[FW-1] Bandwidth throttle

2007-11-14 Thread Clive Luk
Dear List, I am wondering if checkpoint can handle bandwidth throttling. I am currently running R60. Thanks in advance! Cheers! Scanned by Check Point VPN-1 UTM NGX R65 with Messaging Security = To set vacation, Out-Of-Office, or away messages,

Re: [FW-1] Rule most used

2007-11-14 Thread Deniz Cevik
Hi, If you need instant view of which rule is most used, you can also use firewall connection table. In order to see which rules are the most used by looking at the connection table, you can use the simple shell script I have written. It is very useful for policy optimization when performance prob

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread Pedro Boavida
Are you sure that port 18190 is still the only one to be used in such communication? Could you run a tcpdump on the MDG client side? Regards, PB From: Mailing list for discussion of Firewall-1 on behalf of Hugo van der Kooij Sent: Tue 13-11-2007 22:40 To: FW-1-

[FW-1] checkpoint secure xl and nokia vrrp monitored circuits

2007-11-14 Thread No Name Available
Hi, Could someone advise whether I should use Checkpoint SecureXL with Nokia VRRP monitored circuits to achieve active/standby HA with NGX R61, or whether I should disable SecureXL? Kind regards, Tauseef This electronic message contains information from bet365 Group Limited which may be privileged or c

Re: [FW-1] Need FW-1 Troubleshooting document

2007-11-14 Thread Andrew W Barkley
Hi John, 'Ere's some useful troubleshooting tips etc ... Useful Firewall-1 commands http://fixmyfirewall.com/checkpointnotes.html Check Point® Troubleshooting and Debugging Tools for Faster Resolution http://www.checkpoint.com/services/enterprise/docs/Troubleshooting_and_Debugging.pdf Common/

Re: [FW-1] Bandwidth throttle

2007-11-14 Thread sin
Clive Luk wrote: Dear List, I am wondering if checkpoint can handle bandwidth throttling. I am currently running R60. Yes, it's called Flood Gate in checkpoint and as of NGX is free of charge.

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
I am absolutely positive that the P-1 uses a single 18190 port, as seen below from my tcpdump on the Provider-1 box where host 10.1.1.140 is the WinXP with MDG client: [EMAIL PROTECTED] tcpdump -i eth1 -nn -n host 10.1.1.140 tcpdump: listening on eth1 09:41:09.320478 10.1.1.140.1691 > 10.250.97.9.

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
Hugo, The option you referred to is available since version R55. Under the CMA NAT, there is a box that you check to tell that this is your management traffic. What you said is entirely accurate but ONLY IF the firewall in front of the CMA is a checkpoint firewall. The NAT device I have in fr

Re: [FW-1] checkpoint secure xl and nokia vrrp monitored circuits

2007-11-14 Thread cisco4ng
During my extensive testing with NGx R61 w/ hfa_01 on Nokia IPSO 4.1 build 19, I found that SecureXL is not recommended when you have static NAT or VPN. During my test, I noticed that enabling SecureXL broke VPN and SecureRemote/client and that it did not help when I have static NAT on the firew

Re: [FW-1] checkpoint secure xl and nokia vrrp monitored circuits

2007-11-14 Thread Andrew W Barkley
Hi Tauseef, Builds 16 & 19 are buggy, recommended to upgrade to latest, the following docs are a good SecureXL reference. http://europe.nokia.com/A4153241 What types of traffic or services are not accelerated by SecureXL.pdf SecureXL_and_Nokia_IPSO_Whitepaper.pdf Cheers Andrew CSC Compute

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread David DeSimone
cisco4ng <[EMAIL PROTECTED]> wrote: > > as you can see the in the tcpdump, host MDG 10.1.1.140 is the one > actually sent the Reset. > > Anymore ideas? Thanks. In my experience, MDG sends TCP reset when the GUI client is unrecognized. I know you sa

Re: [FW-1] checkpoint secure xl and nokia vrrp monitored circuits

2007-11-14 Thread David DeSimone
cisco4ng <[EMAIL PROTECTED]> wrote: > > During my extensive testing with NGx R61 w/ hfa_01 on Nokia IPSO 4.1 > build 19, I found that SecureXL is not recommended when you have > static NAT or VPN. During my test, I noticed that enabling SecureXL > bro

Re: [FW-1] checkpoint secure xl and nokia vrrp monitored circuits

2007-11-14 Thread cisco4ng
What makes you think IPSO 4.1 build 33 and build 35 are not buggy? They may fix one thing but they may also break something along the way. Without extensive stress testing, you cannot make a blanket statement. I notice that a lot of consultants in professional services make those recommendations

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread Hugo van der Kooij
cisco4ng wrote: > Hugo, > > The option you referred to is available since version R55. Under the CMA > NAT, there is a box that you check to tell that this is your management > traffics. What you said is entirely accurate but ONLY IF the firewall >

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread Hugo van der Kooij
cisco4ng wrote: > [EMAIL PROTECTED] tcpdump -i eth1 -nn -n host 10.1.1.140 > tcpdump: listening on eth1 > 09:41:09.320478 10.1.1.140.1691 > 10.250.97.9.18190: S > 1398211834:1398211834(0) win 65535 (DF) > 09:41:09.320577 10.250.97.9.18190 > 10.1.1.1

Re: [FW-1] checkpoint secure xl and nokia vrrp monitored circuits

2007-11-14 Thread cisco4ng
I tested this about 7 months ago at my previous job on IP390, IP560, IP710 and IP1220. In all cases, SecureXL caused a lot of issues, especially with VPN and due to NAT in our environment. David DeSimone <[EMAIL PROTECTED]> wrote: cisco4ng wrote: >

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
This is what I am seeing in the $MDSDIR/conf/mdsdb/cp-gui-clients.C [EMAIL PROTECTED] more cp-gui-clients.C ( :version (6.08) : (AnyHost :AdminInfo ( :chkpf_uid ("{5CF25FE6-80B1-11DC-AE7A-0AFA61092323}") :ClassName (pv

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
This tcpdump is taken from a P-1 NG AI R55 and it is working. In other words, the MDG client, host 10.1.1.140, never sends any reset. Therefore, the only logical conclusion I can come up with is that Checkpoint broke this in NGx. See below: [EMAIL PROTECTED] tcpdump -i eth0 -nn -n host 10.1.1.1

Re: [FW-1] Bandwidth throttle

2007-11-14 Thread sin
sin wrote: Scanned by Check Point VPN-1 UTM NGX R65 with Messaging Security Am I the only one seeing this message on the list? Or is Check Point advertising their products now on the list? sin.

Re: [FW-1] Bandwidth throttle

2007-11-14 Thread Gary Scott
I'm seeing it too. Guess they have this going through the AV module now. -GS -Original Message- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of sin Sent: Wednesday, November 14, 2007 3:09 PM To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Subject: Re:

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread Hugo van der Kooij
cisco4ng wrote: > This tcpdump is taken from an P-1 NG AI R55 and it is working. > In other words, the MDG client, host 10.1.1.140, never send > any reset. Therefore, the only logical conclusion I can come up > with is that Checkpoint broke this in N

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
I've posted several emails after that. As far as the check box is concerned, it only applies to CMA, not Provider-1. There is no check box for Provider-1. I swapped out the router and replaced it with a Juniper firewall and I still have the same issue, even with static NAT. THERE WAS NO SUCH ISSU

Re: [FW-1] Bandwidth throttle

2007-11-14 Thread Hugo van der Kooij
Gary Scott wrote: > I'm seeing it too. Guess they have this going through the AV module now. I guess the expression is: Practice what you preach. Well. There is also the IronPort in the Zonelabs part of their network and we probably all got some sort

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
1. Already did. I only see the MDG client host 10.1.1.140 sending reset. 2. NAT setting? NAT on cisco is easy. You don't have to be a rocket scientist to figure it out. As I've said before, it did NOT work with static NAT either. 3. Already did. Did NOT solve anything. 4. Already did.

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread Pedro Boavida
Hi, Please allow me a silly question: did you upgrade the MDG client software to NGx R65? Best regards, PB From: Mailing list for discussion of Firewall-1 on behalf of cisco4ng Sent: Wed 14-11-2007 14:53 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Ass

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
Hi, your question is indeed a "silly" one. On a serious note, I did NOT upgrade the MDG client software to NGx R65. The MDG client software NGx R65 is installed on a clean Windows XP machine. I am by no means a Provider-1 expert but I have been working with Provider-1 since version 4.1 so I

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread David DeSimone
cisco4ng <[EMAIL PROTECTED]> wrote: > > This is what I am seeing in the $MDSDIR/conf/mdsdb/cp-gui-clients.C > As you can see in my Provider-1 configuration, it accepts ANY hosts. I had suggested that you look at the log. You can find it at $MDSDIR/

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread cisco4ng
This file you suggested contained no important information: [EMAIL PROTECTED] root]# more $MDSDIR/log/fwui.log Tue Nov 6 07:09:57 2007 cpmidu_update_tool [EMAIL PROTECTED]: Database Lock acquired Tue Nov 6 07:10:04 2007 line-editor [EMAIL PROTECTED]: Logging in Tue Nov 6 07:10:20 2007 lin

Re: [FW-1] Bandwidth throttle

2007-11-14 Thread Clive Luk
Thanks Sin! Is that really free? How can I get myself a copy? Can I set it up in my NGXR60 cluster environment? Cheers! -Original Message- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of sin Sent: Thursday, 15 November 2007 1:38 AM To: FW-1-MAILINGL

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread David DeSimone
cisco4ng <[EMAIL PROTECTED]> wrote: > > this file you suggested contained no important information: Maybe not, but it was still a good idea to look there. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for

Re: [FW-1] Provider-1 and NAT

2007-11-14 Thread Hugo van der Kooij
cisco4ng wrote: > 1. Already did. I only see the MDG client host 10.1.1.140 sending reset. > > 2. NAT setting? NAT on cisco is easy. You don't have to be a rocket > scientist to figure it out. As I've said before, it did NOT work with static > N

Re: [FW-1] Bandwidth throttle

2007-11-14 Thread sin
Clive Luk wrote: Thanks Sin! Is that really free? How can I get myself a copy? Can I set it up in my NGXR60 cluster environment? You already have it, just check the QoS properties on the modules/cluster and then add your rules in the QoS tab.