I have a problem with VRRP. All settings are correct (I assume): interfaces
are set correctly, VRRP settings are correct. When typing cphaprob stat, it
shows that both are active. However, after going into iclid, show vrrp shows
both as master.
Platform is Nokia IP 130.
Just rebuilt, factory install etc.
Help?
On 9/26/06, FW-1-MAILINGLIST automatic digest system <LISTSERV amadeus.us.checkpoint.com> wrote:
>
> There are 10 messages totalling 847 lines in this issue.
>
> Topics of the day:
>
> 1. FW-1 and Asterisk PBX (2)
> 2. Connecting Clustered firewalls to two cisco ports?
> 3. exclude CP firewall from the encryption domain in VPN simplfied mode (2)
> 4. High Availability VRRP Outgoing traffic behavior (2)
> 5. IPSO 4.x and Checkpoint NGx combination explaination needed
> 6. Need help on upgrading (2)
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner ts.checkpoint.com
> =================================================
>
>
> ----------------------------------------------------------------------
>
> Date: Mon, 25 Sep 2006 09:46:26 +0200
> From: Markus Hauke <markus FAMILIE-HAUKE.DE>
> Subject: FW-1 and Asterisk PBX
>
> Hi there,
>
> I've just configured an Asterisk PBX with some SIP-Phones connected to
> it on the LAN and an ISDN link. So far everything is working fine. But
> now I've tried to connect the PBX to an external SIP provider
> (sipgate.de in this case) through my VPN-1 NGX R61. I configured static
> NAT for the Asterisk machine, but the SIP registrations fail all the
> time. I observed some strange behavior in the NAT. The SIP registration
> packet (source port 5060, destination port 5060) reaches the firewall,
> changes the source port at the interior interface and to another high
> port at the exterior interface. But the answer packet will not be
> translated correctly. This is what I see in fw monitor (n.n.n.n is my
> external IP address, 217.10.79.9 is the sipgate proxy):
>
> eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
> UDP: 5060 -> 5060
> eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
> UDP: 17973 -> 5060
> eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
> UDP: 17973 -> 5060
> eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
> UDP: 40625 -> 5060
>
> eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
> UDP: 5060 -> 40625
> eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
> UDP: 5060 -> 17973
> eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
> UDP: 5060 -> 17973
> eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
> UDP: 5060 -> 17973
>
> So you can see, the answer packet does not get translated back to
> destination port 5060 and will not be accepted by the Asterisk machine
> (it answers with an ICMP port unreachable...)
>
> Has anyone a hint for me? There are no SmartDefense settings for SIP and
> I tried to configure a VoIP Domain SIP Proxy rule with no success.
>
> Thanks
> Markus
>
>
> ------------------------------
>
> Date: Mon, 25 Sep 2006 10:40:36 +0200
> From: Fabrice Barutel <fabrice.barutel STERIA.COM>
> Subject: Re: Connecting Clustered firewalls to two cisco ports?
>
> Hi,
>
> If your customer wants to have high availability, then he needs two switches
> or hubs between router and the two firewalls (each firewall is on a different
> switch/hub). Switches are connected with two links (crossover cables for
> example).
> At the end, the last "point of failure" could be the router or the external
> link connected to the router.
>
> --
> Fabrice Barutel
> Network and security administrator
> fabrice.barutel steria.com
>
> -----------------------------
>
> Date: Sun, 24 Sep 2006 14:39:55 +0200
> From: Hadmut Danisch <hadmut DANISCH.DE>
> Subject: Re: Connecting Clustered firewalls to two cisco ports?
>
> On Sat, Sep 23, 2006 at 01:32:42PM -0600, Sergio Alvarez wrote:
> >
> > BTW... why is it that you don't want to put a sw or hub between the
> > cluster and the router?
>
> Customer Request. The Customer does not want to setup a high availability
> firewall on one hand, and then add another single point of failure on the
> other hand.
>
>
> regards
> Hadmut
>
>
> ------------------------------
>
> Date: Mon, 25 Sep 2006 03:12:16 -0700
> From: cisco4ng <cisco4ng YAHOO.COM>
> Subject: Re: FW-1 and Asterisk PBX
>
> This will NOT work as long as your local sip proxy is behind a checkpoint firewall,
> Juniper/NetScreen or Cisco Pix firewall. These vendors claim to be "sip" compliant;
> however, it is not a guarantee thing. For this to work properly, you would need
> something like Session Border Controller (SBC) nearend and farend.
>
> I've gone through a few months ago with something similar to Asterisk for
> Juniper/Netscreen firewall.
>
> HTH
>
>
> ------------------------------
>
> Date: Mon, 25 Sep 2006 07:44:04 -0700
> From: cisco4ng <cisco4ng YAHOO.COM>
> Subject: Re: exclude CP firewall from the encryption domain in VPN simplfied mode
>
> Scott,
> Thanks for the info. The checkpoint sk ID sk25675.
>
> That being said, I performed "cpstop" on both the Active and Standby SmartCenter
> and edited the $FWDIR/lib/user.def file with vi editor. I performed "cpstart" on both the
> Active and Standby SmartCenter after that. The problem is that after the policy is
> pushed, I checked the user.def file again and it seems like the changes I made
> were not there anymore.
>
> I looked at the sk solution again and it specifically stated that this solution is for
> NG AI and not NGx R61. It seems to me that CP is doing something in NGx R61.
>
> Any ideas? Thanks.
>
> cisco4ng
>
> Scott Tobias <stobias14 GMAIL.COM> wrote:
> I have seen some documentation from Check Point that allows excluding
> traffic from a certain IP address to not be encrypted. The changes they
> discuss in the user.def are
>
> #define NON_VPN_TRAFFIC_RULES \
>
> (icmp, src=212.150.30.22)
>
>
> You could try setting it so traffic from the source and destination from the
> VRRP address is not encrypted. So it should look something like the following
>
> #define NON_VPN_TRAFFIC_RULES \
>
> (icmp, src=192.168.1.1)
> (icmp, dst=192.168.1.1)
>
> I am sure there is a better way to do this but it might accomplish
> what you are trying to do.
>
>
>
>
>
>
>
> On 9/24/06, cisco4ng wrote:
> >
> > Martin,
> >
> > Well, in the checkpoint firewall, I manually create a group object called
> > "CP_Encryption_Domain" and place LAN_B (network 192.168.1.0/24) in
> > CP_Encryption_Domain group object. 192.168.1.2/24 is the physical
> > IP address of the firewall and 192.168.1.1 is the VRRP ip address of
> > the CP firewall. Are you telling me that I should "exclude" both the
> > 192.168.1.2 and 192.168.1.1 ip addresses from the CP_Encryption_Domain
> > group object?
> >
> > Another thing is that if I "exclude" the 192.168.1.2 and .1 from the
> > "CP_Encryption_Domain" group object, then the encryption on the Cisco
> > side will NOT match and the VPN tunnel will fail due to encryption domain
> > mismatch
> >
> > Any ideas?
> >
> > cisco4ng
> >
> > Martin Hoz wrote:
> > On 9/24/06, cisco4ng wrote:
> > > With VPN "traditional" mode, the Checkpoint FW itself, by
> > > default, is NOT part of encryption domain but in
> > > simplified mode, it is. Is there a way to exclude the
> > > Checkpoint itself from the encryption domain in NGx in
> > > VPN "simplified" mode?
> >
> > This is the defaults, as you said. But you can as well specify the encryption domain
> > manually on the topology tab and specify whatever you want as encryption domain
> > there, including just the network objects you need...
> >
> > Are you doing it this way (manually specified) and doesn't work, or are you leaving
> > the defaults so the encryption domain is calculated based on the topology?
> >
> > - Martín.
> >
> > --
> > **** What have you done today to save water?
> > ** My web page: http://gama.fime.uanl.mx/~mhoz/
> > * "We are a consequence of the past, and the cause of our future."
> > ** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
> >
>
> ------------------------------
>
> Date: Mon, 25 Sep 2006 11:34:01 -0500
> From: Lino Eduardo Avila Rodríguez <leavila SCITUM.COM.MX>
> Subject: Re: High Availability VRRP Outgoing traffic behavior
>
> Well
>
>
> First of all, I should say either you use cluster xl or you use vrrp; I think
> that your problem resides there. I've never seen this configuration and I
> don't think it is correct at all. Try using only vrrp. And verify if everything
> is working fine.
>
>
> Best regards
>
> lino
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On Behalf Of Pedro Boavida
> Sent: Friday, 22 September 2006 06:06 a.m.
> To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] High Availability VRRP Outgoing traffic behavior
>
> Hi,
>
> I'd like some clarification regarding the following situation:
>
> Environment:
> Nokia IP1260 Cluster with 2 Members (IPSO 4.0 with NGX R60 HFA04) using 3rd
> Party VRRP High Availability and Cluster XL for the SyncNetwork
>
> VRRP:
> VRRP Monitored Circuits using Legacy Configuration
> 3rd Party Configuration (Cluster Object)
> Support for non-sticky connections - Disable
> Hide Cluster Members outgoing traffic behind the ClusterIP address - Enable
> Forward Cluster Incoming traffic to Cluster Members IP address - Enable
>
> Problem:
> Assuming this, when we initiate a connection from the active member, if we
> make a tcpdump, the connection SourceMac is the VRRP_MAC and SourceIP is the
> VIP, and in the SmartTracker we see the ip of the active member being
> Translated to the Cluster IP (VIP) by an implied rule, well this is the
> normal behavior.
>
> If we make a connection from the Standby member we see the connection
> getting out (SYN), the SourceMac is the LocalMac and SourceIP is the VIP from
> the member, and in the SmartTracker we see the ip of the standby member
> being Translated to the Cluster IP (VIP) by an implied rule, the connection
> is unsuccessful because the SYNACK will return to the VIP address and will
> be processed by the active member and so I cannot initiate any
> connection using the standby member, well this should be the normal behavior
> also.
>
> The problem is that, this behavior is not true on all interfaces of the
> standby member, in some interfaces the connection is initiated with
> SourceMAC=LocalMAC and SourceIP=LocalIP and in the SmartTracker we don't see
> the ip of the member being Translated to the Cluster IP (VIP) by an implied
> rule and of course with this behavior the tcp handshake is done and the
> connection is made.
>
> Can anyone tell which behavior to expect when initiating a connection from a
> standby member of a VRRPmc configuration regarding Source Mac address and
> source IP address used by the member?
> With the checkbox "Hide Cluster Members outgoing traffic behind the
> ClusterIP address" enabled, should I not expect the same behavior on all
> interfaces? Is there a configuration per interface?
>
> Thanks in advance.
>
> Pedro Boavida
>
>
> ------------------------------
>
> Date: Mon, 25 Sep 2006 18:14:02 +0100
> From: Pedro Boavida <pboavida CESCE.PT>
> Subject: Re: High Availability VRRP Outgoing traffic behavior
>
> Hi,
>
> This is a very common scenario when you want to have vrrp and state sync.
> In such scenario ClusterXL is only used for state synchronization.
>
> Best regards,
>
> Pedro Boavida
>
>
>
> ------------------------------
>
> Date: Mon, 25 Sep 2006 17:21:55 -0700
> From: no-need to-list <ogos69 YAHOO.COM>
> Subject: Re: IPSO 4.x and Checkpoint NGx combination explaination needed
>
> Neither DOES Microsoft.....but we still buy their products...Don't we?
>
> The software companies need to be responsible of the software they put
> on in the market...just like manufacturing....so we can sue the hell of them.
> Maybe, just maybe after that, they would do a lot more quality
> assurance on their products before releasing and stop hiring programmers
> from 3rd world countries by paying them few dollars a day.
>
> On 9/21/06, joe smith <interrupt_handle_this_00100 yahoo.com> wrote:
> >
> > Sorry I wasn't able to examine all "zillion" states. but i don't think CP
> > checks all those states before releasing code to public.
> >
>
>
>
>
> ------------------------------
>
> Date: Tue, 26 Sep 2006 11:51:33 +1000
> From: Clive Luk <clive ILANET.NET.AU>
> Subject: Need help on upgrading
>
> Hi Guru,
>
> I want to ask if there is an easy method to do a management server upgrade?
> Actually I want to move all configuration and license from a piece of old
> hardware to a new hardware.
>
> Anything I need to pay attention?
>
> Thanks in advance!
>
> Cheers,
> Clive
>
>
> ------------------------------
>
> Date: Tue, 26 Sep 2006 13:35:32 +0800
> From: "Joseph Carlo C. Quiambao" <jcquiambao GMAIL.COM>
> Subject: Re: exclude CP firewall from the encryption domain in VPN simplfied mode
>
> Accept ICMP requests: before last ?
>
> On 9/24/06, cisco4ng <cisco4ng yahoo.com> wrote:
> >
> > LAN_A---(i)Pix(o)---Internet---(Ext)CP_FW(Int)---LAN_B
> >
> > I have a site-to-site VPN between Cisco Pix and Checkpoint
> > Firewall NGx. Traffics are encrypted between LAN_A
> > and VLAN_B without any NAT translation. Everything
> > is working properly. I am using VPN simplified mode.
> > One of the requirements is that LAN_A must be able
> > to ping LAN_B and that the icmp traffics between LAN_A
> > and LAN_B must be encrypted via IPSec
> >
> > I also have a requirement from the customer that from the
> > Pix "outside" interface, the customer wants to be able
> > to ping the Checkpoint "External" interface and that
> > the icmp traffic will not be encrypted. The problem is
> > that Checkpoint, by default, also includes the CP firewall
> > itself, as part of the encryption domain. Yes, the icmp
> > from the pix outside interface, will arrive to the CP
> > External interface as "clear" but the CP expects this
> > traffic to be encrypted.
> >
> > Well, I can exclude "icmp" from the VPN traffics but
> > it also means that LAN_A, will not be able to ping LAN_B.
> > With VPN "traditional" mode, the Checkpoint FW itself, by
> > default, is NOT part of encryption domain but in
> > simplified mode, it is. Is there a way to exclude the
> > Checkpoint itself from the encryption domain in NGx in
> > VPN "simplified" mode?
> >
> > Thanks.
> > cisco4ng
> >
> >
>
> ------------------------------
>
> Date: Tue, 26 Sep 2006 07:51:03 +0200
> From: Mark Elsen <mark.elsen GMAIL.COM>
> Subject: Re: Need help on upgrading
>
> > Hi Guru,
> >
> > I want to ask if there is a easy method to do a management server upgrade?
> > Actually I want to move all configuration and license from a piece of old
> > hardware to a new hardware.
> >
> > Anything I need to pay attention?
> >
>
> Open a command prompt window :
>
> > cd %FWDIR%\bin\upgrade_tools
> > upgrade_export SmartCenter.tgz
>
> Install CP on your new server
>
> - transfer SmartCenter.tgz to the new box
> - goto upgrade_tools dir
>
> > upgrade_import SmartCenter.tgz
>
> M.
>
>
> ------------------------------
>
> End of FW-1-MAILINGLIST Digest - 24 Sep 2006 to 25 Sep 2006 (#2006-256)
> ***********************************************************************
>
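
Added example, not part of any post in this digest: a small parser for the fw monitor capture quoted in the "FW-1 and Asterisk PBX" message that walks the four inspection points (i, I, o, O) of each pass through the gateway and reports where the reply's reverse NAT diverges from the original client tuple. The function names are hypothetical; the capture is the one from that post, with n.n.n.n kept as the poster's placeholder.

```python
import re
from typing import NamedTuple

# fw monitor capture as quoted in the "FW-1 and Asterisk PBX" post;
# n.n.n.n is the poster's placeholder for the external address.
CAPTURE = """\
eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060
eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
"""

# "<iface>:<point>[len]: <src> -> <dst> (<proto>)", then a ports line.
HEADER = re.compile(r"^([^:\s]+):([iIoO])\[\d+\]:\s+(\S+)\s+->\s+(\S+)\s+\((?:UDP|TCP)\)")
PORTS = re.compile(r"^(?:UDP|TCP):\s+(\d+)\s+->\s+(\d+)")


class Packet(NamedTuple):
    where: str   # e.g. "eth0:I"
    point: str   # i=pre-inbound, I=post-inbound, o=pre-outbound, O=post-outbound
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)


def parse_fw_monitor(text):
    """Pair each header line with the ports line that follows it."""
    packets, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            header = m.groups()
            continue
        m = PORTS.match(line)
        if m and header:
            iface, point, src_ip, dst_ip = header
            packets.append(Packet(f"{iface}:{point}", point,
                                  (src_ip, int(m.group(1))),
                                  (dst_ip, int(m.group(2)))))
            header = None
    return packets


def traversals(packets):
    """Group packets into passes through the gateway; each pass starts at 'i'."""
    runs = []
    for pkt in packets:
        if pkt.point == "i" or not runs:
            runs.append([])
        runs[-1].append(pkt)
    return runs


def find_broken_reverse_nat(packets):
    """Report replies that are not delivered to the tuple the client sent from."""
    runs = traversals(packets)
    findings = []
    for req in runs:
        original, translated = req[0], req[-1]
        for rep in runs:
            # A reply enters the gateway as the mirror image of what left it.
            if rep is req or (rep[0].src, rep[0].dst) != (translated.dst, translated.src):
                continue
            delivered = rep[-1].dst
            if delivered == original.src:
                continue  # reverse translation restored the client's tuple
            findings.append({
                "expected": original.src,
                "delivered": delivered,
                # first inspection point at which the wrong tuple appears
                "rewritten_at": next(p.where for p in rep if p.dst == delivered),
                # True when the reply was mapped to a tuple that only existed
                # between the request's inbound and outbound translations
                "is_intermediate_tuple": any(p.src == delivered for p in req[1:-1]),
            })
    return findings


if __name__ == "__main__":
    for f in find_broken_reverse_nat(parse_fw_monitor(CAPTURE)):
        print(f)
```

On this capture the single finding shows the reply restored to the intermediate source port first seen at eth1.10:I rather than to the port the PBX sent from, which matches the symptom described in the post.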