I have also seen this happen when using automatic NAT rules - the firewall is NATting fine, then suddenly, with no explanation, private addresses start leaking to the public network. Nothing in the firewall logs, nothing in fwd.elg, the NAT xlate state tables aren't full, fw ctl pstat looks fine, etc etc.
The fix has been to create manual NAT rules in the address translation rulebase rather than automatic NAT rules on the objects themselves.
BTW, hey Check Point, what's up with this? I've never found a satisfactory explanation anywhere for this, and the problem persists right up through 4.1SP4 (I have seen it as early as 4.0SP1).
Dan Hitchcock
CCNP, CCSE, MCSE
Security Analyst
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
206-770-0700 work
The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this email message in error, please email the sender at [EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 04, 2001 2:56 AM
To: Siow Yun Patricia
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
Do you have any "halloc failed blah blah" in your fwd.elg?
Maybe you ran out of kernel memory; you can try to increase fwhmem
in /etc/system as shown:
set fw:fwhmem=0x900000
This number is calculated for my config; I think there is a phoneboy
article covering this issue.
Raúl.
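Raúl's suggestion above amounts to two checks: look for halloc failures in fwd.elg, and see whether /etc/system already raises fw:fwhmem. The POSIX shell script below is an added example, not code from any of the posters or from Check Point; the fwd.elg and /etc/system contents it reads are constructed samples written to a temporary directory, and the 0x900000 value it recommends is simply the one from Raúl's message, which he notes was calculated for his own configuration.

```shell
#!/bin/sh
# Added example: check an fwd.elg log for kernel-memory allocation
# failures and report whether /etc/system already raises fw:fwhmem.
# File paths are arguments so the script can run against constructed
# samples instead of a live firewall.

# count_halloc_failures LOGFILE
#   prints the number of log lines mentioning "halloc failed"
count_halloc_failures() {
    n=$(grep -c -i 'halloc failed' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# current_fwhmem SYSTEMFILE
#   prints the hex value of the last "set fw:fwhmem=0x..." line, or "unset"
current_fwhmem() {
    v=$(sed -n 's/^[[:space:]]*set[[:space:]]*fw:fwhmem[[:space:]]*=[[:space:]]*\(0x[0-9a-fA-F]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'unset\n'
    fi
}

# check_fw_memory LOGFILE SYSTEMFILE
#   prints a verdict; exit status 1 when halloc failures are logged and
#   fw:fwhmem has not been raised, 0 otherwise
check_fw_memory() {
    n=$(count_halloc_failures "$1")
    cur=$(current_fwhmem "$2")
    if [ "$n" -gt 0 ] && [ "$cur" = "unset" ]; then
        echo "halloc failures: $n; fw:fwhmem not set in $2 - add 'set fw:fwhmem=0x900000' (Raul's value, recalculate for your box) and reboot"
        return 1
    fi
    echo "halloc failures: $n; fw:fwhmem=$cur"
    return 0
}

# Constructed sample inputs (not real FW-1 output): two halloc failures in
# the log, and a /etc/system that does not touch fw:fwhmem yet.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ELG="$SAMPLE_DIR/fwd.elg"
SAMPLE_SYSTEM="$SAMPLE_DIR/system"
cat > "$SAMPLE_ELG" <<'EOF'
[3 Sep  5:58:10] fwd: policy installed
[3 Sep  5:59:01] fwd: halloc failed (constructed sample line)
[3 Sep  5:59:02] fwd: connection table update
[3 Sep  5:59:05] fwd: halloc failed (constructed sample line)
EOF
cat > "$SAMPLE_SYSTEM" <<'EOF'
* constructed sample /etc/system
set shmsys:shminfo_shmmax=0x2000000
EOF

# Stand-alone usage: report on the constructed samples (non-zero exit is
# the "needs tuning" verdict, so do not let it abort the script).
check_fw_memory "$SAMPLE_ELG" "$SAMPLE_SYSTEM" || :
```

Run it against a real box as `check_fw_memory /var/opt/CPfw1-41/log/fwd.elg /etc/system` (adjust the log path to your install); a non-zero exit means the log shows halloc failures with no fwhmem override in place.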
Siow Yun Patricia <[EMAIL PROTECTED]>@lists.us.checkpoint.com, dated 03/09/2001 05:59:24
Sent by: [EMAIL PROTECTED]
From: Siow Yun Patricia <[EMAIL PROTECTED]>@lists.us.checkpoint.com
To:
Cc:
Bcc:
Date: 03/09/2001 05:59
Subject: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
Hi all !
Have any administrators encountered this problem before ?
Setup :
Check Point 4.1 SP4 on a pair of Sun Ultra 10s running Solaris 7. Implements StoneBeat FullCluster for HA and load balancing. Implements VPN with the use of SecuRemote.
Problem :
NAT fails without reason on an ad hoc basis.
Noticed that after pushing out the same policy with minor changes to the firewall many times (during testing), NAT fails to work even though it has previously worked before. What's odd is that after creating a new rulebase and creating a set of rules and NAT exactly the same as before, and pushing it out to the nodes again, NAT works.
Are there any state files or config files to remove and check without the need to re-create a new policy every time ?
Thanks in advance.
Rgds,
Patricia
================================================================================
To unsubscribe from this mailing list, please see the
instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
