Yes, you are right. "I do not" understand the way Content Inspection works.
Here is the scenario: the Gateways have our Internal DNS defined, not any external DNS (such as our ISP). I will follow your suggestion about the TCPDUMP.

If I understand you correctly, Content Inspection re-executes the HTTP session all over again, even after it has been through our ISA proxy server! Now ... that is starting to make a lot of sense to me.

Thanks again for clarifying this for me...

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Hugo van der Kooij
Sent: Monday, February 18, 2008 5:09 PM
To: [email protected]
Subject: Re: [FW-1] Content Inspection...Web Filtering on R65 no HFA

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Previtera, Sal wrote:
| Thanks Hugo,
|
| But DNS is not the issue....because as soon as we turn Content
| Inspection OFF....everything works fine....and we are still using the same
| DNS servers.
| So we can put that idea on the side for now.

I think you do not understand the way content inspection works. With content inspection the HTTP session effectively ends on the firewall and the firewall is the client for each and every remote webserver. Think of it as a hidden proxy.

Your suggestion that switching off content inspection did not show the issues is to me a clear indication you MUST check DNS very, very carefully. It is the number 1 suspect.

It would be unwise to open a ticket until you verified the correct working of your DNS servers for this usage. A simple tcpdump on DNS traffic (UDP + TCP) will tell you a lot.

I have seen this time and again with Check Point for many years. It is also why I became an advocate against the usage of CVP in the days of version 3.0b and 4.0

Hugo.

- --
[EMAIL PROTECTED] http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHuhAHBvzDRVjxmYERAsZcAKC1Q4n9qCwOqfNRCUQP8c48M4lLYQCfdJku
KdxPmh2DH+B81+psCLhtRk8=
=hNf1
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
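
The tcpdump check on the gateway's DNS traffic suggested in the thread can be followed up with a short script. This is an added example, not part of the original messages: it pairs queries with replies in the text output of `tcpdump -n port 53` and lists lookups that got an error reply or no reply at all. The sample capture, addresses, names and the function name `dns_problems` are constructed for illustration.

```python
import re

# Constructed sample of `tcpdump -n port 53` output as it might look on the
# gateway (10.1.1.1) talking to an internal DNS server (10.1.1.53).
SAMPLE = """\
17:01:02.100001 IP 10.1.1.1.40001 > 10.1.1.53.53: 4660+ A? www.example.com. (33)
17:01:02.104310 IP 10.1.1.53.53 > 10.1.1.1.40001: 4660 1/0/0 A 192.0.2.10 (49)
17:01:03.200002 IP 10.1.1.1.40002 > 10.1.1.53.53: 4661+ A? cdn.example.net. (33)
17:01:03.209870 IP 10.1.1.53.53 > 10.1.1.1.40002: 4661 ServFail 0/0/0 (33)
17:01:04.300003 IP 10.1.1.1.40003 > 10.1.1.53.53: 4662+ A? ads.example.org. (33)
17:01:09.300004 IP 10.1.1.1.40003 > 10.1.1.53.53: 4662+ A? ads.example.org. (33)
"""

# src > dst: <query id><flags> <rest of the DNS summary>
LINE = re.compile(r"IP (\S+) > (\S+): (\d+)\S* (.*)$")
# A query summary looks like "A? name." (optionally preceded by "[1au] " etc.)
QUERY = re.compile(r"(?:\[[^\]]*\] )?([A-Z0-9]+)\? (\S+)")
# Error rcodes as tcpdump prints them right after the query id.
RCODES = ("ServFail", "NXDomain", "Refused", "FormErr", "NotImp")


def dns_problems(capture):
    """Return (unanswered names, [(name, rcode), ...]) for a text capture."""
    pending, failed = {}, []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, qid, rest = m.groups()
        q = QUERY.match(rest)
        if q and dst.endswith(".53"):
            # Key on client socket + query id so retransmits collapse to one entry.
            pending[(src, qid)] = q.group(2)
        elif src.endswith(".53"):
            name = pending.pop((dst, qid), "?")
            rcode = next((r for r in RCODES if rest.startswith(r)), None)
            if rcode:
                failed.append((name, rcode))
    return sorted(pending.values()), failed


if __name__ == "__main__":
    unanswered, failed = dns_problems(SAMPLE)
    print("no reply:", unanswered)
    print("error replies:", failed)
```

Names that show up as unanswered or failed only while Content Inspection is on are lookups the gateway itself is making as the HTTP client.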
