Yes, be very careful about using names that may infringe upon Check Point's copyrights!
:-)
All kidding aside, I ran into this as well in an earlier version of
firewall-1.
Check this out: I started with firewall-1 and then tried firewall, and that too
did not work. I then got pissed off and used a nasty word that started with
the letter 'F'.
That didn't work either! (Imagine my surprise!).
I changed the 'F' to something else, and *that* worked. I then began testing other
words that began with 'F' and none of them worked! I concluded, at that time,
that you could use a word for your firewall that began with 'F' or 'f'.
However, since then, I have been able to use "fwA", etc...
Fun, eh?
BTW, the use of the Gateway Cluster object for your purposes doesn't compute.
It is only useful in the context of supporting a failover of an established
VPN connection.
--- Jerald Josephs
----- Original Message -----
From: "Matthew Clements" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, July 04, 2000 1:23 AM
Subject: Re: [FW1] GW Cluster Funnies - different behaviour from members
> > > I have a strange problem with a Gateway Cluster made from two Nokia IP650s
> > > running IPSO 3.2.1 and FW-1 version 4.1 SP1 DES.
> >
> >Are you literally using a Gateway Cluster object in FireWall-1 4.1 SP1?
>
> Yes
>
> > > There are 2 VIPs
> > > configured for the internal network, one ordinarily residing on each box.
> >
> >Therefore, each platform is normally a master for a VIP while the peer is a
> >backup for that VIP?
> >
>
> Yes
>
> > > When proxying at the other VIP, FW-1 comes back with fw-1 at machine access
> > > denied without even prompting for authentication.
> > >
> > > Network traces indicate that the module that isn't working queries DNS to
> > > resolve the requested hostname, receives a valid reply then sends the denied
> > > message back to the browser.
> > >
> > > I don't understand how this can be happening given that the same security
> > > policy is supposedly installed on both of the modules.
> > >
> > > Other services work fine through the weirdly behaving machine. It's only
> > > when the http security server gets involved that the weirdness begins.
> > >
> > > Any Ideas?
> > >
> >I agree - sounds weird. What if you were to fail the funky machine so that
> >the other platform was to then take on both VIPs? Would the failing HTTP connections
> >then make it through this one platform?
> >
>
> This doesn't work.
>
> >If there is no anomaly in the workstation properties for this firewall,
> >then check Host Address Assignment in Network Voyager on this failing firewall and
> >make sure that the SYSTEM NAME is associated with the IP Address you have
> >specified in the workstation properties window on the General frame.
>
> I don't know why this resolved the problem, maybe I found an Easter Egg :)
>
> The machines' host names were firewall-1.mydomain and
> firewall-2.mydomain. firewall-2 was working and firewall-1 wasn't! - I
> changed them to more obscure names and everything started to work. So the
> moral of the story is not to call your firewall firewall-1!
>
> Thanks
>
> Matt