If you use a resource other than * (for example *.nz in our case), FW-1 will
do a forward and reverse lookup on each URL. If the results do not match,
the connection is dropped.
Hotmail's servers fall victim to this "functionality".
You're right that it affects all http connections and not just the ones that
the rule applies to.
There is no way to prevent it from doing these lookups.
Regards,
Kerry.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Becker, Jim
> Sent: Thursday, 3 August 2000 5:27 a.m.
> To: '[EMAIL PROTECTED]'
> Subject: [FW1] HTTP Security Server Problems
>
> I recently introduced a URI resource, marking the first time the HTTP
> Security Server needed to do anything on my firewall. I had two problems as
> a result. I found little help at first (and Check Point's tech support was
> rather useless), but I finally believe I know what's going on. I offer these
> FYI and in case someone can offer further solutions or work-arounds.
>
> First, I found that internal users could no longer reach external Hotmail
> accounts using Outlook Express. This is an http connection, not a pop3
> connection. Apparently, the HTTP Security Server was inspecting all http
> connections, not just the ones that would have matched the rule I
> introduced. Hotmail must be doing some non-standard http, because in the
> firewall log I see a Rule 0 reject (http) because of a "Malformed request."
> That is, the security server is deciding to chuck the connection even though
> my rules would have allowed an http connection to that site.
>
> When we disabled the new rule, Hotmail was fine again. When we re-enabled
> the rule, Hotmail broke again. I have no good work-around. The security
> server was introduced for a real purpose, but we have a few people who have
> a defensible need for access to Hotmail. So far, I can't have it both ways.
>
> Check Point's tech support took a while even to understand the question, and
> then they said the Hotmail URL must be matching something in the rule (it
> doesn't) or in a UFP server (which I'm not using).
>
> I've seen the next issue posted in a few places, but it took a while to find
> a good explanation. Intermittently, internal users visiting external web
> pages get a response page along these lines: "FW-1 at <firewall>: Unable to
> connect to WWW server." I finally found a good explanation here:
> http://www.websense.com/support/platform/display.cfm?id=10
>
> The work-around is simply to hit shift-refresh in the browser until the real
> page shows up -- or to disable any rules that need the http security server.
>
> Check Point's tech support had assured me this problem had nothing to do
> with the firewall.
>
> --
> Jim Becker
> The Urban Institute (http://www.urban.org/)
> DECUS ESILUG (http://eisner.decus.org/lugs/esilug/)
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
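The forward-and-reverse lookup Kerry describes, written out as an added example. This is not Check Point's code and does not claim to reproduce the HTTP Security Server's exact logic; it shows the check as stated in the thread (resolve the URL's host, reverse-resolve each address, drop the connection if the names do not match) and, going one step beyond the thread, a looser forward-confirmed variant in which the PTR name only has to resolve back to the same address. The DNS records are constructed under the reserved .test domain so the block runs offline; the resolver can be swapped for the real system resolver via the live_* functions. All names (check_url, stub_forward, the example-webmail.test zone) are assumptions for illustration.

```python
"""Forward/reverse DNS consistency check of the kind the thread attributes
to FW-1's HTTP Security Server, with a pluggable resolver so it runs offline."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ForwardFn = Callable[[str], List[str]]
ReverseFn = Callable[[str], Optional[str]]

# Constructed sample records (not real DNS data). The hypothetical webmail
# front end answers under a public name, but its addresses' PTR records carry
# the load balancers' own names: the shape of mismatch the thread describes.
FORWARD: Dict[str, List[str]] = {
    "www.example-webmail.test": ["192.0.2.10", "192.0.2.11"],
    "lb1.edge.example-webmail.test": ["192.0.2.10"],
    "lb2.edge.example-webmail.test": ["192.0.2.11"],
    "www.example.test": ["198.51.100.5"],
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "lb1.edge.example-webmail.test",
    "192.0.2.11": "lb2.edge.example-webmail.test",
    "198.51.100.5": "www.example.test",
}


def _norm(name: str) -> str:
    """Case-fold and strip a trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def stub_forward(host: str) -> List[str]:
    return list(FORWARD.get(_norm(host), []))


def stub_reverse(ip: str) -> Optional[str]:
    return REVERSE.get(ip)


def live_forward(host: str) -> List[str]:
    """Real A-record lookup through the system resolver (network required)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (network required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_url(url: str, strict: bool = True,
              forward: ForwardFn = stub_forward,
              reverse: ReverseFn = stub_reverse) -> Tuple[bool, str]:
    """Return (allowed, reason) for the host named in url.

    strict=True : the PTR name must equal the URL's host name, the literal
                  reading of "forward and reverse lookup must match".
    strict=False: forward-confirmed reverse DNS; the PTR name only has to
                  resolve back to the same address, which tolerates hosts
                  fronted by load balancers that own the PTR records.
    """
    host = urlsplit(url).hostname
    if not host:
        return False, "URL has no host"
    host = _norm(host)
    try:
        ipaddress.ip_address(host)
        ips = [host]  # IP literal: nothing to resolve forward, PTR still checked
    except ValueError:
        ips = forward(host)
        if not ips:
            return False, f"{host}: forward lookup failed"
    for ip in ips:
        ptr = reverse(ip)
        if ptr is None:
            return False, f"{host} -> {ip}: no PTR record"
        ptr = _norm(ptr)
        if strict:
            if ptr != host:
                return False, f"{host} -> {ip} -> {ptr}: PTR name differs"
        elif ip not in forward(ptr):
            return False, f"{host} -> {ip} -> {ptr}: PTR name does not resolve back to {ip}"
    return True, f"{host}: {len(ips)} address(es) confirmed"


if __name__ == "__main__":
    for u in ("http://www.example.test/",
              "http://www.example-webmail.test/cgi-bin/start",
              "http://203.0.113.9/"):
        for strict in (True, False):
            print(f"{'strict' if strict else 'fcrdns':6} {check_url(u, strict)}")
```

In strict mode the constructed webmail host is rejected even though every address is legitimately its own, which is the behaviour the thread reports; the forward-confirmed mode accepts it because each PTR name resolves back to the address that returned it. The IP-literal case shows that a URL with no host name still triggers the PTR lookup and is dropped when none exists.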