I caught the tail end of this thread. Could someone please email the
complete discussion?

We were going to implement NG within the month...

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Zeltser, Roman
Sent: Thursday, January 03, 2002 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NG - UNACCEPTABLE!!! Re: WAS Is NG ready for general use ?

My coworkers said: do not run NG on Wintel!

**********************************
Roman Zeltser,
@National Computer Center,
RSIS & DNE



-----Original Message-----
From: Mark Whitworth [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 03, 2002 2:51 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] NG - UNACCEPTABLE!!! Re: WAS Is NG ready for general use ?
Importance: High


I know someone asked if NG was ready for general use, and others have
been asking how soon they could get it.  I would like to mention some
problems we've seen and see if anyone else has seen the logging issue
specifically, and I would wholeheartedly say that if you upgrade -
BEWARE!!

We have been running FW-1 for years on multiple firewalls, all Wintel
boxes.  Most recently, we were on 4.1 with the latest service packs on
top of NT 4.0 SP6a.  We upgraded in a rolling fashion onto clean Win2K
installs and tried to import our objects/policies as instructed.
Following the instructions on how to do this and in various FAQs yielded
only hours of frustration.  We had to rebuild from scratch.

Although we got our site-site VPNs up, we have seen a multitude of other
errors.  DNS/AD errors via the site-to-site VPN that did not previously
exist, and which do not occur when tunneled alternatively via
Netscreens.  Securemote failures due to missing SKU line items on
paid-for (not eval) licenses from the Checkpoint site!!!!  Intermittent
object errors on policy verification on objects that have not been
modified in any way.  Errors on trying to delete objects, with advice to
contact technical support.  To top it off, BSODs on multiple installs of
FP1.

Actually, there is even one more issue we've seen which rivals the
BSODs.  We have "front door" and "back door" firewalls which protect
different numbers of hosts.  The front door firewalls have always had
unlimited licenses, while the back door firewall had a 250 count license
because we have roughly that many hosts.  In our 4.1 and even mixed
4.1-NG environments, we saw no logging issues.  However, as soon as we
took the back door firewall to NG, now when it detects "too many
internal hosts" (typically due to transient laptops), it logs an error
to our central management station and ALL firewalls stop logging!!!!!
Actually, at some point we still see logged events, but it ultimately
fails and no items after that error are displayed in the GUI any more.
To reinitiate, you have to clear the appropriate files, CPSTOP/CPSTART,
and reinstall putkeys.  Talk about the most screwed up thing ever.
TOTALLY UNACCEPTABLE, and if any of you are on this borderline, I
recommend you not upgrade.  We will likely upgrade our license, but this
is not the manner in which this should have been handled.  I requested
an eval license and even though Checkpoint technical support told me
this was not the issue, we had no logging problems until the day after
it expired.  Same issue.

These items have all been reported to and ignored by Checkpoint.
Largely the reason we are evaluating other products.

Mark Whitworth

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
