Hello,
actually this is a very interesting feature ;-). It basically means that you
can connect the trunk port of a switch (which must support 802.1Q
VLAN tagging) to your firewall. Your firewall will "see" each VLAN which is
on that switch as a virtual interface. Communication between those VLANs
wil
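As an added illustration of the point above (example code, not from the original post or from any vendor): a firewall on an 802.1Q trunk attributes each tagged frame to a per-VLAN virtual interface. The frames are constructed inline; the trunk name "eth0", the MAC addresses and the VLAN IDs 10 and 20 are assumptions.

```python
# Added example (not from the original post): how a firewall attached to an
# 802.1Q trunk "sees" each VLAN as a virtual interface. The frames below are
# constructed; the interface name, MACs and VLAN IDs are assumptions.
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(vlan_id, ethertype, payload, dst=b"\x02" * 6, src=b"\x04" * 6):
    """Build an Ethernet frame; a VLAN tag (PCP/DEI = 0) is inserted if vlan_id is set."""
    hdr = struct.pack("!6s6s", dst, src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload). vlan_id is None for an untagged
    frame (native VLAN of the trunk). Only one tag level is handled; a second
    0x8100 tag (QinQ) would be left inside the payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF        # VLAN ID is the low 12 bits of the TCI
        if vlan_id == 4095:           # reserved by 802.1Q
            raise ValueError("reserved VLAN ID 4095")
        if vlan_id == 0:              # priority-tagged only: belongs to the native VLAN
            vlan_id = None
        offset = 18
    return vlan_id, ethertype, frame[offset:]


def ingress_interface(trunk, frame):
    """Name of the virtual interface the firewall attributes the frame to,
    in the Linux 'eth0.10' style (an assumption about naming)."""
    vlan_id, _ethertype, _payload = parse_frame(frame)
    return trunk if vlan_id is None else f"{trunk}.{vlan_id}"


def demo():
    """Three frames arriving on one trunk land on three firewall interfaces."""
    ip_stub = b"\x45" + b"\x00" * 19          # constructed IPv4 header bytes
    frames = [build_frame(10, ETHERTYPE_IPV4, ip_stub),
              build_frame(20, ETHERTYPE_IPV4, ip_stub),
              build_frame(None, ETHERTYPE_IPV4, ip_stub)]
    return [ingress_interface("eth0", f) for f in frames]


if __name__ == "__main__":
    print(demo())
```

Because every frame is attributed to an interface by its tag, traffic from VLAN 10 to VLAN 20 enters the firewall on eth0.10 and leaves on eth0.20, so the rulebase (and anti-spoofing, which is per interface) applies to inter-VLAN traffic exactly as it does to traffic between physical interfaces.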
Hello,
the NetScreen appliances might be to your taste. Cisco PIX is also not a bad
firewall. Both use a browser-based GUI which can basically run on any
platform (Linux, Solaris, Macintosh ... ;-) ). They are all stateful
packet filters which support VPNs. The NetScreen is said to have a good
thr
Title: Additional IP for management WS
Hello,
on the
console type in 'cpconfig' and choose option #3. If you want to add a
new admin-account as well choose #3 and #2.
--Joerg
http://www.firewalls-illustriert.de
-Original Message-
From: Oleshev, Alexander [mailto:[EMAIL
Hello,
this has been discussed on the list several times. You are not running a
supported kernel version.
If you have a valid software subscription with Check Point you could download it at
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/ng/fp3/lin
ux/2.4.18-5/kernel-2.4.18-5.i686
Hello,
I personally would say that if you want or need a platform with somewhat
more whistles than SecurePlatform a plain Linux from scratch is always your
best bet.
--Joerg
http://www.firewalls-illustriert.de
-Original Message-
From: Lars Troen [mailto:[EMAIL PROTECTED]
Sent:
Hello Civic,
at our house we have a very heterogeneous firewall environment. Our RainWall
is running on Linux and we are very satisfied with the throughput and
stability of the product.
Additionally the RainWall support is very good. If you have a complicated
problem and open a trouble tick
Hello,
it is not quite clear to me if you are talking about the sender-address or
the recipient.
a) recipient
in FW 4.1 you can change the account to which the e-mails are sent at Policy ->
Properties -> Log and Alert. In rev. NG you can change it at Policy -> Global
Properties -> Log and Alert (+).
Hi,
if you can start your fw manually it should not be a big deal to fix it. I
do not know the phoneboy solution you have already tried; but there is a
Check Point solution (id sk2947) in the Knowledgebase. Maybe you can look it
up yourself since I do not know if it is quite legal to quote Chec
Tony,
As far as I know, when you open the GUI it always displays the most recently
saved (PullDown -> File -> Save[as]) policy, no matter if it is the
installed policy or not. I would open the installed policy from file and
explicitly save it back to the mgmt. I guess this should fix your problem.
-
Hello Wen,
I personally think the Intel Celeron might be somewhat faster than the
UltraSPARC IIe (remember, SUN considers it "entry level"). However it is
not only about CPUs. If your Linux system has a 64/66 system bus it has
definitely a better throughput than the SUN.
--Joerg
http://www.fir
Hello,
on the Linux box where you start the backup use "scp -v" to get some more
verbose output. In most cases when scp does not work properly it says
something like this: "debug: client_disconnect: Illegal protocol version."
But this is a guess only till you get insight into the verbose / debugging
outpu
Hello,
try RedHat 7.2 since the system requirements say
"RedHat Linux 6.2, 7.0, and 7.2". Your kernel version is probably not
suitable.
--Joerg
http://www.firewalls-illustriert.de
-Original Message-
From: Jason Cameron
To: [EMAIL PROTECTED]
Sent: 2/3/03 4:32 PM
Subject: [FW-1]
> To all
Hello friend ;-,
your question and description are not very specific. However I have only seen
such errors when using User-Defined Service Objects [pull-down menu
Manage->Services->Other]. If you have created such a service object and get
the error you should delete the object, even when the obj
Hello,
I would _not_ recommend using SecurePlatform if you intend to use
Stonebeat or other custom software.
E.g. when you are going to run the Rainfinity RainWall with SecurePlatform
you need to install additional shared libraries. These shared libs come with
the Rainfinity install CD. As far
ther layer of
defence, or a waste of fw-1 resources?
-Original Message-
From: Joerg Fritsch [mailto:[EMAIL PROTECTED]]
Sent: January 31, 2003 6:13 AM
To: [EMAIL PROTECTED]
Subject:[FW-1] AW: [FW-1] SMTP Rule - 4.1 and NG FP3
Hello,
of course you can configure your C
Hello,
of course you can configure your Check Point FireWall as MTA. DNS does not
handle these issues (SPAM); professional MTAs like MIMESweeper, sendmail or
qMail behind your firewall do. E.g. in sendmail you just have to enter
"OURDOMAIN" into the access.db.
I personally prefer having a single po
Since
it is only four hosts you might want to consider setting up your rulebase
as follows:
SRC GROUP(4 HOSTS) DST(ALL SYSTEMS AND DESTINATIONS YOU DO NEVER WANT TO BE ACCESSED BY THIS GROUP) SERVICE(ANY) ACTION(DENY)
SRC GROUP(4 HOSTS) DST(ANY) SERVICE(PUT T
Title: SecurePlatform support question
Hello,
I have
several firewalls running on RedHat Linux; even mission critical clusters like
our RainWall. According to my experience Check Point & Linux is a stable
configuration. There are even products like the performance pack which do not
run u
Hello,
I can recommend a very important book: TCP/IP Illustrated vol. 1.
It is better than any training can be.
--Joerg
-Original Message-
From: richard marshall [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 14 March 2002 12:30
To: [EMAIL PROTECTED]
Subject: [FW-1] Off-Topic
Hi,
usually modern cluster software like Stonebeat, the Rainwall or hardware
load balancers are used to achieve High Availability. If your hardware is
Nokia it comes with a free High Availability feature.
Syncing without one of those is complete nonsense.
--Joerg
-Original Message-
an create a replica of an LDAP directory. You could also have
a situation where the directory will reside on one host and another host will be
exclusively a consumer and have no local store.
Chris
-Original Message-
From: Joerg Fritsch [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 200
In fact I wonder if he is talking about OpenLDAP or the iPlanet Directory
Server. As far as I know both require the slapd running on the same platform
where the database is located. Isn't it?
Of course you can do replicas.
--Joerg
-Original Message-
From: Chris Arnold [mailto:
Hi there,
I would say it is no big trouble. You can do it the cheap way and configure
BGP on your router. However at least in Germany not all ISPs support BGP
customers. And then you can use the Radware LinkProof. However it seems
difficult to get any more information out of them if you are not
time. I have tried it and at least the rulebase
compiles and installs. However, I cannot tell if it works stably enough for
heavy production use.
--Joerg
-Original Message-
From: Drake, Brian [mailto:[EMAIL PROTECTED]]
Sent: Monday, 11 March 2002
Hi,
in my opinion the public support of Nokia is no good. I would try the manpage
section of www.freebsd.com .
--Joerg
-Original Message-
From: Muhammed Riyas Kunhi [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 10 March 2002 04:53
To: [EMAIL PROTECTED]
Subject
Hi back ;-)))
it is probably due to the mail servers. Are they on Linux? If it is sendmail
you often can read / get hints in "ps aux" at what stage mail delivery gets
stuck. E.g. "user open" means that a connection on port 25 cannot even be
opened. What does "ps aux" say?
Have you tried a "tel
Hi,
sounds as if you have checked Policy -->> Properties -->> accept icmp.
--Joerg
-Original Message-
From: Gordon Webber
To: [EMAIL PROTECTED]
Sent: 2/26/02 5:16 PM
Subject: [FW-1] Securing the FW-1 Firewall
Hi All,
I have FW-1 on Nokia.
I have implemented VRRP as part of the fw-1/Nok
Look at the protocol. Is it ICMP ?
-Original Message-
From: Leon Noble [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 28 February 2002 14:58
To: [EMAIL PROTECTED]
Subject: [FW-1] Blank Service
Hi All,
wonder if anyone can point me in the right direction. In our log files,
there
Hi,
the OS is talking RIP, OSPF or BGP. It does not depend on Check Point. You can install
additional (independent) software packages on every Solaris firewall which
talk RIP, OSPF or even BGP (e.g. Zebra). You just have to accept these in
your rulebase.
In
fact on Nokia IP nnn OSP
Title: Provider-1
Hello.
first of all: Provider-1 is just a
centralized management GUI. It has nothing to do with software maintenance
(at least not in rev. 4.1). According to my understanding SiteManager-1 (as its
real name is) is just a stripped down Provider-1 and has nothing
Hello,
fw-1 only accepts ftp data conns on ports not already used for other
services in the rulebase. This can be fixed with the substitution of about
10 lines in $FWDIR/lib/base.def
It is basically about modifying the parameter NOTSERVER_TCP_PORT. I'm quite
sure you can find it in the archives
Hi,
sometimes people write strange things into $SBHOME/etc/checklist. It is
worth a look, since people might have wanted the fw to switch when the NAT IP
of the internal server is not reachable by a designated filter module.
--Joerg
-Original Message-
From: Bergs, Martin [mailto:[
Hello,
http://www.ftpproxy.org/
should compile under Solaris. However it is a proxy which strictly follows
the RFC and it depends on the capabilities of the ftp client used whether it works
or not. In my experience you have a 50/50 chance.
Recently someone talked about compiling the SuSE
Hello,
as far as I know the highest supported is Solaris 7 32 bit.
--Joerg
-Original Message-
From: Kris Cox [mailto:[EMAIL PROTECTED]]
Sent: Friday, 22 February 2002 11:27
To: [EMAIL PROTECTED]
Subject: [FW-1] FW1-41 and solaris 8
Hello,
I'm trying to install FW1-41 on a
Hello,
so I assume you have plumbed a new interface and all traffic destined to
that interface gets lost without any sign / message in the logs. If I were
you I would first doublecheck my anti-spoofing settings on that interface
(turn on logging for anti-spoofing). Your traffic probably gets los
Hello,
I assume you are running the ISA Servers as a cluster. I once had the same
problem with iPlanet Webservers. The cause was that the webservers sent an
additional TCP packet after the connection was already closed. As far as I
can remember this could be fixed by changing the cluster settings
Hi,
the routing and the ARP are the reason why Check Point needs to mention that
routing is done before NATing at all. In fact you can do routing before
NATing __IF__ you have a static NAT entry which looks like this:
route add IP_NATed gw IP_original
So that every packet destined to your NATed ho
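The forwarding order described above, as an added example (not from the original post, and not Check Point code): a small routing-table model in which the route lookup happens on the original, NATed destination and the translation happens afterwards. The addresses are constructed from the RFC 5737 documentation ranges; the external and internal subnets and the hop labels are assumptions.

```python
# Added example (not from the original post): a tiny forwarding model that shows
# why routing-before-NAT needs a host route for the NATed address pointing at
# the real host. Addresses are constructed (RFC 5737 documentation ranges).
import ipaddress


class RoutingTable:
    """Longest-prefix match over static routes with a default gateway."""

    def __init__(self, default_gw):
        self.default_gw = default_gw
        self.routes = []                       # (ip_network, next hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else self.default_gw


def forward(table, static_nat, dst):
    """Order described in the post: the route lookup sees the *original*
    (public, NATed) destination; only afterwards is the destination
    translated. Returns (next hop chosen, destination after NAT)."""
    hop = table.next_hop(dst)                  # routing first ...
    translated = static_nat.get(dst, dst)      # ... NAT second
    return hop, translated


PUBLIC, INTERNAL, ISP = "203.0.113.10", "192.168.1.10", "203.0.113.1"
STATIC_NAT = {PUBLIC: INTERNAL}                # public address -> real host


def _base_table():
    table = RoutingTable(default_gw=ISP)
    table.add("203.0.113.0/24", "direct:external")   # public subnet is on-link outside
    table.add("192.168.1.0/24", "direct:internal")   # internal LAN is on-link inside
    return table


def without_host_route():
    """The NATed address is in the external subnet, so the packet is ARPed
    for on the outside interface, where nobody answers for it."""
    return forward(_base_table(), STATIC_NAT, PUBLIC)


def with_host_route():
    """The /32 from 'route add IP_NATed gw IP_original' wins the longest
    match, so the packet is sent towards the real host before NAT rewrites it."""
    table = _base_table()
    table.add(f"{PUBLIC}/32", INTERNAL)
    return forward(table, STATIC_NAT, PUBLIC)


if __name__ == "__main__":
    print("without host route:", without_host_route())
    print("with host route:   ", with_host_route())
```

The check a practitioner wants is simply the two outputs side by side: in the first case the next hop is the external segment and the translated destination is never reached; in the second the host route steers the packet to the internal host, which is why the post's static route makes routing-before-NAT work.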
Hi,
maybe you could describe your setup a little closer, since it is probably
very interesting.
--Joerg
-Original Message-
From: Emmanuel Bailleul [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 17 February 2002 11:11
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] OpenSSL as PKI for VPN
Hi all,
has anyone ever seen this error message when installing a new policy in a
distributed installation:
...
...
Compiled OK.
You have no controlling tty. Cannot read passphrase.
You have no controlling tty. Cannot read passphrase.
lost connection
...
...succeeded.
Thanks.
-
Hello ;-))
for more or less "simple" environments / gateways to the internet I would
NAT on the firewall because then you have one policy and graphical editor
and so on and so on. In load balancing environments NATing is almost always
done on the Layer 4-7 switches.
However a 6509 might have tre
Hi,
First, and by the way: the maximum number of subnet bits is 32. Something
like /36 does not exist in IPv4.
Static routes on IPSO are added via Voyager. However if the FW has an
interface in each of the (complete) subnets you do not need a route.
If you add a rule like this:
source
What are you considering an "informal" IP ?
-Original Message-
From: liu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 13 February 2002 10:03
To: [EMAIL PROTECTED]
Subject: [FW-1] Change one ip address for another
Hi
I am to change the ip address of the licence.But during tha
Hello,
I wouldn't bother about starting the fw logexport on an EPC or management station;
as long as it is running under Unix you can use "nice" to give it a somewhat low
priority.
--Joerg
-Original Message-
From: Scheidel, Greg (Contractor) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29.
icaten services from 5500/udp to 550n/tcp.
Do you have any proof of it?
**
Roman Zeltser,
@National Computer Center,
RSIS & DNE
-Original Message-
From: Joerg Fritsch [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 12:43 PM
To: [EMAIL PROTECTE
Hello,
I have a kind of ridiculous problem. AceServer 5.0 seems to have changed
authentication services from 5500/udp to 550n/tcp. I can generate all types
of "customized" sdconf.rec files and transfer them to my filters.
Regrettably the FirewallModule always tries to reach the AceServer via udp
...
Hello,
I have put some FW1<<>>MRTG related stuff on the web. It is tailored for
Solaris however.
http://www.joerg.cc/unix/mrtg/firewall_mrtg.html
--Joerg
-Original Message-
From: Jeremy Morrill
To: [EMAIL PROTECTED]
Sent: 1/25/02 1:59 PM
Subject: Re: [FW-1] MRTG
Memory, cpu, number of
Hello,
if I were you, first I would gather some anonymous ftp server URLs on the
internet and try those. If a similar problem occurs ... it is your firewall.
If the problem only occurs with their proxy ... it is their proxy.
Well, Checkpoint has had many ftp bugs and incompatibilities in the p
Hi,
if you want to know the stats of dedicated tcp sessions you can simply set
the logging to "account" and the number of bytes together with the elapsed
time will appear in your logviewer GUI (when "account" is chosen from the
pull-down menu).
If you want stats per rule / user / source your be
Hi ;-)),
in my opinion there is no need to change the main IP address of your
firewall in the GUI. I assume you have objects for your firewall; in the
first tab you have entered the IP you are talking about and in the
"interfaces" tab you have all the other interfaces (done by snmp get).
I
Hi,
you can increase it in the submenu Policy-->>Properties TcpSessionTimeOut
--Joerg
-Original Message-
From: Andras DORN [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 15 January 2002 08:51
To: [EMAIL PROTECTED]
Subject: [FW-1] Connection lost problem
Hi!
I have problem wit
Hello,
I doubt that nothing has been changed. Is it a Nokia you are on? In fact
you REALLY can safely ignore "Could not put license in running module: No
such device or address" on a Nokia. The other ones I don't know. I would
try:
1. Reboot
2. If the Reboot is no cure backup your
Hi,
there is an easy to install software on the market which will meet these
requirements. And it is not too expensive though:
www.firemon.com
It is OPSEC Certified.
--Joerg
-Original Message-
From: Haim Chibotero [mailto:[EMAIL PROTECTED]]
Sent: Monday, 14 January 2002 09:43
Hi all,
has anyone tried support.checkpoint.com since they have changed the design
of the login screen. It has become very slowww ... . Strange.
--Joerg
Hello back ;-)))
it is still working as expected. Only when using anti-spoofing (at least on
Solaris) you cannot get the virtual if / ip address via snmp get in the GUI.
You have to add the virtual interfaces manually in the GUI.
Everything else is working as expected.
--Joerg
-Ursprüngl
If it is a Nokia IP xxx then the files are packages, they must not be
unzipped. You either can add them via Voyager or you can add them with the
newpkg command.
--Joerg
-Original Message-
From: Mehta, Phoram
To: [EMAIL PROTECTED]
Sent: 1/8/02 7:01 PM
Subject: [FW-1] nokia ip440
hi,
i tr
Hi,
I do not quite understand:
* Do you want to replace your whole firewall by a Linux based toy?
* or do you just need something like SecuRemote running on Linux? -->> In
this case you might want to try FreeSwan. As far as I can say it runs
smoothly and stably.
--Joerg
-Original Messag
Hello,
what OS is your firewall running on? Is it an enterprise center (management and
filter all in one) or are you running a dedicated management?
If I were you I would doublecheck if I have logfiles at all, maybe the file /
filesystem is corrupted ( $FWDIR/log/fw.log ... and others).
Hello,
as far as I know 5.001 was slightly buggy and we also had problems
implementing it on Solaris. However in the meantime there should be a
somewhat more recent release. You have the choice to upgrade to the most
recent rev. (do not know if it is available for NT) or maybe you'd like to
wor
Hi,
I think you need to modify the syslog.conf on your sun.
--Joerg
-Original Message-
From: Waeytens, Filip [mailto:[EMAIL PROTECTED]]
Sent: Friday, 30 November 2001 10:50
To: [EMAIL PROTECTED]
Subject: [FW-1] Remote syslog facility problem
Hi,
We have a problem:
We se
Hi.
it means something like "Malicious Activity Detector" which is basic detection of
e.g. (DoS) attacks. You can configure it via a more or less self explanatory
file: "cpmad_config.conf".
--Joerg
-Original Message-
From: Alexander Fabri
To: [EMAIL PROTECTED]
Sent: 10/8/01 4:39 PM
Subjec
Hi all,
is it harmless to apply the new Solaris kernel patch 105181-23 to a system
having Checkpoint Firewall-1 4.1 SP2 installed? Or will my installation be
broken afterwards?
Thanks,
--Joerg
Hi Mario,
I have had the same problem with the 1st beta release (they gave out in
Paris) and Solaris 7. I tried to get help from [EMAIL PROTECTED] and
their beta mailing list. Regrettably there has been no reply so far.
--Joerg
-Original Message-
From: Mario Kadastik
To: [EMAIL PROTECTED]
Regrettably that was not the case in Solaris7, but at least the pkgrm worked
fine. Checkpoint 4.1SP2 is running on that machine now.
--Joerg
-Original Message-
From: Neo
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 5/31/01 4:40 PM
Subject: Re: [FW1] anyone tried NG ?
I installed NG
Hi all,
I tried the NG beta on Solaris 7, installed as a standalone product
("EnterpriseCenter"). Well, what should I say... the daemon runs just fine,
it is simply not possible to access it with the GUI. The GUI says that the
server might not be running. This is _NOT_ true.
On cpstart I get the
Hi,
it is not quite clear to me what your topology really is. Firewall routing
is always static routing and static routing is always next hop routing. If
your topology is like this:
172.x.x.x--330--192.x.x.x
I
R
I
166.x.x.x
You need a route for "166.x.x.x gateway 172.x.x.101" at th
Title: Message
You can see the downloaded topology on the client side in the userc.C file.
Both servers (the gateway server and the internal server) should be in the valid
encryption domain.
--Joerg
-Original Message-
From: Mack, Don [mailto:[EMAIL PROTECTED]]
Sent:
Hi,
I think www.fish.com/titan would be your best bet. It is from someone who
has been/is working for SUN.
By the way, could you please send me: "how to strip down Unix".
--Joerg
-Original Message-
From: Robert N. Correa [mailto:[EMAIL PROTECTED]]
Sent: Friday, 4 May 2001 17
In version 4.1 it is mainly after installing a new rulebase, because the
state tables are cleared and the "established" TCP connections are not
recognized any more.
Maybe you have installed the rulebase and some stupid application has not
recognized yet that the connection has been dropped.
--Joer
Hi back,
I do not know if this explains your problem, but Checkpoint FireWall-1 works
its way through the rules sequentially and the first rule that fits the
circumstances is used. To me it looks as if the rule for client
authentication is placed before the rules which request client encryptio
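An added example (not from either post, and not Check Point code) for two passages on this page: the two-rule layout suggested earlier for the four-host group (specific deny first, broad allow second) and the point just made that FireWall-1 evaluates rules top-down and the first match wins. The evaluator below replays both; the group members, the forbidden destinations and the services are constructed.

```python
# Added example, not from either post: a first-match rulebase evaluator. It
# replays the two-rule layout proposed for the four-host group and shows that
# the first matching rule decides, so rule order matters. Addresses, group
# members and services are constructed.
import ipaddress
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    src: object      # tuple of CIDR strings, or ANY
    dst: object      # tuple of CIDR strings, or ANY
    service: object  # tuple of (proto, port), or ANY
    action: str      # "ACCEPT" or "DROP"
    name: str


def _addr_match(nets, ip):
    if nets == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def _svc_match(services, service):
    return services == ANY or service in services


def evaluate(rulebase, src, dst, service):
    """Walk top-down; the first rule whose src, dst and service all match
    decides. Nothing matching falls through to an implicit drop, as the
    cleanup rule at the bottom of a FireWall-1 rulebase would do."""
    for rule in rulebase:
        if (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
                and _svc_match(rule.service, service)):
            return rule.action, rule.name
    return "DROP", "implicit drop"


FOUR_HOSTS = ("192.0.2.11/32", "192.0.2.12/32", "192.0.2.13/32", "192.0.2.14/32")
NEVER_FROM_GROUP = ("10.0.0.0/8", "192.168.0.0/16")   # what the group must never reach
WEB = (("tcp", 80), ("tcp", 443))                     # stands in for the services allowed

RULEBASE = [
    Rule(FOUR_HOSTS, NEVER_FROM_GROUP, ANY, "DROP", "group -> forbidden"),
    Rule(FOUR_HOSTS, ANY, WEB, "ACCEPT", "group -> anywhere else"),
]


def order_matters(rulebase, src, dst, service):
    """Verdict for the same packet with the rulebase as written and with the
    two rules swapped: once the broad allow sits first, the narrow deny
    below it is never consulted for a matching service."""
    as_written = evaluate(rulebase, src, dst, service)[0]
    swapped = evaluate(list(reversed(rulebase)), src, dst, service)[0]
    return as_written, swapped


if __name__ == "__main__":
    print(evaluate(RULEBASE, "192.0.2.11", "10.1.2.3", ("tcp", 80)))
    print(evaluate(RULEBASE, "192.0.2.11", "198.51.100.5", ("tcp", 443)))
    print(order_matters(RULEBASE, "192.0.2.12", "10.1.2.3", ("tcp", 80)))
```

The check worth keeping from this is order_matters(): whenever a narrow rule and a broader one overlap, run a packet that both match through the rulebase and confirm the narrow rule still wins; if it does not, it has been placed too low, which is exactly the situation described for the client-authentication rule above.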
Hi,
I do not know that Error, but why don't you use FWZ as encryption scheme. It
does not require a certificate authority.
--Joerg
-Original Message-
From: F.Iga [mailto:[EMAIL PROTECTED]]
Sent: Monday, 23 April 2001 13:58
To: [EMAIL PROTECTED]
Subject: [FW1] About SecuRemo
Hi,
if your Firewall is Solaris you can simply do a snoop on the interface where
you expect the incoming traffic and at the same time a snoop on the outgoing
interface. Of course you can combine this with grep ... and redirect the
output to a file. Well, it's a bit of work but this way you can d
Hi all,
I have an "old" fw4.1SP4 installation running on Solaris 2.6. I have not
installed that one, but I know that the firewall service does not start at
boot time. I have doublechecked /etc/rcS.d/S25fw1boot which is there and
executable. FW_BOOT_DIR points to /etc/fw.boot which is there too
Hi there,
for LinuX there is freeSwan. You can get it from www.sourceforge.net.
--Joerg
-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 23.04.01 21:22
Subject: [FW1] Secure Remote for Linux/Solaris, Macintosh
Hi,
Do secure remote clients exist for n
Mikael,
that shouldn't be a problem ... if the script is written in Perl or Python.
You can use the commands fork (Perl) or rfork (Python). You can find
valuable resources about starting / forking Python scripts into daemon mode at
http://starship.python.net/crew/jjkunce/ . Pay attention to daemon
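The forking-into-daemon-mode the reply points at, as an added example (not from the post or the linked page): the classic double fork in Python using os.fork (the Python standard library has no rfork). The report pipe is only there to show what the two forks achieve; /dev/null as the stdio target and the lambda workload are assumptions.

```python
# Added example (not from the original post): detaching a Python script into
# the background with the classic double fork (os.fork; Python has no rfork),
# so the shell that launched it on the firewall gets its prompt back. The
# report pipe exists only to show the daemon's reparenting and new session.
import os


def daemonize(work, null_dev="/dev/null"):
    """Run work() as a daemon. Returns in the caller after the intermediate
    child has been reaped; the daemon process itself never returns here."""
    pid = os.fork()
    if pid != 0:
        os.waitpid(pid, 0)          # reap the intermediate child: no zombie
        return
    os.setsid()                     # new session, no controlling tty
    if os.fork() != 0:
        os._exit(0)                 # intermediate child exits; daemon is reparented to init
    # The daemon: not a session leader, so it can never reacquire a tty.
    os.chdir("/")                   # do not pin a mounted filesystem
    os.umask(0o022)
    with open(null_dev, "rb") as fin, open(null_dev, "ab") as fout:
        os.dup2(fin.fileno(), 0)
        os.dup2(fout.fileno(), 1)
        os.dup2(fout.fileno(), 2)
    try:
        work()
    finally:
        os._exit(0)                 # never fall back into the caller's code


def spawn_and_report(work=lambda: None):
    """Daemonize work() and return what the daemon reports about itself:
    (daemon pid, daemon session id, daemon's parent pid)."""
    rfd, wfd = os.pipe()

    def report_then_work():
        os.close(rfd)
        os.write(wfd, f"{os.getpid()} {os.getsid(0)} {os.getppid()}".encode())
        os.close(wfd)
        work()

    daemonize(report_then_work)
    os.close(wfd)                   # only the daemon still holds the write end
    chunks = []
    while True:                     # read until the daemon closes its end
        data = os.read(rfd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(rfd)
    pid, sid, ppid = (int(x) for x in b"".join(chunks).split())
    return pid, sid, ppid


def detached_properly(report):
    """True when the daemon is not our child, lives in another session and
    is not that session's leader: the three things the double fork buys."""
    pid, sid, ppid = report
    return (pid != os.getpid() and ppid != os.getpid()
            and sid != os.getsid(0) and sid != pid)


if __name__ == "__main__":
    report = spawn_and_report()
    print("daemon pid, sid, ppid:", report, "detached:", detached_properly(report))
```

A daemon started this way survives the launching shell's exit and the loss of its tty; if it must be stopped later, have work() write a pid file, since the launcher no longer knows the daemon's pid.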
Hi,
are the encryption schemes on 1. the firewall 2. the SecuRemote client 3. the
user the same? Just to make sure that both (client and firewall) have
the same information do an update / new topology download on the client. Which
services are making trouble? Could it be that they might need back conne
Greg,
Provider1 is very expensive. However it would be the most comfortable way to
manage that many firewalls. As far as I know Provider1 does not allow you to
manage multiple management stations, but IS the management station for ALL
the firewalls you manage. You even can remove all the manage