I will be out of the office starting 01/28/2002 and will not return until
02/01/2002.
Please forward your requests to Danny Shaw or Josiah Dunlap. Otherwise, I
will respond to your e-mail when I return.
Thanks,
Ben Petty
Internet Operations
This message contains information from Equifax Inc
Is it possible for one to get around a SecureClient
security policy by having 2 NIC's in the machine? For
example, if one has 2 NIC's in their machine at home
can they bind SecureClient to only one of them,
thereby preventing the security policy from being
enforced on the second?
Thank you.
___
Title: Message
Hello:
I have defined a URI resource for the http scheme and the get method with the
following wildcard specification
{*/*.{mp3,mpg,avi,mov},*.{mp3,mpg,avi,mov}}
It blocks all those file types correctly; however, it keeps blocking some .jsp
pages with long URLs.
For
examp
You can use websense with a premium package but it is extremely slow, the
best solution we have found is described at
http://sam.zoy.org/doc/freedom/doubleclick.html?menu=no
It involves your internal DNS Server and a small web server (could be
Apache)
-Original Message-
From: Ed Davidso
Title: RE: [FW-1] NT event log errors after upgrade to v4.1 SP5
This is actually not my system. It is one of our offices in Poland
so I don't have all the details. As far as I know they upgraded within the
last few weeks.
-Original Message-
From: Ellison, Steve
[mailto:[EMAIL PROTE
Well,
in rev. 4.x they recommended an entry in /etc/services like this
securid 5500/udp
as of 5.0.x in their list of add-ons to /etc/services there are numerous
entries like
securidprop_00 5505/tcp
securidprop_01 5506/tcp
...
and so on. The entry concerning securid 5500/udp is not recomm
More accurately, you need to have Checkpoint Software Subscription purchased
with the license in order to access the Service Packs from the checkpoint
site.
Blaine Martin
VANS Engineer
DigicelTM
25 Balmoral Avenue
Kingston 10. Jamaica.
Tel :876-511-5244
Mobile :876-381-5244
Pager: 876-510-1665
Didn't think to check that... But the ICS box in the
dial-up connection's properties isn't checked.
I appreciate the suggestion though.
--- "Atkinson, Ron" <[EMAIL PROTECTED]>
wrote:
> Did the person turn on "Internet Connection
> Sharing"? SecureClient treats
> home networks using ICS as IP for
Title: RE: [FW-1] NT event log errors after upgrade to v4.1 SP5
When did you upgrade?
-Original Message-
From: Graff, Tracy [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 2:38 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] NT event log errors after upgrade to v4
>>AceServer 5.0 seems to have changed
authentication services from 5500/udp to 550n/tcp.
Do you have any proof of it?
**
Roman Zeltser,
@National Computer Center,
RSIS & DNE
-Original Message-
From: Joerg Fritsch [mailto:[EMAIL PROTECTED]]
Sent: Monday, Janua
Has anyone successfully established a VPN between
Netscreen Firewall box and Checkpoint VPN-1?
At the remote site with Netscreen that's a network
with fake address under 10.x.x.x A class.
The main office is the core of 10/8 network with VPN-1.
I tried with PFS (creating an new PHASE 2 Pr
I have a distributed installation (as far as setup is concerned) but
both FW module and Mgmt module are on the same machine.
-Original Message-
From: Trievel, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Striping exe fi
If your management console and firewall are on different devices, the
objects.C file that you should edit is on the management console. If you
edit the one on the Firewall it will cause problems. After you edit the
objects.C file, push your current policy. This will also push the objects.C
fil
Is there a way to create a URI resource to strip out the code
that creates the pop-under ads? I don't want to strip
out all javascript, nor do I want to prohibit the valid
pop up windows that Yahoo Mail and the like create.
I just want to stop the pop-under ads.
Any way to do this w/FW1? I have
I will be out of the office starting 01/28/2002 and will not return until
01/30/2002.
Delivering Training in Needham, MA. While I'm out -- please forward all
correspondence to Anthony Laricchia, [EMAIL PROTECTED]
=
To set vacation, Out Of Office,
We have seen the following event log errors since the upgrade to CheckPoint v4.1 SP5
on NT:
Application Log
Event ID: 1
Source: Firewall-1
Type: Error
Category: None
Description: FireWall-1: T_evenet_NT_mainloop: wait failed. The handle is
invalid.
Application Log
Event ID: 1
Source: Firewall-1
Did the person turn on "Internet Connection Sharing"? SecureClient treats
home networks using ICS as IP forwarding, which means that all those users
that are sharing their cable/DSL modems with their family members can no
longer do so.
This is one of the quirks that really bugged me about SecureC
That's exactly what I did and I also was locked out of my GUI and as I said
before then I managed to strip every attachment that tried to come through
the firewall.
Wade Sellers
|+-->
|| Aeon Hale <[EMAIL PROTECTED]> |
|
Hello.
One of our SecureClient users is currently having a
problem that has me baffled. All of a sudden,
SecureClient complains that "The IP Forwarding option
of the TCP/IP protocol is set! Desktop security
features will not be active until IP Forwarding is
disabled."
I don't know what suddenl
Hi Jeff,
It sounds like:
1) Their firewalls are using the wrong source IP address. This is usually
an OS-specific issue. It can obviously be very bad if it's private address
space (e.g. RFC 1918).
2) They might have the internal addresses of their firewalls as the primary
IP in their firewall o
Hello,
I have kind of a ridiculous problem. AceServer 5.0 seems to have changed
authentication services from 5500/udp to 550n/tcp. I can generate all types
of "customized" sdconf.rec files and transfer them to my filters.
Regrettably the FirewallModule always tries to reach the AceServer via udp
...
:: We bought a permanent license for Firewall v4.0. I want to reinstall the
:: product on a brand new machine but I no longer have the latest service pack,
:: where can I get the service pack if I don't have a support contract with
:: Checkpoint ?
4.0 is full of security holes. Get a support con
Sounds like the machine you're connecting to on his site doesn't know how
to route back to your source IP.
Of course, just a guess... a good tcpdump/snoop will show for sure
Scott J. Friedman, MCSE CCSE CCNA
Security Engineer
Ideal Technology Solutions, Inc
Email : [EMAIL PROTECTED]
Phone : (248
Hello Olivier,
I would guess that the FireWall-1 policy itself is not allowing that
computer to access the firewall. Under the Policy menu, Properties,
General check if "Allow Firewall-1 control connections" is checked. If
not, you need to add the FW-1 services to your access rule for that fire
I would also like to know exact steps. I tried setting this up and
after I changed the objects.C file (I went by a solution that I found
from Securepoint), I was locked out of the gui, so if somebody could
please step by step this procedure, I would greatly appreciate it.
These are the steps tha
Title: RE: [FW-1] Checkpoint VPN trouble
Short story: They need to change the gateway cluster object's IP address to the external (globally routable) address of the gateway, and need 4.1 SP4 or later for *stable* redundancy for the VPN (SP3 supported it, but CP's site and release notes say to
Hi all,
We've got a 4.1 sp5 management console running on NT 4.0. We want to upgrade
that server to Windows 2000. If I do perform the upgrade process for
Windows, will the management console still work, or do I need to uninstall,
upgrade, then reinstall?
Thanks,
--Ryan Vickmark
===
This sounds an awful lot like a table entry getting stuck. The string
c61de76c looks like an IP address, 198.29.231.108, and the data: c61de740
is 198.29.231.64.
Regards
Jim
At 12:17 AM 1/28/2002, you wrote:
>Hello,
>I see each day lot of entries like this one:
>Jan 22 15:44:16 InterWall [LOG_C
I know this was discussed before and I tried to set it up but I ended up
stripping every attachment that came through the firewall instead of selected
attachments.
I would really like to disallow exe files from being sent through the
firewall. Can someone explain in detail how to do this?
Thanks,
I am having similar issues when using CVP here is what Checkpoint has to
say on the issue.
Solution Title:
Unable to get mail from a specific Web server - Hotmail, when using
OutlookExpress
Solution ID:
skI4524
Creation Date:
09/10/2001
Last Modified Date:
10/22/2001
Environment: FireWall
Hi everyone,
We are trying to install VPN encryption between our site and another
distant site. Both are using IKE 3DES with the same version of Firewall
4.1 SP2.
After adding all the rules we are facing a weird problem.
The distant site can connect to my site and I can see the encryption/
D
Title: RE: [FW-1] IPX through FW-1
Even
Netware 4.11 and 4.2 have the ability to encapsulate IPX in IP as an added
service called NetwareIP. If this is Netware 3.x or Windows NT based your best
bet is probably GRE or setting up a Netware 4.11 or better server acting as an
IP
> If I try to connect to the management with the GUI client the
> fwm process is ending.
The problem is that I changed the FQDN of the management.
Can I customize something or must I use the old name?
thx
Jochen
That's not completely true !
If you make automatic arp config - then it's ok.
But if you will manually create static NAT Rules (often used for reverse Port
forwarding) there is no possibility to bind the IP on the external MAC address !!
Arno
-Original Message-
From: James Oryszczy
Title: RE: [FW-1] Destination port number
Check out Webtrends firewall suite with OPSEC LEA (www.webtrends.com/products/firewall/fws.htm). Might fit the need...
As a side note, unless mandated by a corporate policy on which you have no input, it is generally advisable to limit outgoing traffi
I'm installing securemote on windows 2000 client. I've got a 4.1 sp3
checkpoint and securemote client 4176 for windows 2000.
I want to do some client authentication. All the auth process from a
laptop connected via a modem to an ISP works fine but I can not do a
connection into my network.
The
Title: RE: [FW-1] IPX through FW-1
If you don't have any later-version netware (5.x or later) servers handy, you can use GRE tunneling on Cisco routers to tunnel the IPX through IP. This is relatively simple to configure, and can be made transparent to IPX servers on either side (i.e. the tun
Hello there,
You'll need to add two properties to the $FWDIR/conf/objects.C file. Proceed as
follows:
1. Close all GUI clients
2. Stop the FireWall-1 (fwstop)
3. Edit the $FWDIR/conf/objects.C file on the management. (Use a simple text
editor such as Notepad. Do not use a word). Under the ':props'
Yes !
Some issues are fixed but the local.arp problem is still there !
Arno
-Original Message-
From: Kim Longenbaugh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 08 January 2002 15:54
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] AW: FW1-NG
We installed NG soon after it came out.
Try "fwgold" Shareware.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]]On Behalf Of Jeremy
Morrill
Sent: Thursday, January 24, 2002 6:39 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] MRTG
Does anyone have any good sample MRTG configuration f
hi,
If I try to connect to the management with the GUI client the fwm process is
ending.
GUI Client 4.1 SP5 NT and Management 4.1 SP5 RedHat7.0.
Does anyone know this behaviour?
Can I log something for troubleshooting?
thx
Jochen
I am trying to establish a VPN with another company. Checkpoint/Solaris on our side,
dual Checkpoint/AIX(?) in a cluster on their side. Rules are setup as I have for
other working VPN's, and an attempt to connect through the VPN causes key exchange
packets to be sent from our side (I see with
Reinhard, it worked. As soon as the rule matched, in.asmtpd started.
It was a problem in the VRRP config; smtp traffic never got to the fw
daemon.
Thanks!
Lupinum,
Netherlands
==
At 17:08 25.01.2002 +0100, Lupinum Lupus wrote:
>Hi girls/guys,
>
>Our Firewall (C
Why would you want to? Switches are very cheap. Get two and completely separate
your dmz and external network with your firewall.
Hal
-Original Message-
From: McDougle, Clovis-PxL [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 2:32 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Sw
In the way that I can see, you are missing one static route...Don't forget
your GUI client needs a default gateway in order to reach your firewall.
Good luck,
Jorge Espinel B.
IMPSAT Ecuador
-Original Message-
From: Olivier GUILLEMIN [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 23
Hi
I got a problem connecting to the site via secure remote, the error "fw1 is
not an authentication authority .."
I opened the users db, tried to install (user db), got the error failed
installing DB.
Does it mean that the user DB is damaged?
How can I restore it or rebuild the user DB?
==
Hi there,
In the past I've had to allow IPX across an NT firewall.
Not a good plan, but if you HAVE to... ;-)
What I did was install the RRAS service and use that to route the IPX
*around*
firewall-1. As FW1 lives on the bottom of the IP stack, it never sees
the IPX traffic.
The main, glaring, p
Hello,
some information about sniffing at switches. You are right that this in
general does not work, but with tools like "hunt" you can also sniff at a switch
without a monitor port. This works with arpcache poisoning. And you can also
hack VLANs with this trick.
So if you use a switch, the most
VLANS are the minimum you should consider for separating your DMZ from your
outside interface.
However, I wouldn't go this way as your security architecture is then
dependent on the quality/performance of your switch manufacturer's
implementation of VLAN segregation. Your expensive firewall could
Hi,
they are right. Any computer connected to a HUB can with a packetsniffer
see _every packet_ that is transmitted on the network. If you use a
switch this cannot be done for all network traffic, broadcasts however
will be transmitted to every computer on the same layer2
network.
And you can use
Hi
We have same DMZs and we want to build it with a switch and VLANs.
Is this a great security problem?
thanks for your assistance
manfred
Hi Jeremy,
I am the new Real Time Monitoring team manager. You are right, currently the
Traffic Monitoring UI does not allow you to view the top services or IPs
that dominate your bandwidth. However this feature is available in the
command line. For example, to monitor the top services you can type
Hello
We bought a permanent license for Firewall v4.0. I want to reinstall the
product on a brand new machine but I no longer have the latest service pack,
where can I get the service pack if I don't have a support contract with
Checkpoint ?
Thanks
Doug
=
Title: Switch vs Hubs and VLANS
I have a pair of Nokia IP440 setup with VRRP running FW1 V4.1
I have been told that using a switch instead of a hub is more secure, can someone please confirm if this is so.
Also If I use a switch, can I use VLANS, so I can setup half the switch for my DMz a
Further to my last mail, it would appear that the PIX
6.x code does not yet support the UDP/TCP
encapsulation feature with the Cisco VPN client 3.x
To use the Cisco client with this feature, you would
still need the Cisco VPN 3000 concentrator.
Other options are still therefore to run Cisco clie
If you have Netware 5 or 6 servers
on hand you can use them to encapsulate the ipx traffic for
you
Rocky Stefano
Echelon Systems Inc.
[EMAIL PROTECTED]
www.echelonsystems.com
B 905-303-2811
F 905-303-2855
Systems that work...
--
Hello all,
I'm facing the following problem.
We have to connect two campus networks in the next month from which one is
running also IPX for some database servers.
On our side we can make the connection only through our FW-1. In front of
the FW-1, at the outside world, we have a cisco 3640. Inside
Hello,
I see each day lot of entries like this one:
Jan 22 15:44:16 InterWall [LOG_CRIT] kernel: ex_expire: c61de76c (data:
c61de740) ld_del failed to ex_remove !
This is on 2 Nokias IP330 Fw-1 4.1 SP5 hotfixed running in VRRPmc mode. What
does this mean and how to resolve?
THX
Steffen
==
is there static nat for the webserver, what about the nat rules and
routing... do you see the packet on the internal interface of the fw? ip
pool nat for securemote client, or not? a lot of questions, perhaps
then i can give you an answer :)
Frits Heemstra wrote:
>Hi all,
>
>I ran into the fol
Greetings to you all
One of our clients is having problems with NG on
Solaris 8.
They can get to internet for an hour before they get
error messages that the firewall can't get to the
WWW server they requested. When this happens, I can't
login to the policy editor.
the messages file has thousands