allowed through via an implied rule. Turn on implied rules
> to see it.
>
> Effectively it's just another rule - it doesn't impact any rules that
> you might add yourself. ICMP requests match for any, so of course it's
> going to be allowed through.
>
> - LH
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom
> Stala
> Sent: Tuesday, 8 March 2005 7:32 a.m.
> To: [email protected]
> Subject: [FW-1] ICMP going through the any service
>
> I have a couple of firewalls that allow an ICMP request through under the
> any service.
>
> like my-net to this ip any-service accept
>
> I am getting ICMP through this rule.
>
> Under global properties I have ICMP un-checked.
>
> I am running R55 hfa-8.
>
> Has anyone run across this before?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
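
An added example, not part of the original thread and not Check Point tooling: a sketch of the objects_5_0.C check suggested in the quoted reply, listing ICMP services whose ':include_in_any' flag is true. The sample text, the service names and the ':type (Icmp)' attribute are constructed assumptions about the file layout, and the parser assumes one attribute per line with no parentheses inside values.

```python
import re

# Constructed sample in the nested ":name (value)" layout of objects_5_0.C.
# Service names and the :type attribute are assumptions, not from the thread.
SAMPLE = """\
(
    :services (services
        : (http
            :type (Tcp)
            :include_in_any (true)
        )
        : (echo-request
            :type (Icmp)
            :include_in_any (false)
        )
        : (my-ping
            :type (Icmp)
            :include_in_any (true)
        )
    )
)
"""

OBJ_START = re.compile(r"^\s*: \(([^\s()]+)\s*$")     # ": (name" opens an object
ATTR = re.compile(r"^\s*:(\w+) \(([^()]*)\)\s*$")     # ":attr (value)"

def services(text):
    """Yield (name, attrs) per object, tracking parenthesis depth."""
    depth, current = 0, None          # current = (name, attrs, inner_depth)
    for line in text.splitlines():
        m = OBJ_START.match(line)
        if m and current is None:
            current = (m.group(1), {}, depth + 1)
        elif current and depth == current[2]:
            a = ATTR.match(line)
            if a:                     # only direct attributes of the object
                current[1][a.group(1)] = a.group(2).strip()
        depth += line.count("(") - line.count(")")
        if current and depth < current[2]:   # object's closing paren seen
            yield current[0], current[1]
            current = None

def icmp_matching_any(text):
    """Names of ICMP services whose include_in_any flag is true."""
    return [n for n, a in services(text)
            if a.get("type", "").lower() == "icmp"
            and a.get("include_in_any", "").lower() == "true"]

if __name__ == "__main__":
    print(icmp_matching_any(SAMPLE))
```

Run against a copy of the management server's objects file rather than the live one; any name it reports is a service that a rule with 'any' in the service column would match.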
