Thanks, Wabbit --
I am running FW-1 v4.1 SP2 -- which already has this
property "http_force_down_to_10 (true)" in objects.C
The problem still exists. Any other
thoughts/suggestions?
Thanks -- Chris
--- Waskley Wabbit <[EMAIL PROTECTED]> wrote:
>
> It is the problem with the security server. It has
> nothing to do with Websense. All Websense does is look
> at the packet for the URL definition and verify it
> against its database to be sure it is not restricted.
>
> HTTP 1.1 is not supported through the security server,
> and that is why you are seeing problems. See notes:
>
> 1.1. An RFE has been submitted for http 1.1 and is going to be incorporated
> into the next full release of FireWall code named Redmond.
>
>
> **********************************************************************************
> Difficulty with HTTP 1.1 through the HTTP Security Server
>
> Fix: Upgrade to FireWall 4.0 SP5. It has many HTTP 1.1 fixes and
> enhancements.
> **********************************************************************************
>
> **********************************************************************************
> HTTP connections sometimes fail
>
> Cause: HTTP 1.1 works differently than HTTP 1.0 in that it is able to
> send data in chunked pieces. If a client experiences problems with
> specific packets, a server can resend to the client just the data that
> caused problems. In contrast, HTTP 1.0 will resend the entire page
> to the client.
>
> The FireWall-1 security server had problems dealing with this chunked
> data and sometimes specific web sites would be unreachable.
>
> Fix: Add the property "http_force_down_to_10 (true)" to the objects.C
> file under the props section.
>
> After implementing the new property the security server will downgrade
> the client's "GET... HTTP/1.1" command to a "GET... HTTP/1.0". The
> downgrade will take effect only if the following are true:
> 1. Prior to the change, the client's GET is an HTTP 1.1 command
> 2. The security server sends the data to a CVP server or it is configured
> to strip any Tags
> **********************************************************************************
>
> **********************************************************************************
> When using HTTP 1.1 with CVP, 'chunked' data could cause the connections
> to fail
>
> Fix: Convert HTTP 1.1 protocol packets to HTTP 1.0 as follows:
>
> 1. Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service)
>
> 2. Edit the file $FWDIR/conf/objects.C .
> After the line
> :props (
> Add the line
> : http_force_down_to_10 (true)
> 3. Start the FireWall by running 'fwstart' (or on NT start the FireWall-1
> service).
> **********************************************************************************
>
>
>
> **********************************************************************************
> Browser error message: "Your request has been redirected to here".
> Symptom: Some images do not load completely.
> Symptom: It doesn't occur when using Internet Explorer 4.0
>
> Cause: FW-1 does not support HTTP 1.1 which enables the client to send
> several HTTP requests to a number of different servers.
>
> Fix: Workaround: Disable the sending of multiple HTTP 1.1 requests as
> follows:
> Set the security server to close the connection after each request as
> follows:
> 1. Stop the FireWall by running 'fwstop' (On WinNT stop the FireWall
> service).
> 2. Edit the file '$FWDIR/conf/objects.C'. After the line
> : props (
> Add the line:
> :http_avoid_keep_alive (true)
> 3. Start the FireWall by running 'fwstart' (On WinNT start the FireWall
> service).
> If the workaround does not work, make sure to
> - Close the gui and stop the fw
> - Edit the 'objects.C' on the module in the recommended way.
> - Perform a 'fw load' to the policy and then check that the change was
> implemented to the 'objects.C' file in the /database directory as well.
> - Start the FW
> **********************************************************************************
>
> **********************************************************************************
> Unable to access site and an 'object moved' reply is received from the
> server, while using Internet Explorer as the browser
> Symptom: Browser error: 'object moved' reply from the server
> Symptom: Unable to access the site
>
> Fix: The HTTP security server now supports the HTTP 1.1 'CONTINUE' command.
>
> To enable this support:
> 1. Stop the FireWall using 'fwstop' (or on NT stop the FireWall-1 service)
>
> 2. Edit the file $FWDIR/conf/objects.C
> After the line
> :props (
> Add the line
> : http_sup_continue (true)
> 3. Start the FireWall by running 'fwstart' (or on NT start the FireWall-1
> service)
> **********************************************************************************
>
> **********************************************************************************
> If IE browser is being used, disable http 1.1 through the Advanced Internet
> Options and reboot the client machine.
> **********************************************************************************
>
>
> There is a recent service pack 7 for firewall 4.0 and
> service pack 2 for 4.1, that supposedly supports http
> 1.1. I have not been able to confirm that, though.
> Anyone else?
>
> David
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
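
Added example (not part of the original messages and not Check Point tooling): a check for the step in the quoted notes that says to confirm the change reached the objects.C copy in the database directory as well. It reads the three HTTP properties from the ':props (' block only and tolerates the ': name' spacing seen above; the sample file contents are constructed, and the nesting of objects.C beyond the ':props (' line is an assumption.

```python
import re

# Properties named in the quoted notes above.
HTTP_PROPS = ("http_force_down_to_10", "http_avoid_keep_alive", "http_sup_continue")

# Constructed sample of a conf/objects.C; the ':servers' block is hypothetical.
SAMPLE_CONF = """(
    :props (
        : http_force_down_to_10 (true)
        :http_avoid_keep_alive (true)
        :other_prop (
            :nested (1)
        )
    )
    :servers (
        :http_sup_continue (true)
    )
)
"""
# Constructed sample of the database copy, missing one property.
SAMPLE_DB = "(\n    :props (\n        :http_force_down_to_10 (true)\n    )\n)\n"

def props_block(text):
    """Return the body of the first ':props (' block, honouring nested parentheses."""
    m = re.search(r":\s*props\s*\(", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None  # unbalanced parentheses: treat the file as unparsable

def http_props(text):
    """Map each HTTP property to its value inside :props, or None if absent there."""
    body = props_block(text) or ""
    found = {}
    for name in HTTP_PROPS:
        m = re.search(r":\s*" + name + r"\s*\(\s*([^()\s]*)\s*\)", body)
        found[name] = m.group(1) if m else None
    return found

def mismatches(conf_text, db_text):
    """Properties whose values differ between the conf and database copies."""
    a, b = http_props(conf_text), http_props(db_text)
    return {k: (a[k], b[k]) for k in HTTP_PROPS if a[k] != b[k]}

if __name__ == "__main__":
    print(http_props(SAMPLE_CONF))
    print(mismatches(SAMPLE_CONF, SAMPLE_DB))
```

In the constructed sample, http_sup_continue sits outside ':props (' and is reported as absent, which is the misplacement this check is meant to catch.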