15 seconds for a compile and install is quick. I
was wondering if it was in the many-minutes
range.
Looking back at your original message, you ask
if FW1 is not adding these connections to the
table correctly. If you see the entries in the log,
they made it to the state table most likely.
I don't think this to be the case,
but you may want to check your system's
maximum connection table entries.
What is changing in the rulebase? Does
this change see the Haht packets, before
your Haht rule? Remember, after an install
the rulebase will be used for the first packet in
the already established connection, since the
connection table is empty.
I would break out the sniffer and cut to the
chase. Actually see what's happening when
you install a policy. Let us know on this - even
if you're successful.
Have you spoken with Haht on this?
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Matt Cramer <[EMAIL PROTECTED]> 8/15/00 5:02:40 PM >>>
>On Fri, 11 Aug 2000, Robert MacDonald wrote:
>
>> Now, with that said, you're right, the firewall should add
>> this connection back to the state table. But I'm wondering
>> who is terminating the connection. What does the fw log
>> say happens to this connection (e.g. what happens to the
>> very next packet the firewall sees from this application) after
>> the rulebase is installed?
>
>I show an accept. IIRC wasn't there a similar problem with Citrix or MS
>Term Serv users - that a policy install would break their connection? I
>guess I am just looking for clues as to what makes Haht's protocol
>different from say secure shell, which doesn't drop a connection with a
>new policy install.
>
>> How long does it take to compile & install the
>> rulebase? Timeout issue?
>
>Actually that could be a possibility, because it does take a few seconds
>(< 15) for a new policy to get compiled and installed.
>
>Thanks for the reply!
>
>Matt