Hi,
I actually tried installing it on an official version of RedHat 7.2 and it
failed to load the Fw-1 module. It says cannot create some device . etc..
I tried installing on RedHat 7.0 and it worked fine in a jiffy.
Regards
Divakaran
-Original Message-
From: Morton, Matthew
Check the kernel version.
We have some customers with this Red Hat and we haven't any problem
during the install...
Oh, I remember something: try this:
- after Linux box is booting, log as root;
- type the following command:
cpstop
cpd
cpstart
I remember that cpd wasn't launched, so I launch
Hi, Dear friends,
I need to take down an existing firewall (Firewall B) and configure it to
be the backup server of another firewall (Firewall A). These two firewalls
are on same network and both are running checkpoint 4.0 on solaris box. Of
course both of them are having different routing
Title: RE: [FW-1] Nimda Uri
You didn't mention anything about ndb_open error or fwauthd.conf. I am glad you have overcome your problem. See ya around.
-Original Message-
From: Joe Bloggs [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 7:08 PM
To: [EMAIL PROTECTED]
Hi,
I have a client who is trying to connect to our mail over the VPN. He is
located at one office which has a firewall module 4.1 sp3, and he is
communicating with our office here.
He has communication, however when he tries to open the exchange server and
resolve, using the lmhost, the exchange
Title: Message
In addition to the FWD.H and HWD.HOSTS files, a list of licensed IP's is also kept in the LICHOSTS table.
I assume this is preserved over a reboot, for some reason, thus your problem.
Also, my FW has a tendency of counting a couple of external IP's, meaning I get this error
Yes it would. Just make the internal interface of the firewall be the site
address.
Lars
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]]On Behalf Of Sam
Ghannadi
Sent: Wednesday, March 13, 2002 16:07
To: [EMAIL PROTECTED]
Subject:
Hi,
usually modern Clustersoftware like Stonebeat, the Rainwall or Hardware
loadbalancers are used to achieve High Availability. If your Hardware is
Nokia it comes with a free High Availability feature.
Syncing without one of those is complete nonsense.
--Joerg
-Original
FW-1 4.1 on Solaris 7
The servers behind it become slowly responding. And I found plenty of log
entries in /var/adm/messages like these below:
...
Mar 14 15:23:49 bjsfig last message repeated 5 times
Mar 14 15:23:49 bjsfig unix: FW-1: halloc: unable to allocate 60 bytes
Mar 14 15:23:49 bjsfig
Dear friends
I need ICMP re-direct to work on Checkpoint NG firewall running on LINUX
operating system.
I need it to send back the whole route if possible to the Windows clients
for a corporate WAN router.
I have noticed that:
When I ping the firewall the ping is excepted to the firewall the
Hi,
I faced the same problem with default kernel of 7.2 (2.4.7-9)
After upgrading to latest kernel it just worked fine.
Do rhn_register up2date.
Cheers
Renju.
- Original Message -
From: Ullampuzha Mana, Divakaran (GEAE, GTS India)
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent:
Hello,
I have been running Fw-1 in an enterprise environment for over a year now,
but have very little in the way of formal TCP/IP training.
I would like to take a course that would cover TCP/IP and fill in what I
feel are gaps in my knowledge. (or at least confirm what I think I know)
Can
At 17:53 14.03.2002 +0800, Winway wrote:
FW-1 4.1 on Solaris 7
The servers behind it become slowly responding. And I found plenty of log
entries in /var/adm/messages like these below:
...
Mar 14 15:23:49 bjsfig last message repeated 5 times
Mar 14 15:23:49 bjsfig unix: FW-1: halloc: unable to
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]]On Behalf Of
richard marshall
Sent: 14 March 2002 11:30
To: [EMAIL PROTECTED]
Subject: [FW-1] Off-Topic... tcp/ip training
Hello,
I have been running Fw-1 in an enterprise environment
I'm using FW 4.1 SP5, anyone any idea how to get the FW to broadcast the
actual source IP instead of its int IP after applying a URI resource to a
rule ? ie would be nice to know what host was attacking your dmz with a
codered worm etc...
Thanks in advance...
Hello,
I can recommend a very important book: TCP/IP Illustrated vol. 1.
It is better than any training can be.
--Joerg
-Original Message-
From: richard marshall [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 14 March 2002 12:30
To: [EMAIL PROTECTED]
Subject: [FW-1]
Add an entry in to /etc/system and allocate FW more memory, information
is available as a download
from Checkpoint (search for tuning Solaris ).
Winway wrote:
FW-1 4.1 on Solaris 7
The servers behind it become slowly responding. And I found plenty of log
entries in /var/adm/messages like
=
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list,
please see the
I'm using FW 4.1 SP5, anyone any idea how to get the FW to broadcast the
actual source IP instead of its int IP after applying a URI resource to a
rule ? ie would be nice to know what host was attacking your dmz with a
codered worm etc...
There is no way to do this. When a connection passes
Title: RE: [FW-1] Source IP change after creating uri
If you create a URI resource dropping traffic to your WEB Servers in the DMZ you will actually see the real IP address of the attacker and not the IP Address of the Firewall. When you create URI of this type the traffic is not sent at the
Darn... Incidentally, NG does not do this therefore all of a sudden I'm
looking forward to an NG upgrade...
Thanks! :-)
From: Don [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Source IP change after creating uri
Darn... Incidentally, NG does not do this therefore all of a sudden I'm
looking forward to an NG upgrade...
Are you sure about that? I was under the impression that NG had the same
behavior. Then again, the sum total of my experience with security servers
under NG was a half hearted attempt to
Found this out from http://www.phoneboy.com, do a search for uri proxy
From: Don [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Source IP change after creating uri
Date: Thu, 14 Mar 2002 09:43:39 -0500
Darn...
No that's fine, I'm accepting the uri, however I have Snort running and it
used to pick up the source ip, now it picks up the fw's ip. Apparently NG
does not do this according to phoneboy.
From: Chontzopoulos, Dimitris [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
Title: How to change NT FW-1 IP address due ISP move
Hi,
Anyone have the detail steps what to do with NT FW-1 changing the IP with new ISP Vendor?
I am new to FW-1, please help!
Thanks
-tom
Title: Does anyone know how to block Kazaa, Morpheus and all these parasites on a FW-1 ?
Yes...Deny everything from the start (this is what you should have
done in the first place), create a network diagram showing what your traffic
really is, install a Proxy for WEB browsing, and start
We got it figured out [sorta] :-)
Our FW Design guru had mentioned it in one of our meetings, and everyone in
support said, Nah, shouldn't matter...hehehehe
Checkpoint had advised to go to sp4. sp4 didn't fix it. :-
What did fix it was moving these host any any rules way up on the list
Title: Message
No.
This is the highest rule in the rule-set.
And they are definitely using Kazaa, I have checked and rechecked the rule and
everything is configured right.
No drop or reject logs.
Cheers,
Serge
-Original Message-
From: Stuart Carrison [mailto:[EMAIL PROTECTED]]
Hello
We use 2NG's on two Solaris 8 environment in a HA configuration.
If we start the HA-Sync Module then the firewall sends huge number of
broadcasts on UDP port 8116 with a MAC-Address like FE:1 to all the
connected networks. In 4.1 we can reduce this traffic to interfaces in the
sync.conf.
Hello
We use FW NG on Solaris 8 in a HA environment.
After installing the FP1 on the enforcement point the following error
appeared:
Start cpshared
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started
Start fw-1
ld.so.1: fw: fatal: relocation error: file fw:
Hi,
WinNT4 About VPN1 4.1 build 41710.
The following scenario is working well while using
ID_IPV4_ADDR.
I'm trying to do IKE using Aggressive Mode, using
ID_USER_FQDN, using certificate.
I'm sending on the ID_USER_FQDN field a string
which contains the user name that I've defined on
Title: Message
Block all access to the 206.142.53.0 network, class C. Morpheus.
213.248.112.0 for KaZaA
64.245.58.0 and 64.245.59.0 for AudioGalaxy
All Class C - this came from a website I found -- said if you block these IP
ranges then the clients will not function as they cannot
Hi, All
I have a problem with Nokia IP 650 now.
The problem occurred when I was viewing a log on log viewer
of Management console.
When I was exporting logs by text form to Client PC,
log viewer froze , and so I aborted dealing with it.
But after it , when I tried to access Management Server
have you tried fwstop, fwstart ?
From: usui [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [FW-1] Nokia IP 650 Problem
Date: Fri, 15 Mar 2002 02:29:32 +0900
Hi, All
I have a problem with Nokia IP 650 now . ( FW-1 v4.1
You'll need to get in touch with checkpoint, have a look at their website.
This is so that they can issue you with a license based on the new ip.
You'll then need to stop the fw service, change the ip of your nt box, enter
the new license key for the new ip, start the fw and re-configure the ip
Hi, All
I have a problem with Nokia IP 650 now . ( FW-1 v4.1 SP2)
The problem occurred when I was viewing a log on log viewer
of Management console.
When I was exporting logs by text form to Client PC,
log viewer froze , and so I aborted dealing with it.
But after it , when I tried to access
Title: RE: [FW-1] secure remote and adsl howto ...
should be very straightforward as long as your ISP allows IPSec
passthru...
Erik Goldoff Systems Manager The HoneyBaked Ham Company 678-966-3320 [EMAIL PROTECTED]
-Original Message-
From: Andrade Guerra, Marcelo [mailto:[EMAIL
Title: Message
I thought kazaa and the like are p2p? Surely they don't use a 'central'
server?
-Original Message-
From: Ed Davidson [mailto:[EMAIL PROTECTED]]
Sent: 14 March 2002 17:50
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Does anyone know how to block Kazaa, Morpheus
Title: Message
Check Point blocks traffic bound for port 1214 by default, so you shouldn't even need
a rule to block Kazaa and Morpheus. You would actually have to have a rule
which allows them access to port 1214 in order for them to work. We have them
blocked and didn't need a rule to do
fwstop; fwstart
Chris
-Original Message-
From: usui
To: [EMAIL PROTECTED]
Sent: 3/14/02 12:53 PM
Subject: [FW-1] Nokia IP 650 Problem
Hi, All
I have a problem with Nokia IP 650 now.
The problem occurred when I was viewing a log on log viewer
of Management console.
When I was
Hello:
Some of users from Office want to make NetMeeting session
with the users working from home. At present it is stopped at FW-1 4.1. But, I
want to know that what are security breaches if we open it? What is the best
way highly secure to enable it? What if we enable it from
Dear Joe,
Thank you for your early reply !!
I have not tried yet what you told me.
Could you guess what caused this problem ?
thanks !
- Original Message -
From: "Joe Bloggs" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 15, 2002 2:53 AM
Subject: Re: [FW-1] Nokia IP 650
Well I don't agree with that. We are running 2 x ip520 with NG fr1 without "almost" any
problems. Policy install took something like 10 sec for 20 rules.
Well imo state sync works fine and you actually can set it up really easily ( 10 min ). Just waiting for
fr2 to come so I can control
This is assuming that you licensed the external IP. If you licensed the
internal IP, you should not have to worry about it. Just do the stop,
change the IP, start the firewall. On the management console, do a SNMP get
for the interfaces. Adjust Anti-Spoofing as needed if you use it.
Haven't
Title: Message
What rule is allowing them to go out? Check that rule. Your clean up rule
would normally dis-allow access to those ports, unless specifically allowed by a
higher rule.
-Original Message-
From: Serge Vondandamo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14,
Anybody know how "Increase the buffer size for the mail headers of Firewall-1".
This is the Trendmicro (Interscan VirusWall) solution to messages with in-line
attachments sent to multiple recipients are corrupted or malformed.
We use fw-1 v4.1 SP5
J. A. Cosenza
Title: Message
Hi,
I do not have a rule which is allowing that traffic and I do not use default
configuration on firewalls.
By the way, I used the IP range as suggested by Ed and that solved my problem for
now.
I will later on try to find out why the blocked ports were allowing that
Can anyone recommend a good linux box for FW1/NG?
Thanks,
Jim Driskell
You must have Checkpoint Gods looking over your shoulder. I have talked to a
few Nokia reps and all have told me my "sluggish" response from my 530's and NG
are "normal" and should be fixed soon. I'm glad things work for you.
I wish our setup worked better, but I don't know what else to do.
Title: Message
look in your logs to see what rule accepted the traffic. That should answer that question for
you.
Steve Schuster
Midwest ISO Security Analyst
-Original Message-
From: Serge Vondandamo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 4:05 PM
To: [EMAIL
you must have a userid/password to get to these documents. is there a
generic way to get in or what must one do to get into this site. the public
access is not always that great.
-Original Message-
From: Aeon Hale [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 1:37 PM
To:
Hi,
This may be one for the archives, but I am having an issue with accessing
the mailing list archives right now. That is being dealt with. So, in the
interim, I thought I'd ask about duplicate IP addressing issues with
Firewall 1.
I had sort of a two-fold question with regard to FW-1 and
configure IP NAT Pool in your office firewall. It should solve the
duplicate IP address issue.
Regards
Thomas Leong
-Original Message-
From: Rich Quinn [SMTP:[EMAIL PROTECTED]]
Sent: Friday, March 15, 2002 8:53 AM
To: [EMAIL PROTECTED]
Subject:[FW-1] Dupe IP addresses.
Will this be the nightmare that I foresee, or does Firewall 1 take all this
into account somehow.
Or is there something I need to do via Voyager or the Policy GUI to
eliminate this Duplicate IP addr problem.
Is there any way around this besides enforcing upon all 50 of my clients to
all use
May I know what is the name of the special software to be installed on the
firewalls for the high availability? If I have the software maintenance
contract, can I download it?
In order to configure HA, you need to install special software on the
firewalls. This software handles the actual
One must have a valid support license with CP or a CP reseller. If you do,
it's trivial to get an ID. If not, CP doesn't want anyone in there and
public support is the only official option I know of.
Chris
-Original Message-
From: Wyatt, Kenny, ITS
To: [EMAIL PROTECTED]
Sent: 3/14/02
If you want to stick with version 4.1, try looking at www.intrusion.com
They have some great appliances that have a stripped down version of Linux.
It can also handle a very heavy load.
The disadvantage is that you can't really modify the box or haven't seen
upgrades to NG yet. But very stable.
IP pools are not meant to address this issue, as Don stated. Their use is a
limited technical solution to a specific set of issues. What is meant to
address this issue though, CP FW-1 NG Office Mode aside, is proper
organizational security policies. You need senior management buy-in in
support
proper
organizational security policies. You need senior management buy-in in
support of your reasons in dealing with your territorial lot of home users
as you see and justify as necessary.
Just because you _can_ doesn't make it right.
That, in a nutshell, is what it all comes down to. If
Hello,
at first I am the same opinion as Dimitris, you better use another strategy
for policy.
But anyway if you don't want to change it, blocking tcp and udp port 1214
does not prevent users from using kazaa or morpheus. These applications can
use socks proxies for connecting, so if a user has