Very well said indeed.

It is OK if someone is using SmartCenter; however, I am using Provider-1 and
I have over 500 CMAs, so you can see how big of a task this can be. It consumes
unnecessary resources on my end. Why can't Checkpoint just make my existing
*.def files backward compatible with the new HFAs? If I want to change to the
new *.def files, that will be up to me to make that decision. Like you said,
it is basic programming techniques, not rocket science.

Don't these guys know how to program? Maybe Checkpoint should do what Nokia
did, outsourcing their R&D programs to India.

my 2c.

no-need to-list <[EMAIL PROTECTED]> wrote:
  There is no need to be in a rock or hard place....

Why "they" cannot program their software to accept "CUSTOMER defined files",
these files that will not be overwritten by HFA, upgrade, etc.

If syntax or definitions change over the hot fixes, upgrade, etc, these
files will not be accepted or incorporated into upgrade....giving the user the
appropriate error codes and the chance to correct the problem.

Another option is to have all these definition files incorporated in the GUI
smartcenter..so the user has the option to enable or disable something without
having to go around and mess around with files....


These are very basic programming techniques, not rocket science.

With the price I pay for this software and support....I want the "best" and
"easiest" software to manage....too much to ask?




Thorsten Behrens wrote:
Rock and a hard place, gents. There are historic considerations here.

With HFAs, certain files change that may impact the way the policy behaves, and 
thus these files are not overwritten by default since NG (FP3 first HFAs, I 
think, but memory fails).

Rock: Overwrite the files no-matter-what. This was the 4.1 stance, and may have 
continued into the early NG builds. Means your .def changes are gone, though, 
e.g. base.def and dcerpc.def, to name two popular ones. Means your FTP and MS 
traffic may fail. Ouch.

Hard place: Do not overwrite the files automatically. Create _HFA files with 
the changes. Leave it to the user to initiate the copying process (P1) or to do 
it manually (SmartCenter). Plus: You don't break existing traffic. Minus: You 
don't get certain fixes, such as all the INSPECT fixes in .def, until the files 
have been copied over to their non-_HFA counterparts.

user.def is just that, a place for user-made changes. That would never be 
overwritten by an HFA, quite obviously. The HFAs change files to deliver fixes, 
not for the sheer hell of it.


A "find / -name '*_HFA*'" will find you all the files that have been changed 
with the latest HFA. You expect to see a number of .def in lib, also .conf and 
.h in the same place for R55. .def.hash in hash to correspond with the .def. In 
R55 also .macro in %CPDIR/conf, and .en_us in %FWDIR/conf/cpsc.

Be careful with management stations that have been upgraded to R60 from R55. 
They may have a cp_HFA.macro in %CPDIR/conf, leftover from R55. Copying that in 
would break your R60 licenses. Use common sense - the R55 cp_HFA.macro is about 
half the file size of the R60 cp.macro.
As of HFA03, R60 only changes .def and .def.hash files.


Hope that clears things up a bit. Best practice is:
- Document any and all manual changes to CheckPoint files, such as .def files, 
.h files, .C files.
- When applying a new HFA to a management station or standalone firewall, copy 
in the changed files, and redo your documented changes after. Keep in mind that 
.def files are interdependent - if you copy in one changed file, you may have 
to copy in others. The easy way to handle that is to say "all changed _HFA 
files get copied over".
- On modules, .def changes obviously don't concern you. cp.macro changes won't 
either unless you change your licensing model. Use common sense - if you see a 
changed file that may be beneficial to a module, copy it over; otherwise don't. 
Typically and "99.9% of the time", there's no need to touch _HFA files on a 
module.
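
A read-only review of the `_HFA` files located by the `find` in the message above, as an added example that is not part of the original post and not Check Point tooling. It assumes the live file name is the `_HFA` name with `_HFA` removed (as with cp_HFA.macro and cp.macro); the function names, the 60% size threshold and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list each *_HFA* file next to its live counterpart and
# classify it before anything is copied. Nothing is modified.
# Assumption: live name = _HFA name with "_HFA" removed (cp_HFA.macro -> cp.macro).

# hfa_report DIR: print "STATUS hfa_file -> live_file" for every _HFA file.
hfa_report() {
    find "$1" -type f -name '*_HFA*' | sort | while IFS= read -r hfa; do
        dir=$(dirname "$hfa")
        base=$(basename "$hfa")
        live="$dir/$(printf '%s\n' "$base" | sed 's/_HFA//')"
        if [ ! -f "$live" ]; then
            status=NO_COUNTERPART
        elif cmp -s "$hfa" "$live"; then
            status=ALREADY_APPLIED      # contents identical, nothing to copy
        else
            hfa_size=$(wc -c < "$hfa")
            live_size=$(wc -c < "$live")
            # A much smaller _HFA file may be a leftover from an older
            # release (the cp_HFA.macro case); 60% is an assumed threshold.
            if [ $((hfa_size * 100)) -lt $((live_size * 60)) ]; then
                status=SIZE_SUSPECT
            else
                status=PENDING          # differs: candidate to copy in
            fi
        fi
        printf '%s %s -> %s\n' "$status" "$hfa" "$live"
    done
}

# hfa_demo: run the report over a constructed sample tree (not real files).
hfa_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/lib" "$t/conf"
    printf 'original base\nlocal edit\n' > "$t/lib/base.def"
    printf 'original base\nvendor fix\n' > "$t/lib/base_HFA.def"
    printf 'same\n' > "$t/lib/dcerpc.def"
    printf 'same\n' > "$t/lib/dcerpc_HFA.def"
    printf '%02000d' 0 > "$t/conf/cp.macro"       # 2000-byte stand-in
    printf '%01000d' 0 > "$t/conf/cp_HFA.macro"   # 1000-byte stand-in
    hfa_report "$t"
    rm -rf "$t"
}
hfa_demo
```

PENDING entries are the ones to diff against the documented manual changes before copying; SIZE_SUSPECT entries call for a manual look first.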


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] Behalf Of Gary
Scott
Sent: Friday, August 25, 2006 9:53 AM
To: [email protected]
Subject: Re: [FW-1] Checkpoint has done it again. What a suprise


I can confirm, but I can't tell you which .def files are changed, I
think this may vary depending on whether or not the hfa contains changes
to that particular .def file. Yes CP does leave you hanging here, here
is a clip from a KB solution, note the word "may".

Any .def file modification may not survive HFA updates, Hotfix
installations, or version upgrades.


-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
cisco4ng
Sent: Friday, August 25, 2006 8:51 AM
To: [email protected]
Subject: [FW-1] Checkpoint has done it again. What a suprise

According to Checkpoint, when upgrading from let's say HFA_17 to HFA_18 in
NG AI R55: "ALL changes made to the INSPECT files (aka, *.def files)
will be overwritten"

Well, that is NOT entirely true. I ran a few tests on my Provider-1
systems and I made a few changes in the user.def file and also some
changes in the base.def file. After upgrading from HFA_17 to HFA_18,
changes in the base.def file were overwritten by the new HFA; however
changes made to the user.def file remain the same. I've tested this
several times with the same result.

Wondering if anyone in this group can confirm? If this is true, it is
telling me that Checkpoint just sucks. How can they pull some stupid
stunt like that?

cisco4ng



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
