Hi,
You need to create a service to allow the GRE protocol, as follows
(cut from a previous mail in this list):
http://www.phoneboy.com/fw1/faq/0321.html
PPTP
Q:
How can I make FireWall-1 work with PPTP?
A:
You must add a rule permitting access between your PPTP clients and server.
Did anybody succeed in stripping MIME types using the SP3 new feature and would
care to elaborate?
Hey all,
I have a very strange issue that I would like to run past you all. About 2
weeks ago, we noticed that the internet browsing on PCs started to become
extremely slow. I fire up my browser and type in a URL like www.sun.com. The
PC waits and waits and after about 25-30 secs, just then seems to f
Hi Ivan,
If I understand the question correctly... VLANs are not a security
mechanism but simply a way to have multiple logical networks on one physical
device (in their most common use). They introduce _no_ security into the
environment. You could really say that they actually decreas
Good $daytime,
Let me bring back the ruleset:
> - priv_dmz2_tmvw, pub_dnsservers, dns, allow
> - any, priv_dmz2_tmvw, smtp, allow
> - priv_dmz2_tmvw, any, smtp, allow
> - any, pub_intra_mail, smtp->ZR_TMVW_SMTP,allow
> - priv_intra_mail, any, smtp->ZR_TMVW_SMTP,allow
>> This way priv_dmz2_
Make sure that you set the default gateway on the AS/400 to allow it to
return the tcp communication.
-Jason
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Pires, Michael
Sent: Tuesday, February 13, 2001 4:02 PM
To: 'John Delano'; [EMAIL PROTECTED]
Sub
Hello all,
I currently have a Solaris 2.6 running FW-1 4.0 as
a stand-alone. I have purchased and gotten the licenses for an Enterprise
edition of FW-1 4.1. I am planning to move the Management console to an
NT box, and use the current box as the firewall module. I was hoping that
some
Hello,
I'm new on the list. Before submitting this message I browsed the archive
and found more or less similar problems but none exactly matching so I hope
to find an answer yet...
Sending data to a newspaper's server secured on my end by Check Point's
VPN-1 SecuRemote client (version 4.1 SP-2
Hi FW1 List,
I have Solaris 2.6; FW1 v4.1 SP3
I use Websense, therefore, FW1's HTTP Security Server.
Whenever I re-install a policy, WWW browsers cannot
browse. They get that blank page/error from the
firewall that says:
FW-1 at firewall: Access Denied
The ahttpd.elg log file logs the followi
Michael;
If these sites use L3 switches, would VLAN provide the same level of
security as VPN?
Thanks,
- Original Message -
From: "Michael Batchelder" <[EMAIL PROTECTED]>
To: "Ivan Fox" <[EMAIL PROTECTED]>
Cc: "Firewall-Wizards@Nfr. Net" <[EMAIL PROTECTED]>;
"Firewalls@Lists. Gnac. Net
My first question to you, Mona, is what is the dedicated point to point
connection for? If it is used for sensitive information between sites, do
you REALLY want it to fail-over to going across the internet? If it isn't
an issue, you may investigate in the future a pair of internet connections
To all:
I have the following
question:
Is it
possible to have a user authenticate via SecurID to download the topology using
SecuRemote Hybrid mode for IKE?
I have the
following config:
Two Nokia
IP650s running Nokia IPSO 3.3 with CheckPoint 4.1 SP2.
Let's say there are 3 sites in series, i.e., A --> B --> C. Each site has its
own subnet and Check Point VPN-1. Can I set up a continuous VPN using Check
Point VPN-1 starting from A and ending at C?
Any pointers are appreciated.
Ivan
I am on an E450 with 1 GB of memory on Solaris 2.6
with CheckPoint 4.1 SP2. The system is not very heavily
loaded (about 70% idle). I was wondering what is the
latency between going through the fw and not going
through the fw.
Thanks for your help.
Yim
Title: More network neighborhood browsing questions
With 98 you need to make sure that the Client for MS Networks is installed and that
the users are putting in their account information and hitting OK (not cancel)
at both the initial logon screen and the "No Domain server..." screen that
fo
Title: More network neighborhood browsing questions
3 easy steps (assuming dial-up 98 clients)
1.
Dial ISP with the Msoft Dial Up Icon with a WINS entry in its server
properties.
2.
Authenticate yourself to the Firewall.
3.
Log on to the Windows network (name, password, domain) when the
Title: More network neighborhood browsing questions
They are 98 clients and I don't think they are authenticating.
My problem is with the order of operations I guess. When the client boots do they
need to enter the same domain password in their windows logon? Then when they
dial up to the ISP
Hi,
In my opinion, if you want to have access from the Internet to your AS/400 you
must check the following:
- add a route to your firewall on the AS/400 (CFGTCP menu, work with routes
option)
- Add a rule that enables traffic between your external Workstation (Internet
side) and your NATed AS/400
-
Every time you change your rulebase you should save as, and update the name
so that you can roll back to a specific rulebase if needed. I use a datetime
convention to save the rulebase for just that reason.
-Shad
-Original Message-
From: felix [mailto:[EMAIL PROTECTED]]
Sent: Tuesday,
Hi, Shad:
I simply lost my rulebase, I have to rebuild a new rulebase from the
very beginning. I upgraded my GUI. The only thing that may be of concern was that I
forgot to shut down my FW-1 services when upgrading SP2 or SP2. CheckPoint
said they can fix the problem by running a command, like:
Man, I worked with AS/400 in my past life. Can you specify more information on
your network setup? If you are using static NAT did you do the necessary
route add on the firewall and also the publish arp? arp
pub
As for just this type of setup I don't think you need to do anything on the
AS/400.
Hello
Does anybody know if FW-1 4.1 runs over IPSO 3.1.4-FCS1 ·681 07.02.99 184834?
Best Regards,
Matias
How will I be able to update a route table between an inside and outside
router through fw-1. I wanted to configure load balancing between the 2
routers.
The exact scenario is:
Inside router serving local subnet traffic to central office over serial
point-to-point
Routing of external traffic
If there is a network card in the PC ensure that TCP is not bound to the
network card or that there are no settings in the TCP properties for the
network card. This can impact on dialup and WINS settings, default gateway,
DNS etc. Make sure these are all defined in the properties for the dialup
co
Using Secure Remote with Secure ID
We are currently using FWZ encryption with Secure ID.
All of my users except for one can get authenticated
by the Secure ID server.
He is receiving the following error message and the
error message also appears in the FW log:
Access Denied by SecureID
New PIN
Hi
0. install a suse7 minimal installation
+ components which are needed for compiling a new kernel
(Don't ask me which components, YOU should be familiar with the linux os, if
you want to run stuff like fw1)
1. you need to compile a kernel yourself
-
Title: More network neighborhood browsing questions
Yes, you can do that, but it is not required.
The networking box will still pop up allowing you to log on to your NT domain after
you authenticate yourself to the firewall.
Another alternative is to use tweakui and not worry about it all!
hi vitaly
this was the only way how the trendmicro viruswall smtp service and f/w 1
and cvp protocol were going to run without any problems. if you have any
other idea, i love input for input.
hints to my interpretation of the working and failures of the fw1-sendmail
daemon i found at trendmicros su
Yes, I tried that, but the rulebase can't be overwritten, the GUI prompts me
with an error: Rule Base name already exists!!!
Do I have to rename it every time?
Thanks!
Felix Xia
Network Administrator
North American Quotation
Tel. 519 6574300 ext. 233
Fax. 519 6573331
Company - www.naq.com
Pe
In a scenario with only ONE external IP, and that being a
non-negotiable factor, I would be partial to either:
a) locate a trusted SMTP server at another site and only trust that
one for incoming, or
b) replace win2k with solaris and install a *VERY* locked down relay
on it. (Postfix being my
Title: More network neighborhood browsing questions
Which OS are the clients using, and are they authenticating to an NT
domain?
-Original Message-
From: Pope, David [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 3:31 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
S
Title: More network neighborhood browsing questions
I have the same browsing problem although I can't even use the \\server technique!
I get the error "Not logged onto the domain" or "The sharename can not be
found"
Does the WINS server need to have an external address so that the dialup connecti
I've got a very strange problem with a CP 4.0 firewall on Solaris with
build 4094 (SP5) (I need to get to at least SP7, I know).
I've searched all the available archives of this list and have seen
only posts with the same problem, but no solutions.
fw lichost consistently shows EXTERNAL a
It's not NAT.
It's Fw-1 security server.
Michael.
-Original Message-
From: Tim Holman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 4:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW1] FW-1 / SMTP / Static NAT / SINGLE IP Address
Anyway - I don't think this wouldn't have wor
Title: More network neighborhood browsing questions
I've seen this before. The problem is that the browse list is too slow to compile
when using the VPN connection, so it times out and shows you nothing instead.
UNC names (\\server) are the way to go.
-
CQ
-Original Message-Fr
Good $daytime,
> Date: Mon, 12 Feb 2001 16:41:14 -0300
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [FW1] CPMAD
> Anybody knows How I can set up CP MAD, and If I need something to
> activate?
Look at 'Getting Started' book, page 30. If I recall properly, it is
enabled after in
Title: More network neighborhood browsing questions
Put a WINS entry in your dial-up entry ...
Andy David
J. Muller International / Egis, Inc.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 2:43 PM
To: [EMAIL PROTECTED
I upgraded to SP3 without any problems, it actually fixed some problems.
Running on NT 4.0 SP5.
Here is a silly question, did you lose your rulebase or were you simply
unable to reach it via the GUI?
Did you install the SP3 upgrade for the GUI client?
-Shad
-Original Message-
From: felix
Good $daytime,
> Date: Thu, 8 Feb 2001 22:44:52 +0200
> From: Mario Kadastik <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [FW1] More than 1 external subnets techniques
> a) When adding an iface hme0:1 with the new subnet, it won't be
> pingable ...
Don't you forget to bring it UP?
Good $daytime,
> Date: Mon, 12 Feb 2001 21:48:47 +0100
> From: "Sommerfeld, Frank" <[EMAIL PROTECTED]>
> To: 'GARCIA Frédéric' <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
> Subject: AW: [FW1] SMTP troubles with FW-1, eSafe and a Notes SMTP Relay
> the problem is the sendmail daemon from check
I certainly hope this isn't some sort of braindump type setup.
Nothing worse than the "paper" SEs invading yet another certification
that I have worked hard for.
I am thinking that all certs should require lab work like the CCIE.
- Original Message -
From: David C. Die
Title: More network neighborhood browsing questions
Hello all,
I am trying to set up SecuRemote 4.1 SP2 3DES (build 4166). My FW-1 4.1 SP2 is running on NT4.0 SP6a. I did everything documented in CP's references and successfully downloaded the topology from the FW-1. I can use \\computerna
Hi all:
Each time I apply a service pack I lose my rulebase, how can I apply SP3
correctly?
I heard SP3 has some bugs, do you guys think it is ok to upgrade from SP2 to
SP3?
Thanks!
Felix
Diemer is right, the actual test is kind of freaky with its no correct answers
on some questions. I too studied the Boson exams and passed both the SA and the
SE on the first try with an 80% and a 77% on each respectively.
-Original Message-From: David C. Diemer
[mailto:[EMAIL PR
I have taken both the CCSA (passed on the 1st try) and the CCSE (missed on the
first try).
The software test from Boson, replete with misspellings (for example, RCZ
instead of RC2), answers with only 1 choice (happened once), answers
where all the answers were treated as wrong even though
I have checked this but does not make any difference. Host is resolved
in the host column, but not in the "Info" one where you get something
like: resource http://ip.number/
> -Original Message-
> From: Langa Kentane [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2001 1:2
Re-bind the network adapters via the secure remote client(under
tools)...Usually solves it for me...
At 06:17 PM 2/13/01 +0100, Hartmann, Josef wrote:
>
>Oh I did not mean "cannot login to domain using securemote" but just after
>installation on a computer the casual domain logon without SecuRe
On the log viewer's drop down menu, go to SELECT, OPTIONS, RESOLVE
ADDRESSES.
Warning: Displaying log entries will now be slow because of the DNS queries
to be made.
Hope this helps
-Original Message-
From: Iztok Umek [mailto:[EMAIL PROTECTED]]
Sent: 13 February 2001 6:48 PM
To: [EMAIL
Hi all,
I'm in the process of testing FW1's Service Pack 8 before we install it on
our production servers, and I noticed a strange behavior in the NT GUI
preventing anyone from correctly editing a rule, which I'm surprised nobody
else noticed, so here it is:
I have the following rule in my ruleb
I've got two users who can't seem to stay connected to my LAN through their VPN
connection. They have the following configuration in common:
W2K Workstation --> hub --> Cisco 575 aDSL Router --> Internet -->
IP330 firewall --> LAN.
What happens is they connect to the firewall and get
Oh I did not mean "cannot login to domain using securemote" but just after
installation on a computer the casual domain logon without SecuRemote does
not work properly.
> -Original Message-
> From: Gaughan, Daniel [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2001 6:16 PM
> To:
Hey Arizona and Indiana residents out there,
This is a little OT I'm afraid, but I'm wondering what people do in AZ and
IN whose states are not part of the same time zone for the whole year? Do
you have to change your FW's NTP server twice a year to be in the
appropriate time zone? Any hints app
Investigate SDL. On the password tab of SecuRemote.
Daniel Gaughan
-Original Message-
From: Hartmann, Josef [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 10:55 AM
To: [EMAIL PROTECTED]
Subject: [FW1] SecuRemote cannot login to NT Domain?
Hi,
I just installed SecuRemote
Hi,
Does anyone in here know whether the IP650 can run GRE tunneling or not?
If yes, how can I configure this GRE together with the use of Checkpoint Point to
Point Encrypted VPN?
Thanks
Best regards,
martin
Another thing is to do more logswitches to keep the
log smaller.
Yim
--- "Vincent, Mike" <[EMAIL PROTECTED]> wrote:
>
> One thing that can be done to make the log viewer
> faster is to uncheck
> "resolve addresses" in the options if you have not
> already done so. The
> only down side to that
I've used http://www.phoneboy.com/fw1/faq/0103.html to set up logging of
URLs (FTP/HTTP). Now it logs with http://ip.number/rest.of.url
How do I make it log as http://host.domain/... instead?
Regards,
Iztok
Anyone know how to change the certificate used by the HTTPS security server?
The certificate that it's using now seems to be issued by the firewall itself.
Hi,
I have to setup SecuRemote in a distributed firewall env.
There is one mgm srv and more fwd modules. fwd modules are interconnected
using a few nets. The MGM server is in one of those. Moreover another one is
used for internal traffic.
Now I would like to download userc.C file for one of th
Create the TCP/UDP port range by using the "Port" in the Services->New and
not the "Port Range". You can define the port range as "1024-65535" or
">1024" and both would work fine.
-Original Message-
From: Thomas Borger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 7:25 A
I had two problems with passive FTP on FireWall-1 ver 4.0 SP5
(1). If the data port (which is greater than 1024) happens to be a
defined port in your firewall's objects.C table then the firewall would drop this.
(2). If the FTP client using passive FTP was transferring a large number
Hi,
I just installed SecuRemote (on NT4sp6) however the Domain Controller cannot
be found during the first login. Setting the regkey
HKLM\SYSTEM\currentcontrolset\services\LanmanWorkstation\DependOnService
(String) to FW1 using regedit did not change anything!
Any hints?
Cheers,
Josef
Does anyone know of a CP document detailing a SecureRemote/Client
deployment? There were numerous config and troubleshooting docs in the CP
knowledge base but nothing that seemed to describe how to bring SR to the
masses. Thanks for any pointers.
Chris
Hello,
This is what I have:
my site: SOURCE_HOST -> FW_0
my customer: FW_A -> FW_B -> FW_C -> TARGET_HOST
FW_C is not directly reachable over the internet, so I am not able to
establish a VPN between FW_0 and FW_C, but we would like to encrypt the traffic from
SOURCE_HOST to
Besides NBT and RPC, is there any other port which I should open so that
trusted zone clients are able to log into a remote NT domain?
Thanks
Jaime O.
Anyway - I don't think this would have worked. FW-1 (4.1 SP2) will not
accept port 25 connections to the IP address of its external interface,
even if you translate it.
- Original Message -
From: Thomas Borger <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 13 February 2001 10:41
You can see how many active connections (not necessarily users) there are by
typing "fw tab -t connections -s"
-Jason
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Sumash Singh
Sent: Tuesday, February 13, 2001 12:46 AM
To: FW1-mail (E-mail)
Subject: [
Hi All!!
My FW looks like this!!!
Anybody knows what's happened?
Solaris 2.7
Firewall-1 Enterprise ver 4.1 SP2
Feb 13 00:57:38 firewall unix: FW-1: Warning: modify for a
new entry:
Feb 13 00:57:38 firewall
Feb 13 00:57:38 firewall unix: <0 : =0 22>
Best regards,
Matias
Thanks Michael,
I couldn't get SMTP to pass through, as apparently there is a DoS attack
that can be made on Checkpoint FW-1 if you let the FW-1's external IP
address receive SMTP directly, regardless of whether or not you NAT it (so
they've disabled it!).
I had to NAT extra IP address for th
One thing that can be done to make the log viewer faster is to uncheck
"resolve addresses" in the options if you have not already done so. The
only down side to that is source and destinations are all IPs instead of
host names.
-Original Message-
From: Claus Bruun
To: '[EMAIL PROTECT
Thank you for your help with this. This set me on the
right path to resolving the issue.
Once the 'internal' password option was configured we
experienced an error - User not found. In addition No Login name
appeared for users when viewed in the AMC. We modified the uid
on the Netware
Hi
Create a TCP service object and in the port field just enter the range you
want to use in this syntax: 1024-65535
The Port range object is for port address translation only.
Regards
Johan
- Original Message -
From: "Konstantinos Bilalis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent
Hi,
Does somebody have a description of how I configure a FW-1 as a simple HTTP proxy?
thx in advance
Thomas
--
Thomas Borger
Networkadministrator
GM Europe GmbH c/o Adam OPEL AG
c/o ESG Elektroniksystem- und Logistik-GmbH
Phone: +49.61 42/751 071
email: [EMAIL PROTECTED] / [EMAIL PROTECTED]
Hi Kostas,
At 13:46 13.02.01 +0200, you wrote:
>
>Hello all!!!
>I want to include all high ports in my service field of a rule and although
>I have created the relevant object called high-ports (port range object
>1024-65535), I cannot use it in my rule.
>Do you have any idea on how to overcome
Hi,
I tried this way too (usually I use select/by columns/interface) but the
result is the same. The event log browse replies with "no match" but I see the
name of the interface (like N1003) when I list the whole event log.
Perhaps I should say that I use the NT platform.
LP
Matej
- Original Message -
Hello all!!!
I want to include all high ports in my service field of a rule and although
I have created the relevant object called high-ports (port range object
1024-65535), I cannot use it in my rule.
Do you have any idea on how to overcome this problem and if there is any
solution on how to ope
Hi Matey,
>we upgraded FW-1 with VPN 4.0 on FW-1 with VPN 4.1 SP 2. When I check events
>in fw event log I usually select one of interfaces to view the log entries
>on this selected interface.
>This was working without any problems until upgrade. I see the interface
>names when I have full view o
I have the following problem with a SecuRemote setup (VPN-1 4.1 SP3 build 41814, SR
4.1 SP3 build 4174)
. configure standard SecuRemote (no NAT, no encapsulation, FWZ encryption only, user
authentication is Firewall-1 passwd)
it works perfectly if I check the Accept Firewall-1 & VPN-1 contro
Hi @ll,
>Configure the external IP to be an MX for your domain.
>Create a rule:
> any firewallsmtp=>resource accept
>put your mail server real address (10.0.0.1) into the mail server field in
>the smtp resource.
>Cheers.
>P.S. This is not very secure...
>Michael.
Why not? Can
Hi,
we upgraded FW-1 with VPN 4.0 on FW-1 with VPN 4.1 SP 2. When I check events
in fw event log I usually select one of interfaces to view the log entries
on this selected interface.
This was working without any problems until upgrade. I see the interface
names when I have full view of event log
Configure the external IP to be an MX for your domain.
Create a rule:
any firewallsmtp=>resource accept
put your mail server real address (10.0.0.1) into the mail server field in
the smtp resource.
Cheers.
P.S. This is not very secure...
Michael.
-Original Message-
F
Hi Edward,
lately I had the same problem :-)
I managed to strip the attachment by MIME type - though there is a description
in the release notes, IMHO it's not described fool-proof.
So, here is what I changed:
1. fwstop
2. make a copy of $FWDIR/conf/objects.C
3. look for the entry of the re
very good hint, Craig.
Thanks again,
-botp
> -Original Message-
> From: Craig Skelton [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2001 11:48 AM
> To: '"Peña, Botp"'; 'Yim Lee'
> Cc: Fw-1-Mailinglist (E-mail)
> Subject: RE: [FW1] newbie & ot: tail a fw log -CLOSING