Rajeev,
In FW-1 4.0, a reload of the security policy doesn't clear connections. In a
lab environment I reloaded the security policy during an FTP download and
there weren't any interruptions... But I do not know about ver 4.1.
regards
baskar
-----Original Message-----
From: Rajeev Kumar [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 14, 2000 10:59 AM
To: Firewall-1 Maillist
Subject: [FW1] FW-1 SP2 (reloading policy and connection table)
Hello All,
As many of you have migrated to FW-1 SP2, correct me if I am wrong here.
-> Whenever you run fwstop;fwstart, FW-1 flushes its connection table and
as a default behavior it won't allow established connections anymore (since
they are sending NON-SYN packets after the FW-1 restart). And you will see
lots of "Unknown established TCP packets".
RESULT: You will lose all valid connections (telnet, ftp, rlogin, any
client/server application based on TCP/IP) after the FW-1 restart process.
-> The same thing happens even if you try to reload the security policy from
the management GUI. It also flushes the connection table and loses all
established connections.
So what that means is, I cannot modify/reload the security policy during the
daytime, as I know lots of users will scream at me. If you have a multi-site
setup spread all over the globe, then users are busy round-the-clock and
again I cannot reload the policy without hurting users.
IS THERE ANY EASY SOLUTION TO THIS in FW-1 SP2?
(I want to keep this feature of rejecting "Unknown TCP Packets" (if they are
really unknown) but also do not want to lose my valid established
connections.)
Yes! I want to have my own cake and eat it too!!
Thanks!!
Rajeev
--
********************************************************************
Rajeev Kumar ([EMAIL PROTECTED])
http://www.rajeevnet.com
********************************************************************
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================