You have to run
$FWDIR/bin/fw fwm -g *.W
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]] On Behalf Of Fire Waller
Sent: Tuesday, October 01, 2002 6:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Problems merging back my_rule.W into
Hello guys,
I have problems after installing FP3 on a redhat linux 7.3 box with 2.4.18-5
kernel (the kernel from the releasenotes).
After upgrading my FP2 box with FP3 I cannot install the policy. I get the
error message:
Target localhost is not defined as an NG module, please use the -l flag
RFC addresses are the same as private, non-routable addresses: 10.0.0.0/8
172.16.0.0/12 and 192.168.0.0/16
UDP encapsulation is set on the SecuRemote/SecureClient software: Tools
Advanced IKE Settings.
Take a look at www.phoneboy.com and search the FAQs for SecureClient and
NAT for a full
Title: NG FP 2
Has anyone had much experience of the latest release from Checkpoint for Windows?
Does anyone know if it will work with Stonebeat Full Cluster 3.0?
We have basically two Checkpoint NG FP2 Enforcement modules and one management module all on NT4 SP6a. We have had numerous
Have you checked your firewall object and changed it to NG FP3?
(It was probably defined as NG FP2 earlier.)
Try Get Version
Regards,
Torkel
-Original Message-
From: t-systems-fitz [mailto:[EMAIL PROTECTED]]
Sent: 2 October 2002 09:39
To: [EMAIL PROTECTED]
Subject: [FW-1]
The telnet banner is set in /etc/gettytab by using the im (initial
message) capability. All IPSO terminals use the default entry, which
looks like this:
default:\
:cb:ce:ck:lc:fd#1000:im=\r\n IPSO (%h) (%t)\r\n\r\n:sp#1200:
This produces the following initial banner.
---
IPSO
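Added example, not from the post above: a small Python parser for the gettytab entry format quoted above (colon-separated capabilities, backslash continuation lines), used to read and replace the im capability. The sample entry is the one quoted; the replacement banner text is an assumption. Dropping the %h and %t expansions stops the login banner from announcing the hostname and terminal type to anyone who can reach the port, which is the usual reason to touch this entry.

```python
import re

# Constructed sample: the IPSO default entry quoted in the post, as it sits on disk
# (the backslashes are literal characters in the file, not escapes).
SAMPLE_GETTYTAB = (
    "default:\\\n"
    "\t:cb:ce:ck:lc:fd#1000:im=\\r\\n IPSO (%h) (%t)\\r\\n\\r\\n:sp#1200:\n"
)


def _entry_span(lines, name):
    """Return (first, last) physical line indexes of the entry called `name`.

    An entry is one logical line; a trailing backslash continues it on the
    next physical line. Comment and blank lines are skipped.
    """
    i = 0
    while i < len(lines):
        start = i
        while i < len(lines) - 1 and lines[i].endswith("\\"):
            i += 1
        end = i
        i += 1
        first = lines[start]
        if first.startswith("#") or not first.strip():
            continue
        # The name field may list aliases separated by '|', e.g. "default|std".
        if name in first.split(":", 1)[0].split("|"):
            return start, end
    raise KeyError(name)


def get_im(text, name):
    """Return the im= (initial message) value of entry `name`, or None if absent."""
    lines = text.splitlines()
    start, end = _entry_span(lines, name)
    joined = "".join(l[:-1] if l.endswith("\\") else l for l in lines[start:end + 1])
    for cap in joined.split(":")[1:]:
        if cap.startswith("im="):
            return cap[3:]
    return None


def set_im(text, name, banner):
    """Return `text` with the im= capability of entry `name` replaced by `banner`.

    Layout and every other capability are preserved. A colon would end the
    capability early, so it is rejected rather than silently corrupting the file.
    """
    if ":" in banner:
        raise ValueError("banner must not contain ':' (capability separator)")
    lines = text.splitlines()
    start, end = _entry_span(lines, name)
    pattern = re.compile(r"(^|:)im=[^:]*")
    for i in range(start, end + 1):
        if pattern.search(lines[i]):
            # A callable replacement avoids backslash processing of `banner`.
            lines[i] = pattern.sub(lambda m: m.group(1) + "im=" + banner, lines[i], count=1)
            break
    else:
        raise KeyError("no im= capability in entry " + name)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", get_im(SAMPLE_GETTYTAB, "default"))
    hardened = set_im(SAMPLE_GETTYTAB, "default", "Authorized use only")
    print("after: ", get_im(hardened, "default"))
    print(hardened, end="")
```

The %h/%t escapes are expanded by getty at connection time, so the only place to remove the disclosure is the im= string itself; keep a backup of the real file before writing the result back.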
Hello!
We want to support over the Internet remote sites via MSN VPN Clients (PPTP)
from our Internal (non-routable) Network.
However, we do NOT want to allow any host from the Internet to initiate any
connection to our Clients.
Could someone help me understand how we should configure our
Hi,
I already checked it, the management object is defined as NG Feature Pack 3.
I also used the pre_upgrade_verifier before upgrade and
post_upgrade_verifier after the upgrade, and there were no errors.
best regards fitz, CCSA/CCSE
-Original Message-
From: Torkel Mathisen
Hi,
a) check your configuration - filter.nat / filter-nat.conf vs. FW-NAT
Rulebase
b) check your rulebase - set frequently matched rules to the top
c) check FW-connection table size (NAT) and perhaps increase
d) check your routing - especially are there any ICMP-packets
(echo-request) passing
Is there a way in checkpoint NG to have a source or destination be the
internet or the outside interface. Or is the way to do it to pick every
network that isn't the outside and negate the cell? I just want a rule to
go from our inside LAN out to the Internet, and the only way I was told you
can
Hi ..
Can I do this .. ?
I buy FW-1 unlimited license ...
and
then
I add VPN module license for 25 user ?
:-))
=
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set
Destination: Any
Regards,
Torkel
-Original Message-
From: Ted Rakiewicz [mailto:[EMAIL PROTECTED]]
Sent: 2 October 2002 13:31
To: [EMAIL PROTECTED]
Subject: [FW-1] is there a universe
Is there a way in checkpoint NG to have a source or
destination be the
internet or the
Yes, you can do that with negate:
internet = negate [ all network that firewall know ]
At 07:31 AM 10/2/2002 -0400, you wrote:
Is there a way in checkpoint NG to have a source or destination be the
internet or the outside interface. Or is the way to do it is pick every
network that isn't the
I'm currently running FP1 on a Nokia IP330, and want to implement NAT
only on one interface (out of 4). I will need to static map back about
10 addresses, and have the one default just many--one out (in addition
to the other 3 ethernet interfaces on the Nokia that are NOT using
NAT).
Is there
Hi,
Is there a way to disable session timeout completely? Or at least to
disable timeout for a particular application service port (such as port
18000-18011, for example).
Thanks
Alex
-Original Message-
From: Lars Troen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 2:04
that can also handle vpn's over NAT...
-Original Message-
From: Steve McNutt [mailto:[EMAIL PROTECTED]]
Sent: 01 October 2002 14:20
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Microsoft PPTP across address translation router
4 users? Sounds like a job for a LAN to LAN VPN.
UDP encapsulation is required with the Checkpoint Secureclient/remote to
get a VPN working over NAT. Don't know if it is a feature of Windows
2000.
I think Julian is referring to RFC1918 which stipulates the private
address ranges of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24.
Symon
hi,
i installed SecurePlatform FP3 in VMware to test it.
If I make a rule 1 with any - any - accept - log and push it, I get the
following error:
Policy: Advanced Security
Details: Load on Module failed - failed to load Security Policy.
Get Topology for the Interfaces doesn't work.
thx for help
Using the Any destination might be misleading if you live in the belief that
Any==Internet. I've seen examples of this where one such Any has overruled what was
meant and given access to devices on other interfaces of the firewall.
Lars
-Original Message-
From: Torkel Mathisen
I have the same problem. I have tried to upgrade from NG to NG FP3. After
upgrading it was not possible to connect from the SmartClient (Windows GUI) to the
SmartCenter (FW + management on a Solaris box).
I observe some problems in policy loading (one rule - all open just to test
upgrade)
where some object
Static NAT is the way to go.
You will also need to create objects for the external NAT addresses of your
one-to-one mappings in order to use them in the NAT rules.
In your NAT rules first of all you want to make sure your internal comms
between eth1, 2 and 3 LANs do not get xlated:
Source -
No! The Internet is not Any, as it includes your internal
address space. Define the Internet by creating a group with all of your
internal netblocks (as network objects) and negate the cell. You should
have as few Any's as possible in your firewall policy.
Thanks,
Abe
--
Abe L.
Is there a way to set up a VPN connection from an internal client's desktop
to an external VPN appliance without having to give the client's workstation
a static NAT? Does that make sense? Is it possible to use the external
address of the firewall while maintaining static port mappings for the
Hello guys,
I solved the problem.
Because of some problems with SecuRemote clients, discussed earlier on this
mailing list, I changed the IP address of the management object to my
external IP address. My license was for the internal IP address, and in my
/etc/hosts file was the internal IP address
On FW-1, 0.0.0.0/0 has traditionally been used for automatic NATting to the NIC address of
the firewall. I believe this feature broke with the introduction of NG, but it was
always a nice feature of at least 3.0-4.1 (not sure about earlier versions).
With Raptor you usually define the universe like
If you precede it with a DENY rule to networks you DON'T want to give
access to, you can use Any.
Eg.
Office Internal LAN, DMZ = DENY
Office Any = ALLOW
This will allow all packets which are NOT destined to 'Internal LAN' or
'DMZ'.
-Original Message-
From: Lars Troen
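Added example, not from any post in this thread: a first-match rulebase evaluator that shows the three ways of saying "Internet" that come up above (Any, a negated group of internal netblocks, and the Raptor-style deny-before-Any ordering) and what each does to a packet from the office LAN towards a DMZ host. The topology (10.1.0.0/16 office LAN, 10.2.0.0/24 DMZ, the office host and the outside addresses) is constructed for the example; the cleanup rule at the end is implicit, as on a real firewall.

```python
import ipaddress

# Constructed topology (not from the posts): everything behind the firewall.
OFFICE_LAN = ipaddress.ip_network("10.1.0.0/16")
DMZ = ipaddress.ip_network("10.2.0.0/24")
INTERNAL_GROUP = [OFFICE_LAN, DMZ]

# Sentinel for the "Any" cell; it matches every address, internal ones included.
ANY = object()


class Negate:
    """A negated cell: matches every address that is NOT in any member network."""

    def __init__(self, nets):
        self.nets = list(nets)


def cell_matches(cell, ip):
    if cell is ANY:
        return True
    if isinstance(cell, Negate):
        return not any(ip in net for net in cell.nets)
    return any(ip in net for net in cell)


def first_match(rules, src, dst):
    """Top-down, first-match evaluation. Returns (rule number, action);
    rule number None means the implicit cleanup rule dropped the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (s_cell, d_cell, action) in enumerate(rules, 1):
        if cell_matches(s_cell, src) and cell_matches(d_cell, dst):
            return number, action
    return None, "drop"


# Three rulebases that all intend "office LAN may reach the Internet".
RULEBASES = {
    # Any == Internet belief: also lets the office reach every other interface.
    "any_as_internet": [([OFFICE_LAN], ANY, "accept")],
    # Abe's advice: group of internal netblocks, cell negated.
    "negated_group": [([OFFICE_LAN], Negate(INTERNAL_GROUP), "accept")],
    # Raptor-style: explicit deny to internal networks placed above the Any rule.
    "deny_then_any": [
        ([OFFICE_LAN], INTERNAL_GROUP, "drop"),
        ([OFFICE_LAN], ANY, "accept"),
    ],
}

OFFICE_HOST = "10.1.7.42"  # constructed source address


def evaluate(dst):
    """Return {rulebase name: action} for a packet from OFFICE_HOST to dst."""
    return {name: first_match(rules, OFFICE_HOST, dst)[1] for name, rules in RULEBASES.items()}


if __name__ == "__main__":
    for target in ("10.2.0.10", "198.51.100.7"):
        print(target, evaluate(target))
```

Running it shows the DMZ host 10.2.0.10 accepted only by the Any rulebase, while the outside address 198.51.100.7 is accepted by all three; the negated group and the deny-then-Any ordering are equivalent as long as the group really lists every internal netblock, which is the part that has to be kept current when an interface is added.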
Cableone = Cable
Motorola = Open except 137 - 139 ports.
Dynamic = Yet, I keep it for more than 90 days at a time.
And, I have domain resolution to two different dynamic dns
services.
(DNS and the IP I don't think are issues.)
Yes, I have heard this about
Thanks Julian. I think I may be a bit confused... are there 2 ways of
accomplishing NAT in NG? I had thought I merely create an object
(workstation) with the internal IP of the server to be NAT'd...then I go
the properties *of that object*...fill in the NAT section..and thats it?
Or when I do
Probably depends somewhat on what VPN client you're talking about. NAT
breaks IPSec packets unless you're using UDP encapsulation, and not all
vendors' VPN clients/endpoints are capable of handling this. Some more
detail might help.
-Original Message-
From: Christopher Collins
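Added example, not from the post above or from any vendor's code: a simplified model of why address translation breaks IPsec and what UDP encapsulation changes. AH's integrity check covers the immutable fields of the IP header, so a NAT rewrite of the source address invalidates it; plain ESP's check does not cover the IP header, but ESP has no transport ports, so a many-to-one (hide) NAT has nothing to vary and can carry only one inside host; wrapping ESP in UDP gives the NAT a port to rewrite while keeping the rewritten fields outside the integrity check. The key, addresses, port number and truncated HMAC-SHA256 are assumptions for the model, not the real AH/ESP algorithms or Check Point's encapsulation format.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-sa-key"   # assumed SA key for the example only
PUBLIC_IP = "198.51.100.1"         # NAT router outside address (TEST-NET-2)
PEER = "203.0.113.9"               # remote VPN gateway (TEST-NET-3)
UDP_ENCAP_PORT = 4500              # arbitrary for the model


def _packed(ip):
    return ipaddress.ip_address(ip).packed


def ah_icv(key, src, dst, payload):
    """AH: the ICV covers immutable IP header fields (here src/dst) plus payload."""
    return hmac.new(key, _packed(src) + _packed(dst) + payload, hashlib.sha256).digest()[:12]


def esp_icv(key, esp_body):
    """ESP: the ICV covers only the ESP header/payload/trailer, never the outer headers."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]


def build(proto, src, payload, sport=None):
    """Build a packet dict as the inside host's IPsec stack would send it."""
    pkt = {"proto": proto, "src": src, "dst": PEER, "payload": payload}
    if proto == "ah":
        pkt["icv"] = ah_icv(KEY, src, PEER, payload)
    elif proto == "esp":
        pkt["icv"] = esp_icv(KEY, payload)
    elif proto == "udp-esp":                      # ESP carried inside UDP
        pkt["sport"], pkt["dport"] = sport, UDP_ENCAP_PORT
        pkt["icv"] = esp_icv(KEY, payload)
    else:
        raise ValueError(proto)
    return pkt


def hide_nat(pkt, table):
    """Many-to-one NAT. Rewrites the source address (and source port when there
    is one). Returns None when the flow has no port and the (public IP, protocol)
    slot is already mapped to a different inside host."""
    out = dict(pkt)
    out["src"] = PUBLIC_IP
    if "sport" in pkt:
        out["sport"] = 40000 + len(table)         # a fresh public port per flow
        key = (PUBLIC_IP, "udp", out["sport"])
    else:
        key = (PUBLIC_IP, pkt["proto"])           # nothing to vary for AH/ESP
        if key in table and table[key] != pkt["src"]:
            return None
    table[key] = pkt["src"]
    return out


def verify(pkt):
    """What the remote gateway checks on receipt; AH recomputes over the
    headers as they arrived, i.e. after any rewrite on the path."""
    if pkt["proto"] == "ah":
        expect = ah_icv(KEY, pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expect = esp_icv(KEY, pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expect)


def demo():
    results = {}
    table = {}
    ah = build("ah", "10.1.1.5", b"ah-protected data")
    results["ah_before_nat"] = verify(ah)
    results["ah_after_nat"] = verify(hide_nat(ah, table))

    table = {}
    esp1 = hide_nat(build("esp", "10.1.1.5", b"esp body 1"), table)
    esp2 = hide_nat(build("esp", "10.1.1.6", b"esp body 2"), table)
    results["esp_host1_after_nat"] = verify(esp1)
    results["esp_host2_translated"] = esp2 is not None

    table = {}
    u1 = hide_nat(build("udp-esp", "10.1.1.5", b"esp body 1", sport=4500), table)
    u2 = hide_nat(build("udp-esp", "10.1.1.6", b"esp body 2", sport=4500), table)
    results["udp_esp_host1_after_nat"] = verify(u1)
    results["udp_esp_host2_after_nat"] = verify(u2)
    results["udp_esp_distinct_ports"] = u1["sport"] != u2["sport"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two sides also have to agree on the encapsulation, which is why a client or gateway that does not implement it (the question about the Windows 2000 client above) cannot be fixed on the NAT router alone.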
Woops, I got that wrong, it's 192.168.0.0/16 not/24 :)
Cheers,
Symon
-Original Message-
From: Symon Thurlow
Sent: 01 October 2002 19:43
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Microsoft PPTP across address translation router
UDP encapsulation is required with the Checkpoint
I ran ldd against /opt/CPclnt-50/bin/FWui and all of the libraries
EXCEPT libcpopenssl.so show proper association (i.e., libckpssl.so =>
/opt/CPclnt-50/lib/libckpssl.so). On the entry for libcpopenssl.so,
ldd shows this:
libcpopenssl.so => (file not found), but if you look in the
More completely:
The private address ranges are specified by RFC 1918.
If some one says RFC addresses, they *usually* mean to
refer to this specification.
Dave Gillett
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]]On
Behalf Of
Hey guru's,
I should be upgrading our IP440 from IPSO 3.3 with FW-1 4.1 SP3 to IPSO 3.5 with FW-1
4.1 SP6 this week and I've a couple of quick questions.
I've made mods to some FW-1 files (eg base.def) and have installed an Internal CA for
hybrid Ike.
Will these carry over to the new config,
Yes, as long as you're using IKE and UDP encapsulation for your VPN connection.
Lars
-Original Message-
From: Christopher Collins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 16:28
To: [EMAIL PROTECTED]
Subject: [FW-1] Internal client VPN to External VPN box
Is
Hi,
I have a fairly simple question. We're putting Viruswall in place using CVP.
The antivirus is in a private area right off the FW. We have only 1 server
running the AV. If the AV server fails, what happens to the traffic? Is it
stopped? Is it allowed through? Can I configure Checkpoint to
Title: ClusterXL
Hi Gurus, where can I find the configuration document for ClusterXL and HA???
Thanks
I experienced the weirdest thing just now and it's kind of an emergency
here.
One of the global rules managed to get into the rulebases for our firewalls.
All of them. It's the global cleanup rule that is now actually IN (at the
bottom of) all our firewall rulebases.
When I try to unassign the global
The only way we could get this to work on our NG FP 2 Firewall was by
configuring the ACE server as a Radius Server.
-Original Message-
From: Yim Lee [mailto:[EMAIL PROTECTED]]
Sent: 30 September 2002 17:26
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] NG FP2 and SecurID Authentication
At 12:20 PM 10/2/02, Messier, Michel wrote:
Hi,
I have a fairly simple question. We're putting Viruswall in place using CVP.
The antivirus is in a private area right off the FW. We have only 1 server
running the AV. If the AV server fails, what happens to the traffic? Is it
stopped? Is it
What does it actually say when you select remove global policy?
Is the GUI active or something like that? If someone is using Policy Editor on
that CMA, you of course can't uninstall the global policy.
You could also try to configure that global policy (delete that cleanup
rule) and then save and try
Layne Meier wrote:
I ran ldd against /opt/CPclnt-50/bin/FWui and all of the libraries
EXCEPT libcpopenssl.so show proper association (i.e., libckpssl.so =>
/opt/CPclnt-50/lib/libckpssl.so). On the entry for libcpopenssl.so,
ldd shows this:
libcpopenssl.so => (file not found), but if you look
I am not sure with NG, but many vendors will negotiate to the lowest
common denominator. In other words, the two would agree on the lower SA
expiration value. You should be able to dump traffic and see what they are
trying to negotiate.
-Aaron
-Original Message-
From: Lien, Alex
There is a known bug in SP6 that affects the security servers (smtpd, httpd,
isakmpd). Essentially, it is some sort of memory leak that causes the
processes to run away with CPU utilization requiring a kill -9 to recover.
Checkpoint has provided no solution that has worked for this problem.
SecurePlatform is not designed to be used under VMware, and because of the way it
binds the NIC drivers, I don't think you'll have much luck. A+ for creativity, though!
===
Frank Darden
Chief Technology Officer
Mission Critical Systems
3320 NW 53rd St. Suite
Hi all,
I have an NG FP2, and it is dropping some packets with
this message:
Connection contains real IP of NATed address
This occurs in some customized services...
I believe that this happens because the FW-1 doesn't know
the protocol, and some address information is inside
the packet, however in
I've used FP2 on SecurePlatform; I'll have to test FP3.
-Original Message-
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]] On Behalf Of Frank Darden
Sent: 02 October 2002 22:05
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Secure Platform FP3
SecurePlatform is not
Little behind in my email. Care to let me know how
you have improved the script.
Yim
--- Andrei Grant [EMAIL PROTECTED] wrote:
Thx Yim Lee,
I've now slightly modified your script.
Dre :-
-Original Message-
From: Yim Lee
Subject: Re: [FW-1] Backup Management station
Try
Hi,
I just upgraded my management server to NG FP3. So far the upgrade from FP2 went fine
(some errors which could be resolved...), however I don't get any logs from v4.1 SP5
modules. So I redid the initialization of the shared secret using the GUI for management and fw
putkey on each module.
Putkey seems
Hi Gurus,
Is it possible to install Customer Log Module and VPN-1 Module in the same machine
(Sun - Solaris 8 - NG FP1)?
Thank's
Hi,
I will setup a site to site VPN tunnel between 2 Checkpoint NG FW.
--
Site A
|
Checkpoint NG FP2(Redhat 7.2) FW
|
|
Internet (VPN Tunnel)