Hi,
I am new to SecuRemote!
I have installed a PC with a legal IP address and this is connected directly
to the internet.
SecuRemote works a treat, when I go to a web server inside our network I
get prompted to authenticate.
I authenticate and I get to the web server.
All works well!!!
HO
Check the logs out for drops / rejects.
Quite often, SYN Defender has too low a timeout on a heavily used network.
If the packets aren't in the log, check that all rules that drop/reject are
set to log, then look again.
Tim
- Original Message -
From: Ben C <[EMAIL PROTECTED]>
To: <[EM
Is there any way I can instruct the system that if a request comes
from interface1 then the reply should go back from the same interface, and if
a request comes from Interface 2 then the reply should go back from Interface
2,
instead of picking up the default route and primary interface gateway
The type of host is included in the license string. Whether this is parsed
or not, I don't know, but it must be there for a reason so I conclude that
you probably can't just swap it over.
Tim
- Original Message -
From: Nils Kolstein <[EMAIL PROTECTED]>
To: 'Claes Jansson' <[EMAIL PROTE
What are you trying to NAT ?
Your proxy.arp and routes look wrong.
Let's use an example:
External address of FW - 10.0.0.1
Public address of host - 10.0.0.2
Real (inside) address of host - 192.168.10.23
On the FW, setup local.arp as follows:
10.0.0.2 - MAC address of 10.0.0.1
And a route:
ro
I have a question regarding PAT. I have a single
box running TWO SSL services. One is on PORT 443, standard SSL, and the
other is on PORT 6443. Unfortunately I cannot bind these to both port 443
on different IP addresses due to restrictions on the server. This is a
problem since many comp
Thanks Tim, I was able to make it work yesterday. But now I have another
thing which I want to do, NAT in the reverse direction.
From my client(10.0.0.2) I can access the server(192.168.10.23) through
server's NAT'd IP(10.0.0.23) on port 2900 fine.
At the same time, I want the server(192.168.1
Hi,
Check the following, by default in the Policy/Properties screen some rules
are enabled (they are called: Implied Rules) one of them allows the connections
from the Firewall to ... anywhere. The other thing is that you can tell Cp to
log those rules ... you see what I mean ... either yo
Hi everybody,
I need to migrate a FW-1 (version 3.0b) installed on a HP-UX system to the
last version of the FW-1 installed on a Linux server. I need to know what
considerations do I need to have in mind in order to do this migration, It
is possible to migrate the objects, users and rules from
Braindumping of this nature is against the terms and conditions set by
Checkpoint for their exams, breaches of which will result in your
qualifications being revoked !
Be careful - you're devaluing your own certifications by telling other
people the exam content.
:)
Tim
- Original Mess
FW-1 only supports ONE external interface, regardless of license used.
However, you should be able to NAT as many public addresses as you want.
Tim
- Original Message -
From: Chris Arnold <[EMAIL PROTECTED]>
To: 'Velasquez Venegas Jaime Omar' <[EMAIL PROTECTED]>; FW1-MailingList
(E-mai
Hi all,
I have an "old" fw4.1SP4 installation running on Solaris2.6. I have not
installed that one, but I know that the firewall- service does not start at
boot time. I have doublechecked /etc/rcS.d/S25fw1boot which is there and
executable. FW_BOOT_DIR points to /etc/fw.boot which is there either
Full mesh is when you have direct links (i.e. directly connected) into all
your nodes.
The most common implementation of a full mesh is the network's core layer.
It provides n(n-1) paths between each node, where n is the number of nodes. It means
your core layer can absorb several link failures w
Raymond,
CheckPoint first checks the services file, /etc/services in your case
I think or \winnt\system32\drivers\etc\services for others, before it
checks its own service list. Looking at my U*x box, that service is
running on port 520/UDP ... could it be a system that is running routed
What do your anti-spoofing rules say ?
Setup the external interface to Others, the sync link to This Net, and the
internal interface to Others+, adding a group with all the public IP
addresses you're using for NAT.
Do this for both firewalls, as this info is not replicated.
If you're using 'Speci
Hi all
I need help to get the http FW authentication running on a FW module. I am
not sure what could affect the problems I am experiencing. On a
SingleFWMangement station, the http authentication works fine. I am using
for both solutions the same HW and SW platforms.
Any routing issues can be
I have noticed that when I'm at home, not connected to our network at work,
I have the ability to use our internal DNS server to resolve addresses on my
home machine. I have no access set up to our DNS servers from the outside,
and when I watch the logs, I see nothing come in to the internal D
I'm getting ready to upgrade our firewall from version 4.0 to 4.1, and I
was just wondering if there's anything I should be aware of before I do so.
Will the update install automatically, or will I have to relicense all the
cert keys? Any other hints, gotchas, etc, would be helpful.
Thanks i
Would anyone here have a link or a SMTP load generator to do stress testing?
IF so let me know.
Thanks!
Michael
To unsubscribe from this mailing list, please see the instructions at
http://ww
I am doing an upgrade from FW4.0 to FW4.1 (Solaris 2.6)..What files do I
need to save/backup in order to preserve my rulebase, policies, users, etc.?
So that I do not have to re-enter all my custom data?
Thanks in advance,
Larry Milliken
USLEC
I have an FW-1 appliance 4.1 and I want to send alerts via email.
I had tried several commands but it didn't work.
My command is
%fwdir%\bin\sendmail -s Alert -t (smtp IP) -f [[EMAIL PROTECTED]] mailto:[EMAIL PROTECTED]
Is the command correct or not?
Because in my company, we have 1 mail server, so I
Does anyone know why this service would be used?
265/tcp X-Bone CTL
Does SecuRemote run off of 50/tcp?
Why not take a look at the SonicWall Tele2? That will allow 5 IP's behind
it. And it can connect to a FW-1 using Manual IPSec and IKE (assuming you
weren't crazy and applied SP3 to FW-1)...
Joe
(I have 2 of these now and another going in another office, they work GREAT
and they are cheap (515
Hi All,
I am running on NT 4.0 SP6a. I have installed 2 firewall modules on separate servers with separate licenses. I also have installed a management server in my private n/w.
Till here all is fine. I need to now install stonebeat & form a cluster with these 2 CP servers. How do I proceed?
Hi. I'm customizing SR (build 4167) for both employees and clients and
would like to provide two different packages depending on the group. I've
been using Phoneboy docs as well as a CP doc for version 4.0 which appears
to work still.
My first question is about branding the SR release. It is
Greg,
Sorry I missed the followup message.
I still don't think you should run Provider despite others'
suggestions because of the high cost. If you can afford it,
great, but not many can.
To see how to replicate your objects over to multiple servers, do
a search at http://www.phoneboy.com for "
SecuRemote working behind devices performing NAT is no problem. The problem
occurs when the two networks are identical. Someone needs to change their
network addresses and my guess is the home user's network has fewer machines.
Look in CP's public support site for setting up Hybrid IKE for SR
test
Add this
:fwd_conn_tout (90)
to $FWDIR/lib/setup.C
HTH
Yim
--- Chris Arnold <[EMAIL PROTECTED]> wrote:
> I get this fairly often but the policy is in fact
> properly installed. On
> the FW platform, try "$FWDIR/bin/fw stat" to compare
> time/date of the
> current installed policy wit
The beta version for Mac just came out. Check the
Checkpoint site.
Yim
--- [EMAIL PROTECTED] wrote:
>
> Hi,
>
> Do secure remote clients exist for non-windows
> platforms like Linux,
> Solaris, Macintosh. I'm mainly interested in Linux
> but I can wish for
> the others.
>
>
> Bill
>
>
>
Hi there,
for Linux there is FreeS/WAN. You can get it from www.sourceforge.net.
--Joerg
-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 23.04.01 21:22
Subject: [FW1] Secure Remote for Linux/Solaris, Macintosh
Hi,
Do secure remote clients exist for n
Hi everyone,
My client is currently running 4.0, and will be replacing with a new box and new
version 4.1.
Questions:
What are the files (conf/database?) that I need to transfer to the new box? And
How can I do that? If someone could provide me a few steps on how to do it, I would
really apprec
As you need VPN, consider Intrusion.com PDS with Check Point Small Office.
Best wishes
Aylton
- Original Message -
From: "Conrad Chircop" <[EMAIL PROTECTED]>
To: "David E. Hoobler Jr." <[EMAIL PROTECTED]>; "FW-1 Mailing List (E-Mail)"
<[EMAIL PROTECTED]>
Sent: Wednesday, April 25, 2001 9
On an NT-box, I've tried to close down as much as possible of services etc.
I have not uninstalled NetBIOS, just disabled every thinkable service.
However, a port scan still shows port 135 and 139 as open. (Though I can't
connect to them from other windows machines.)
Anyone know what I missed?
I have a Nokia IP440 with three 4 port cards in it. The first two have all 8
ports in use, no problems. The third card has one port in use. I was
attempting to do a TCPDUMP on the port in use on the third card and got a
message saying the device was not configured. Voyager displays the interface
I have successfully configured a VPN1/FW1 4.1 SP2 on WinNT 4.0 SP6a and
SecuRemote using FWZ.
Now I want to change this setup to use certificates and IKE. I have got Netscape
(iPlanet) CMS 4.2
with SP2. Could someone help me with Netscape CMS with FW1 or provide me info
links/docs on the above.
Could someone please explain the fully meshed topology and what it is used
for? I appreciate it.
Paul
well - policy-based routing is possible - but I don't know if it works
with checkpoint or any platform supported by checkpoint.
cheers
-reinhard
On Wed, 18 Apr 2001, gunjan wrote:
>
>
>
> Is there any way through I can instruct the system that if request comes from
>interface1 then reply
If you are talking about setting up a IPSEC vpn to Checkpoint there are many
products that will work. For example there is FreeS/WAN which is open
source IPSEC software that will run on linux and other OSes. What you have
to consider is if you have enough knowledge/experience to securely set up
Hi Rob,
Solaris 8 isn't supported with CP 4.1 ... even with SP3.
Looking at the Beta of CP NG it will be
Searching the archives of this mailing list will show you
the problems people encountered when using Solaris 8.
Met vriendelijke groeten - Bien à vous
- Kind regards
Guy R
With MetaIP and UAM integration with FW-1, you do not need to configure
users individually but FW-1 can poll the UAM database real time to see what
users are on what IP address and in what user group. Then FW-1 rule can make
a decision based on that response. UAM can work with NT domain logon or
You will need a published arp statement for the valid ip you will translate.
That arp statement should bind the valid ip to the valid mac address of the
firewall's external interface. You will then need a route statement for
the valid to the private address.
If your addres
(I previously posted this, but it appeared to have bounced for some reason, apologies
if you get this twice)
I have searched all the FAQs and docs (checkpoint pdfs etc) and from what I can tell
it looks like I am screwed.
What I want to do is use my CiscoSecure TACACS server to handle authen
Does anyone know if udp/2746 is used by a CheckPoint
FW1 service?
Thnx,
hkm
On the contrary, if you use FWZ, you get a certificate authority structure
automatically. When you set up FWZ encryption on a firewall object, the FWZ
Properties tabs require you to create a set of keys:
- 1 management key for the management station
- 1 Diffie-Hellman key for the individual fire
Greetings!
"Roelandts, Guy" wrote:
> Can any one pls tell me what these ports are used for and purpose of this
> ports.
>
> Port No 23434 and 1086.
>
> Gupta.
UDP / 23434 sounds suspiciously like Unix (Van Jacobson) traceroute.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangel
If I understand Dave's question correctly, the answer
is no. You do not need to do putkeys to your current
4 fw gateways that are working. You only need to do
putkeys for the two new boxes.
HTH
Yim
--- "Felicetti, Stephen A." <[EMAIL PROTECTED]>
wrote:
>
> Yes, it should append the keys to t
Just wanted to know if there are any security risks involved in opening up
Real Player ports through the firewall. I've heard there are. What is the
safest way to open this kind of traffic even if it is only to restricted
users ?
If users still need to listen to some Real Audio, don't they have h
You may want to take a look at the Nokia unsupported tools package for
IPSO. It includes a perl script called addstatic.
https://support.nokia.com/knowledge/frmResolutionView.jsp?ResolutionId=1783
If you do any manual changes to ipsrd.conf make sure you kill -HUP the
routing daemon. Somethin
Hello list,
I've recently set up a VPN from a pc behind an ADSL router which is
doing PAT.
Finally solved problems of NATing with udp-encapsulation.
The PC is a W2K Pro with SR v4.1 3DES Build 4174, let's say its IP
is 172.16.1.2
The Firewall
Josef!
It seems like no one understood your question. Let me take a stab at it.
I personally do not know of an encrypted file system for Solaris. I know
of one for linux, but that doesn't help you. I can imagine with solaris
you are going to be very limited in your choice and that likely only