Hi Liu,
As in my case, I use Windows2000 Server as the platform. The firewall does
not do the route, it is not firewall's functions. To activate the routing
function, you have to activate routing service. It was the case I
experienced in Windows2000 Server, the routing service is disabled by
Hello,
I had the same problem and after working with checkpoint RD they found a bug in the
code which causes this problem.
It seems that there is a problem with the libDataStruct.so file, after I replaced the
file with a new one I got from checkpoint and made a reset to the SIC, there is no
Good day!
I want to implement port-mapping: client connects to predetermined port on
fw's internal interface, must be redirected to external host:port address.
Firewall uses hiding NAT for local network, and static source/destination
for some hosts.
For sample:
client: 10.1.1.2
external-host:
Yannick and others,
Having done it, and several times to test it before in our lab. Here
are the things
I experienced.
Yes you can run a NG FP1 Management Server and manage 4.1 modules,
but, in the lab
I did not have to redo the putkey stuff just a download of the security
policy and
Steve,
To comment on Scott's answer.
Whatever version you are running, it seems Check Point first looks for the name of
a service in the services files (being /etc or \winnt\system32\drivers\etc) then in
its own service file. Several services show this behavior, SMTP, DOMAIN-UDP/TCP ...
Liu,
Static routes on IPSO are configured using Voyager, for this
proceed as follows :
- Login to Voyager
- Click on Config
- Go to Routing Configuration - Static Routes
- Enter the following infos :
- New Static Route : IP address of subnet
On Wed, Feb 13, 2002 at 06:12:38PM -0500, Brian Fritz wrote:
Subject: SNMP vulnerability patches available for IPSO ( CERT Advisory
CA-2002-03 )
On February 12, 2002 CERT announced an SNMP vulnerability
affecting many vendors. All versions of IPSO up to and including
IPSO 3.4.1 are
Liu,
A1:yes (OS routing is always possible)
A2 / A3:
1st of all
the firewall has to answer to ARP requests!
- Proxy ARP configuration is needed
Interfaces - ARP
Add a new Proxy ARP entry:
IP Address: 192.168.2.79 Interface: name of 210... = Nokia
external interface
check with
Thank you for all the replies.
I have solved the problems.
I found that the Nokia can not do the routing. (Maybe I miss setting
something.) But if you install firewall module without using NAT and it
can.
The Nokia maybe have no ability to do the routing itself. At least in my
environment, only
Hi,
To me this has nothing to do with Check Point ... you should rather
ask
Sun for a patch ... no ??
Met vriendelijke groeten - Bien a vous - Kind regards
Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSA CCSE
Compaq Software Engineer - Belgium
E-mail : [EMAIL PROTECTED]
Tel:
Sun's site says that there is a patch for Solaris, but it says it's not
available for download yet on the actual download page. Go figure...
-Original Message-
From: Hans-Joachim Hoetger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 5:14 AM
To: [EMAIL PROTECTED]
Subject:
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]]On Behalf Of
Hans-Joachim Hoetger
Sent: Thursday, February 14, 2002 11:14
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SNMP vulnerability patches available for IPSO ( CERT
Advisory CA-2002-03
-Original Message-
It's the OS that is vulnerable. Sun has not released any
patches yet. Here
is Sun's statement about this issue:
Yes they have.
Sun Microsystems, Inc. Security
What about a content security solution??
p.e. Websense. It works with FW-1 very good
See ya
- Original Message -
From: Steve Crume [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 13, 2002 4:16 PM
Subject: Re: [FW-1] Messenger
Yes it is unfortunate that any of
Here is how to block MSN Messenger:
All you have to do is block access to the login servers. If the user can't
login, they can't use IM.
Create 8 different Network Objects (Workstations).
MSN1  64.4.13.170
MSN2  64.4.13.179
MSN3  64.4.13.175
MSN4  64.4.13.82
MSN5  207.68.172.251
MSN6
Nokia Security appliances have two tasks to do, routing and security.
So I don't understand why you have problems with the Nokia's routing
features.
I think that you must first check the default router of each machine.
If you need more help I know Nokias very well.
See ya
- Original
I have recently setup a VPN with a customer using their
Cisco VPN concentrator. I keep getting the error message "IKE Log: Sent
Notification: Invalid id information phase 2 stage 2 Negotiation ID: xx" I have seen two possible solutions to
this. One says that I set the other
Gentlemen
I would like to implement a dual firewall, dual ISP
with both firewall active all the time.
But my question is ALTEON or F5?
Some practical advice... will be welcome!
Thanks
Both are good. F5 is partnered with Nokia now and may offer discounts if
you have Nokias. I'm personally growing more fond of the Foundry
solutions.
Chris
-Original Message-
From: CGI [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 10.50
To: [EMAIL PROTECTED]
Subject:
On Thu, Feb 14, 2002 at 12:48:56PM +0100, Lars Troen wrote:
Hello
Do you know, if other Versions/Platforms are vulnerable? Has
Checkpoint released fixes already? We are using Version 4.1
on Solaris.
regards
It's the OS that is vulnerable. Sun has not released any patches yet. Here
I've got one word for you: StoneGate!
Eric
-Original Message-
From: CGI [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 16:50
To: [EMAIL PROTECTED]
Subject: [FW-1] Alteon via F5
Gentlemen
I would like to implement a dual firewall, dual ISP
with both firewall active all
Hello,
I have a mail server having one NIC and an IP Address
of 10.x.x.x !! I can send emails anywhere. The problem
is I can't receive emails coming from the outside (WAN)
but I can receive emails within the network.
On my Firewall Policy, I reserve one public IP to my
mail server and define it
Hi,
I agree, we tested the Alteon (Nortel) boxes and they were great, much
better for bandwidth etc than the F5 stuff, but Foundry was the best for a
secured environment and performance.
Bestest,
nick
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL
We use the first one. If you do not count the small configuration problems in
the beginning (mostly because the consultants didn't know much about our
network architecture) the device is working OK.
**
Roman Zeltser,
@National Computer Center,
RSIS DNE
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]] On Behalf Of CGI
Sent: Thursday, February 14, 2002 16:50
To: [EMAIL PROTECTED]
Subject: [FW-1] Alteon via F5
Gentlemen
I would like to implement a dual firewall, dual ISP
with
Hello,
have you added a route and the static ARP entry?
CU, Dirk.
JGuevarra wrote:
Hello,
I have a mail server having one NIC and an IP Address
of 10.x.x.x !! I can send emails anywhere. The problem
is I can't receive emails coming from the outside (WAN)
but I can receive emails
Please mister salesman give it up. The days of software load balancing are
coming to an end. Rapidstream Checkpoint Appliance do it in hardware and it's
quick and fast and doesn't require another mortgage to buy it.
-Original Message-
From: Mailing list for discussion of Firewall-1
Chris Arnold wrote:
Your
reseller lied to you. You need the Account Management License installed
to use an external LDAP directory. You can manage your directory
with the AMC without this license but the FW won't even look to it.
Chris
It seems that you're true. I've installed an evaluation
On
your FW-1, in the properties of the firewall object for the Cisco device, do you
have 'Enable Subnets' checked? If so, you might want to try turning it off
as a test. I seem to recall having similar issues and the "ID information"
in question was the intended source of the
hello,
we are having the firewall module on NOKIA ip 330 and
management console on NT. how can i apply the patch and
what are the precautions should i take before applying
the patch.
thanks,
surya
Hello Everyone,
I am working on a new build of NG in the test lab.
I have a management server and a firewall module server and I can't get it
to work. They do talk to one another but I get the following error when I
try to install the policy on both the management station and/or the
firewall
Just a shot in the dark: do you have an MX record in your DNS?
Paul Chinnery
Network Administrator
Mem Med Ctr
-Original Message-
From: JGuevarra [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 11:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Problems on Passing
Also add the entry for the external mail address to local.arp file in State
folder
-Original Message-
From: Dirk Boenning [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 12:23 PM
To: [EMAIL PROTECTED]
Subject:Re: [FW-1] Problems on Passing
Hello,
have you
Not sure what you mean by specify the external v. Internal IF...
My thoughts are that if IKE Phase 1 works OK (which it does in order
for Phase 2 to kick off) then the initial config is OK. Usually Phase
2 errors are due to your Encryption Domain not matching the access-list
they have
On Nokia's website there is a PDF on connection to the 330 via Console
and installing it...
RTFM ;)
Scott J. Friedman, MCSE CCSE CCNA
Security Engineer
Ideal Technology Solutions, Inc
Email : [EMAIL PROTECTED]
Phone : (248) 398-5500 x280
[EMAIL PROTECTED] 02/14/02 12:48PM
hello ,
we are
I have a FW1 4.1, we just put a proxy (Linux) between the private
network and the firewall, and we have problems with FTP, when doing from
private network to any public site, I can't do ls or get because the
connection is closed, the firewall does a reject ( reason: tried to open
other host port)
Hi,
running cpconfig I get the following error (CPDIR is set to /opt/CPshared/5.0, FWDIR
is set to /opt/CPfw1-50):
Interface Configuration
Scanning for unknown interfaces...
ld.so.1: /opt/CPshared/5.0/bin/amon_config: fatal: libcpstatreg.so: open failed:
No
I just tried to install a clean copy of NG on a clean copy of IPSO.
IPSO-3.4.2-FCS2-12.15.2001-064400-877
NG Feature Pack 1 (Wed Dec 26 18:29:23 IST 2001 Build 51012)
FWDIR=/opt/CPfw1-50-01
I am getting the following error:
**
Your LD_LIBRARY_PATH is bad. As root, . /.profile
Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 14.37
To: [EMAIL PROTECTED]
Subject: [FW-1] NG Installation problem Solaris 8
Hi,
running cpconfig I get the following
Clean copy of IPSO with no other FW-1 packages installed? The only thing
that comes to mind with this is if there was a FW-1 package installed and
registered. Not much help though since you said it was a clean install. It
looks like it's not seeing a shared library so I assume your
Please mister salesman give it up. The days of software load
balancing are
coming to an end. Rapidstream Checkpoint Appliance do it in
hardware and it's
quick and fast and doesn't require another mortgage to buy it.
Eh? Alteons are very expensive. They are very expensive and so is their
I believe you will get these errors if you do not define the firewall
itself in Host address assignment in Voyager. I know for sure that
cpconfig will be unable to generate a default policy.
Regards,
Nicolai Andersen
Network Technologies A/S
email: [EMAIL PROTECTED] - web: www.nwt.dk
I
Is there any reason why the timeout option in the Block Intruder GUI screen
is specified in minutes, while the command line version of the command fw
sam -t is specified in seconds? I am studying for the CCSA exam and I would
like to clarify this information before committing it to memory.
Andre
Did you check the Firewall/VPN option when defining the workstation object
for your firewall module(s)?
Andre
From: Mula, Chris [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Having problems with Installing policy
i have a few rules in my policy to block nimda.
src=any
dst=mynetwork.com
service=http-nimda_rule
action=reject
the uri resource http-nimda_rule is:
connection method=transparent
schemes=http
methods=get
host=*
I've got a NT 4.0 sp 5, checkpoint 4.0 sp7 box VPN'd with a win 2k sp2,
checkpoint 2k sp 4 box.
I am using IKE encryption.
Both boxes are dell servers, the remote office has a PE 1450 SC (900 MHZ,
512 RAM) and the central office has a PE 2400 (500 MHz, 256 RAM)
Ping times range from 50 ms to
Slightly OT, after all this is a Checkpoint list
Stonegate is almost exactly the same price as Checkpoint and offers more
flexibility than hardware load balancing without any additional cost.
Furthermore, to date we have not had any issues with performance.
Stonegate is not for all