Create a dynamic object (network object) and use the dynamic_objects command line utility to put in the CIDR blocks of the countries you want to block. Create a rule (like rule 1) that has this dynamic object as the source and drop as action, maybe even log them if you want to see how much traffic you are blocking. Sort of like a static Storm_Center implementation.

Roger Herr

WhyNot? Consulting Services
24165 IH 10 West Suite 217-183
San Antonio, Texas 78257
210-860-3990
Some men see things as they are and say why?
I dream things that never were and say "Why Not?"
                                               -Robert F. Kennedy
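As an added illustration of the approach above (not code from the thread or from Check Point), this script turns a constructed list of CIDR blocks into the first/last address ranges that the dynamic_objects utility takes, collapsing overlapping and adjacent blocks first so the enforcement module holds fewer ranges. The -n (create object) and -o/-r/-a (add range) flag syntax is assumed from Check Point documentation, not from this thread, and the sample blocks are documentation prefixes, not real country allocations.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample input: RFC 5737 documentation prefixes standing in for
# the per-country allocations you would download from a registry feed.
SAMPLE_BLOCKS = [
    "203.0.113.0/24",
    "203.0.113.128/25",   # contained in the /24 above; should collapse away
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the /25 above; should merge into a /24
    "192.0.2.0/24",
]


def collapse(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent blocks.

    Fewer ranges in the dynamic object means fewer entries the firewall has
    to check per packet, which is the overhead question raised in the thread.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def cidr_to_range(net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """dynamic_objects takes a first/last address pair, not prefix notation."""
    return str(net.network_address), str(net.broadcast_address)


def build_commands(obj_name: str, cidrs: Iterable[str]) -> List[str]:
    """Emit the CLI lines an admin would run on the enforcement module.

    Assumed syntax (from Check Point docs, not this thread):
      dynamic_objects -n <name>                      create the object
      dynamic_objects -o <name> -r <first> <last> -a add one address range
    The object must also exist as a Dynamic Object in the rulebase.
    """
    cmds = [f"dynamic_objects -n {obj_name}"]
    for net in collapse(cidrs):
        first, last = cidr_to_range(net)
        cmds.append(f"dynamic_objects -o {obj_name} -r {first} {last} -a")
    return cmds


def range_count(cidrs: Iterable[str]) -> int:
    """Number of ranges the firewall will actually hold after collapsing."""
    return len(collapse(cidrs))


if __name__ == "__main__":
    # Five input blocks collapse to three ranges on this sample.
    for line in build_commands("blocked_countries", SAMPLE_BLOCKS):
        print(line)
```

Pair the resulting object with a drop rule near the top of the rulebase with tracking set to Log, as Roger suggests, so the hit count tells you what the block is actually doing.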
----- Original Message ----- From: "Tahir Khan" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, January 02, 2006 9:20 AM
Subject: [FW-1] Block Networks by country


Is there a way to at least block some of the major offenders? Asia?
Eastern Bloc Countries? We only have US traffic, and 90% of our spam,
probes come from those countries. Does anyone have any idea how much
overhead this would add?

Thanks!

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
FW-1-MAILINGLIST automatic digest system
Sent: Saturday, December 31, 2005 3:00 AM
To: [email protected]
Subject: Possible Spam:FW-1-MAILINGLIST Digest - 29 Dec 2005 to 30 Dec
2005 (#2005-358)

There are 9 messages totalling 584 lines in this issue.

Topics of the day:

 1. Another Connectra on SecurePlatform Question Part III... Please help (2)
 2. Duplicate entry in local.ft error when pushing a policy
 3. Backup rules - Fix for enter issue on 'upgrade export'
 4. Block Networks by Country? (2)
 5. Cannot connect with SecuRemote (SR) (3)

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================

----------------------------------------------------------------------

Date:    Fri, 30 Dec 2005 04:30:53 -0800
From:    cisco4ng <[EMAIL PROTECTED]>
Subject: Re: Another Connectra on SecurePlatform Question Part III... Please help

Hi Reinhard,

 That's exactly what I am talking about.  If I use the primary IP
address for my portal service (192.168.15.104) and the secondary IP
address for my SNX-service (192.168.15.103) and they both use tcp port
443, does it mean that I need two public IP addresses to static NAT
these to make it work?  Is it possible with port redirect with just a
single IP and both portal and snx service using tcp port 443?

 About the second point, how do I get it to work in application mode?
Can you show me how?  Thanx.

 TIA

Reinhard Stich <[EMAIL PROTECTED]> wrote:
 hi,

at the moment you need to separate the SNX-service and the
portal-service.

default this is done using 2 ports on the same IP (443 and 444). what
you can do is to use 2 IPs and the same port on 2 different IPs.

cheers
reinhard

At 05:08 30.12.2005, you wrote:
thanks to Reinhard, I can connect to my connectra, via port redirect,
which sits on my dmz network behind a cisco IOS router running firewall
feature set. I can connect to the device via SNX mode fine and
everything is working great.

However, as a beginner with this device, I have the following
questions that I need help from gurus in this forum:

1) I would like to tunnel everything including snx via tcp port 443.
Currently, SNX is using the default port of tcp 444. I can accomplish
this using a secondary IP address on the primary NIC. My current IP
address of the connectra is 192.168.15.104 and I am thinking of using
192.168.15.103 for the secondary IP address of SNX. However, because
this is my home network and I only have 1 public IP and that IP is
being used by the Cisco IOS router/firewall, I can redirect port 443
from the router to connectra primary IP but I don't think I can
redirect another tcp 443 from the router to the secondary IP address
of the connectra. Is there a workaround for this with simply only 1
public IP? Does it mean that if I want to use tcp 443 for both portal
and snx, it is not possible with port redirect? This is what I have on
my cisco router configuration:

ip nat inside source static tcp 192.168.15.104 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.15.104 444 interface FastEthernet0/0 444

As you can see I can NOT nat port 443 on the router to a different
internal address.
How can I get everything to work via tcp port 443?

2) when using SNX network mode, the snx extender client is installed
on the local machine. Sometimes, it is not possible because the local
does not have privilege to do so. The solution is to use Application
mode (aka java download).
When I create a network application, I specifically specify "this
application CAN be used with SSL Network Extender Application Mode".
However, after successfully authenticated to connectra, I can NOT
access any resources via connectra. What other settings am I missing?
Please help.

TIA
cisco4ng




--
Reinhard Stich ASSIST [EMAIL PROTECTED] Internet Security AG,
1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333





------------------------------

Date:    Fri, 30 Dec 2005 08:23:17 -0500
From:    "Simpson, Brett" <[EMAIL PROTECTED]>
Subject: Duplicate entry in local.ft error when pushing a policy

Whenever I go to push a policy I get the following error message from my
enforcement modules fwd.elg log.

local.ft, line 8334: Duplicate entries in table

When I check the local.ft file I can see that line 8334 is listed under
spii_proto_tab. I'm guessing this is related to VPN since when I remove
line 8334 I can do a fw fetch from the enforcement point and the
installed policy no longer has a VPN tab.

Any ideas on how I can tell what specifically is the duplicate entry?

Thanks,
Brett Simpson


------------------------------

Date:    Fri, 30 Dec 2005 09:03:52 -0500
From:    Tahir Khan <[EMAIL PROTECTED]>
Subject: Backup rules - Fix for enter issue on 'upgrade export'

upgrade_export requires an enter key to be pressed. The following
command will work:

echo | upgrade_export <FILENAME>

Tahir


------------------------------

Date:    Fri, 30 Dec 2005 10:29:01 -0500
From:    Tahir Khan <[EMAIL PROTECTED]>
Subject: Block Networks by Country?

Is there a way to block all countries but the US on the firewall for
incoming traffic?

Thanks,


------------------------------

Date:    Fri, 30 Dec 2005 10:54:00 -0500
From:    Chris Moore <[EMAIL PROTECTED]>
Subject: Cannot connect with SecuRemote (SR)

Hello,

I'm having difficulty getting my users connected with SR.  I'm running
NG-AI R55, and the clients are R56, Build 615 or 619.

The problem began when I could no longer get into the SmartDashboard
GUI.
Searching for the solution, I discovered I needed to reset SIC, which I
did.  In doing so, I created a new Internal CA and invalidated all my
users.  I instructed everyone to update their sites which worked for the
majority, however others needed a complete reinstall or upgrade.

Nevertheless, I still have a select few users that cannot connect to the
server.  The errors are "Update failed" or if creating a new site, they
get timeouts.  Strangely in the logs, I don't see any activity of the
attempt to connect which leads me to believe something is blocking it
on their site or somewhere in the middle.  One particular user has both
cable and DSL connections and could not connect while on DSL.  Switching
to cable did the trick.  Now that the site has been created, he can
successfully reconnect over DSL.  Unfortunately most of my users have
only a single broadband connection.

I consider myself an advanced Check Point admin.  Can someone give me
any clues as to where to investigate now, either within the GUI, CLI, or
on the client end.  Of course, all the unsuccessful users left are
Directors and VPs!!

Thanks in advance,
Chris


------------------------------

Date:    Fri, 30 Dec 2005 19:45:56 +0200
From:    Charalambos Klitiropoulos <[EMAIL PROTECTED]>
Subject: Re: Cannot connect with SecuRemote (SR)

Hello,

if I had to choose one component of FW-1 that I trust the most, it would
be its logging facility. Having said that, if you do not see a log entry
in your logs it can mean only two things: a) the packet never reached
your firewall, or b) you do not log what you searching for. Obviously
the first case is the most difficult to troubleshoot, as you are almost
blind, since on most occasions you can only check your border gateway's
access lists.
Check your rulebase for relevant rules where tracking is disabled. Also,
if you use any of the implied rules, enable logging for them.
Personally, I always enable that option even on cases where I have
disabled all implied rules.

SecuRemote uses the TCP/264 port in order to communicate with your
firewall and create or update a site. An easy way of testing if your
firewall is reachable from your external network is to do a telnet on
that port.

There is a workaround though if you have a secure way of giving your
users the config file they need (from my experience Directors and VPs
can be a bit hasty and tend to demand fast results). Install
SecuRemote on a system and create the site topology. A file called
userc.C will be created in the database subfolder of SR's installation
folder. Distribute this file to your users and have them copy it to
the right folder. Then all they need to do is restart SR's services
(if their system account has such privileges) or reboot their computer.

On 30/12/05, Chris Moore <[EMAIL PROTECTED]> wrote:

Hello,

I'm having difficulty getting my users connected with SR.  I'm running
NG-AI R55, and the clients are R56, Build 615 or 619.

The problem began when I could no longer get into the SmartDashboard
GUI.
Searching for the solution, I discovered I needed to reset SIC, which
I did.  In doing so, I created a new Internal CA and invalidated all
my users.  I instructed everyone to update their sites which worked
for the majority, however others needed a complete reinstall or
upgrade.

Nevertheless, I still have a select few users that cannot connect to
the server.  The errors are "Update failed" or if creating a new site,
they get timeouts.  Strangely in the logs, I don't see any activity of
the attempt to connect which leads me to believe something is blocking
it on their site or somewhere in the middle.  One particular user has
both cable and DSL connections and could not connect while on DSL.
Switching to cable did the trick.  Now that the site has been created,
he can successfully reconnect over DSL.  Unfortunately most of my
users have only a single broadband connection.

I consider myself an advanced Check Point admin.  Can someone give me
any clues as to where to investigate now, either within the GUI, CLI,
or on the client end.  Of course, all the unsuccessful users left are
Directors and VPs!!

Thanks in advance,
Chris




------------------------------

Date:    Fri, 30 Dec 2005 21:39:53 +0100
From:    Lars Troen <[EMAIL PROTECTED]>
Subject: Re: Block Networks by Country?

I guess you could do that, but I'm not sure if that's a perfect solution
even if you're dealing only with US companies. I guess you can find the
relevant IP blocks here: http://www.blackholes.us/

Good luck!

Lars

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Tahir Khan
Sent: 30. desember 2005 16:29
To: [email protected]
Subject: [FW-1] Block Networks by Country?

Is there a way to block all countries but the US on the firewall for
incoming traffic?

Thanks,


------------------------------

Date:    Fri, 30 Dec 2005 21:58:50 -0500
From:    Ray <[EMAIL PROTECTED]>
Subject: Re: Another Connectra on SecurePlatform Question Part III... Please help

Do you see the SNX window pop up and start to load? it will say whether
it's running in network or application mode.

If you're on XP, I suspect you may not have the Java Runtime Engine
installed since it's not there by default anymore on XP unless you have
a real early version of XP. http://java.sun.com

Ray

From: cisco4ng <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] Another Connectra on SecurePlatform Question Part III... Please help
Date: Thu, 29 Dec 2005 20:08:36 -0800

  2) when using SNX network mode, the snx extender client is installed
  on the local machine.  Sometimes, it is not possible because the local
  does not have privilege to do so.  The solution is to use Application
  mode (aka java download).
  When I create a network application, I specifically specify "this
  application CAN be used with SSL Network Extender Application Mode".
  However, after successfully authenticated to connectra, I can NOT
  access any resources via connectra.   What other settings am I
  missing?  Please help.

  TIA
  cisco4ng


------------------------------

Date:    Fri, 30 Dec 2005 22:15:54 -0500
From:    Ray <[EMAIL PROTECTED]>
Subject: Re: Cannot connect with SecuRemote (SR)

Nevertheless, I still have a select few users that cannot connect to
the server.  The errors are "Update failed" or if creating a new site,
they get timeouts.  Strangely in the logs, I don't see any activity of
the attempt to connect which leads me to believe something is blocking
it on their site or somewhere in the middle.

If you're using Implied Rules to accept the remote access connections,
make sure you're logging the Implied Rules. I think it's off by default.

One particular user has both cable and DSL connections and could not
connect while on DSL.  Switching to cable did the trick.  Now that the
site has been created, he can successfully reconnect over DSL.
Unfortunately most of my users have only a single broadband connection.

This is almost always a MTU problem. ADSL using PPPoE adds eight bytes
to the packet, pushing it over the 1,500 byte limit and causing
fragmentation.
I don't know if SR does automatic MTU adjustment, but SC does.

I've also seen this exact problem caused by junk home routers. "Junk" as
spelled "DLink." They could hook their computer directly to the Internet
modem, create the site and then go back behind the router and all would
be well.

Is your firewall object specified with the internal interface or the
external interface IP address? It really needs to be the external IP
address.

You don't happen to have SC, do you? Visitor Mode, which tunnels all of
the IPSec protocols over TCP 443, is a real life-saver in situations
like this.
We've had many a hotel where they block all outbound traffic except 80 &
443 where Visitor Mode saved the day.

Another fix, if they are semi-technically inclined and have admin
access, is to email them a copy of the userc.C file from a computer that
works. They will need to stop both CheckPoint services, save the file in
the correct folder to overwrite the existing one and re-start the
services. If you do this while the services are running, it won't work.
I've used this procedure on a few computers that were behind junk
routers but we could not risk exposing them to the Internet.

Ray


------------------------------

End of FW-1-MAILINGLIST Digest - 29 Dec 2005 to 30 Dec 2005 (#2005-358)
***********************************************************************

