<?xml version="1.0"?>
<rss version="2.0">
<!-- MHonArc v2.6.16 -->

<channel>
<title>FireWall-1 Gurus Mailing List</title>
<link>http://fw1-gurus.phoneboy.com/</link>
<description>Mailing list archive for FireWall-1 Gurus at fw1-gurus.phoneboy.com</description>
<language>en-us</language>
<pubDate>Fri, 01 May 2009 17:23:19 GMT</pubDate>
<lastBuildDate>Fri, 01 May 2009 17:23:19 GMT</lastBuildDate>
<docs>http://fw1-gurus.phoneboy.com/index.xml</docs>
<generator>MHonArc v2.6.16</generator>
<managingEditor>dwelch@phoneboy.com (Dameon D. Welch-Abernathy)</managingEditor>
<webMaster>dwelch@phoneboy.com (Dameon D. Welch-Abernathy)</webMaster>


<item>
<title>[fw1-gurus] Closing Down FW1-Gurus</title>
<author>fw1-gurus@lists.phoneboy.com (Dameon Welch-Abernathy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01263.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01263.html</guid>
<description>It seems those new-fangled web-based forums are all the rage and mailing lists are dead. Time for fw1-gurus to enter the deadpool. In case you haven't discovered these places yet, here's where you can get help with your Check Point products: * https://forums.checkpoint.com/forums/index.jspa (Check Point's official forums) * http://www.cpug.org/forums/ (Check Point User Group forums, and the inheritor of the old phoneboy.com FW-1 FAQ content) Thanks for your support over the years. I will keep the archives for this list up at http://fw1-gurus.phoneboy.com for posterity. -- PhoneBoy _______________________________________________ fw1-gurus mailing list fw1-gurus@xxxxxxxxxxxxxxxxxx http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com </description>
<pubDate>Fri, 01 May 2009 17:23:18 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] NATing ICMP traffic</title>
<author>fw1-gurus@lists.phoneboy.com (carlopmart)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01262.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01262.html</guid>
<description>Hi all, I have a problem using NGX R65 and R70 gateways. I need to do NAT with ICMP traffic from one host in our internal network. I see this solution ID 3.0.136469.2193953 but I don't have access because I have downloaded trial editions. How can I do NAT with ICMP traffic under Check Point? Many thanks. -- CL Martinez carlopmart {at} gmail {d0t} com</description>
<pubDate>Wed, 22 Apr 2009 05:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Ted Serreyn)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01261.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01261.html</guid>
<description>Of course this is just an issue of how Checkpoint has implemented the proxy ARP to help users and administrators automatically do the necessary configuration to support the NAT. This is not necessary (just as it has always been) in the case where you have already configured routing to send the packets to the appropriate interface of the firewall without proxy ARPing. This can be done by configuring static host and/or network routes on the next hop router. Ted Serreyn Serreyn Network Services, LLC</description>
<pubDate>Thu, 02 Apr 2009 06:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Dan Lynch)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01260.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01260.html</guid>
<description>Thanks to all who replied. The consensus seems to be: In that context it makes perfect sense. It just seems kludgy in that the system assumes an automatic static NAT requires a proxy ARP, and will attempt to provide it if that feature is enabled, regardless of whether the actual topology requires it. It also strikes me as odd that in the two Checkpoint sk articles (sk18463 and sk25949) sent to me by Nokia support regarding this question, the recommended solution is to modify your configuration: And interface. They never mention that the error is purely cosmetic. Dan Lynch, CISSP Information Technology Analyst County of Placer Auburn, CA</description>
<pubDate>Wed, 01 Apr 2009 16:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Hugo van der Kooij)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01259.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01259.html</guid>
<description>Basically if an ISP assigns a customer a 192.0.2.0/26 subnet we try to get only the 192.0.2.0/28 bit on the outside. That would leave room for a redundancy solution on both ends and some other stuff like PacketShapers, IPS, .... Then for the remainder of the 192.0.2.0/26 netblock there is no physical network. NAT still works beautifully. There is no need for ARP entries, but in order to support customers who need to NAT from external subnets (like the 192.0.2.0/28 block in this example) the code is still there to make it work. So in fact there is no harm done. It's just a warning that you can ignore now that you know why it is there. It ain't pretty but there is no harm in them. Hugo. -- hvdkooij@xxxxxxxxxxxxxxx http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. &gt;Q: Are you sure? &gt;&gt;A: Because it reverses the logical flow of conversation. &gt;&gt;&gt;Q: Why is top posting frowned upon?</description>
<pubDate>Wed, 01 Apr 2009 08:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Hamish Marson)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01258.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01258.html</guid>
<description>Quoting Dan Lynch &lt;DLynch@xxxxxxxxxxxxx&gt;: I could, but the messages appear for most, if not all (I've been unable to check all), objects with an automatic static NAT to a network address that does not match an existing interface address. Just for this reason, it doesn't seem to imply object corruption. That may be true, but I'm curious whether this is truly an otherwise undocumented limitation of the Checkpoint firewall product. Does a NAT address *require* an interface in its network range? I don't think so, and no documentation I've found refers to that, yet the cited Checkpoint KB article (sk18463) states that it does: The SK is wrong. Or perhaps, to be more charitable, it's incomplete. If the NAT address is resident on the network that's directly attached AND is the inbound interface of the firewall, then yes, you need an ARP entry. However I prefer to NAT (where necessary) using a completely virtual network range. One that only exists IN the firewall itself. The network routing simply ensures that the firewall interface is the next hop to the NAT network. In this way, the previous router is really only interested in the Ethernet address of the firewall as the 'next hop'. The firewall itself doesn't care whether the network range exists on the firewall at all. It's completely independent. H</description>
<pubDate>Tue, 31 Mar 2009 22:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Juan Concepcion)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01257.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01257.html</guid>
<description>Typically you get that error message when you have an automatic NAT, auto ARP enabled, and the firewall does not have an interface on that network. You cannot ARP for an address that does not belong to the same IP subnet; the Check Point software cannot generate an auto ARP in this scenario. Sent from my Verizon Wireless BlackBerry</description>
<pubDate>Tue, 31 Mar 2009 22:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Hugo van der Kooij)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01256.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01256.html</guid>
<description>It happens with automagic NAT entries. The system tries to generate ARP entries but fails to do so and will warn about them. As you have no need for them you can safely ignore these messages. They are neither good nor bad. These messages just are. (Sorry, B5 humor) Hugo. -- hvdkooij@xxxxxxxxxxxxxxx http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. &gt;Q: Are you sure? &gt;&gt;A: Because it reverses the logical flow of conversation. &gt;&gt;&gt;Q: Why is top posting frowned upon?</description>
<pubDate>Tue, 31 Mar 2009 22:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Musgrave, Tom)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01255.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01255.html</guid>
<description>Not sure if I can offer any help but this is interesting: That may be true, but I'm curious whether this is truly an otherwise undocumented limitation of the Checkpoint firewall product. Does a NAT address *require* an interface in its network range? I don't think so, and no documentation I've found refers to that, yet the cited Checkpoint KB article (sk18463) states that it does: I have many different static NATs for ranges that are outside of the NATing interface's range. Not having read the article, but does it really mean that with automatic NAT and automatic ARPing you have this restriction? I believe that's how proxy ARP behaves on devices from other vendors by default. Have you tested by manually entering a proxy ARP for your global address? I'll be a little more dogmatic than Phoneboy and say that I always reconfigure any firewall I take ownership of to remove automatic NAT. I really can't cope with software presuming it knows my intentions. Good luck! Tom</description>
<pubDate>Tue, 31 Mar 2009 22:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Dan Lynch)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01254.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01254.html</guid>
<description>I could, but the messages appear for most, if not all (I've been unable to check all), objects with an automatic static NAT to a network address that does not match an existing interface address. Just for this reason, it doesn't seem to imply object corruption. That may be true, but I'm curious whether this is truly an otherwise undocumented limitation of the Checkpoint firewall product. Does a NAT address *require* an interface in its network range? I don't think so, and no documentation I've found refers to that, yet the cited Checkpoint KB article (sk18463) states that it does: In this case, the message appears regardless of the &quot;apply to gateway&quot; setting. Even so, there is no interface in the network referenced in the object's automatic static NAT. My question is whether that's a requirement. If so, I can't find it documented anywhere else but the above referenced sk18463. Dan Lynch, CISSP Information Technology Analyst County of Placer Auburn, CA</description>
<pubDate>Tue, 31 Mar 2009 00:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Michele Chubirka)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01253.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01253.html</guid>
<description> </description>
<pubDate>Sun, 29 Mar 2009 03:55:03 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Dan Lynch)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01252.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01252.html</guid>
<description>Greetings list, I recently had cause to peek into a fwd.elg file on an enforcement point, and found several of the following messages: ip address: 198.132.13.94 198.132.13.94 The firewall is Checkpoint R65, HFA02 on Nokia, running IPSO 4.2, b96. There are dozens of these messages, and the IP addresses all match some object with automatic static NAT configured. They appear on all our enforcement points, seemingly without regard to whether the enforcement point is listed in the given NAT's &quot;Install On Gateway&quot; field. All our enforcement points are managed from the same SmartCenter. The NATs seem to function just fine, and have for years, despite these log entries. I have a slew (slough?) of similarly configured NATs. I found the following Checkpoint sk18463, which states in part: StaticNAT IP configured. I've gone back through Dashboard's help files, my FW-1 documentation, books and notes from training, and I can find no other reference to this limitation. Can anyone address: - is this in fact a limitation of static NAT? - is this documented anywhere? - is the error message purely cosmetic? Or does it reflect a serious problem, or could other issues arise due to this config? Dan Lynch, CISSP Information Technology Analyst County of Placer Auburn, CA</description>
<pubDate>Sat, 28 Mar 2009 09:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Static NAT limitations</title>
<author>fw1-gurus@lists.phoneboy.com (Dameon Welch-Abernathy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01251.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01251.html</guid>
<description>Can you delete and re-create the object? Perhaps it got corrupted or something. My own bias is to use manual NAT rules and not rely on automatic ARP configuration. While it is a little more work, you have a lot more granularity in terms of what rules apply in what circumstances. -- PhoneBoy</description>
<pubDate>Sat, 28 Mar 2009 08:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Fragmentation question</title>
<author>fw1-gurus@lists.phoneboy.com (David Gillett)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01250.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01250.html</guid>
<description>Yes, that's correct. Is it reasonable for someone to be sending you 64KB UDP packets? Is it reasonable for some link between that sender and you to have an MTU of 410? In general, I'd incline toward "No" as the answer to both, but you *might* have a situation where one or the other is reasonable. (I recommend PMTUD over fragmentation....) I used to see a lot of 64KB ICMP packets fragmented -- they were always an attempt to DoS our bandwidth.... David Gillett</description>
<pubDate>Tue, 24 Mar 2009 17:55:02 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Fragmentation question</title>
<author>fw1-gurus@lists.phoneboy.com (Adam Carter)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01249.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01249.html</guid>
<description>The console log from a Sun R55 box: FW-1: Virtual defragmentation error: Large packet (xxx.22.98.29 -&gt; xxx.18.7.14 proto 17 id 3976 len 410 offset 65120) - 175 fragments dropped during the last 60 seconds So proto 17 = UDP, I assume len is the length of the current fragment in bytes, but what does offset mean? Is it bytes from the start of the unfragmented packet? If so, then has a 65K packet been broken up into 160-odd 410-length fragments?</description>
<pubDate>Tue, 24 Mar 2009 06:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Will HCL be updated?</title>
<author>fw1-gurus@lists.phoneboy.com (Steve Moran)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01248.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01248.html</guid>
<description> </description>
<pubDate>Fri, 13 Mar 2009 07:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Will HCL be updated?</title>
<author>fw1-gurus@lists.phoneboy.com (raypesek)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01247.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01247.html</guid>
<description> </description>
<pubDate>Fri, 13 Mar 2009 00:55:02 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] SmartDefense Message ID reference</title>
<author>fw1-gurus@lists.phoneboy.com (Chris Hague)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01246.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01246.html</guid>
<description>Good Day everyone, Does anyone know if there is a SmartDefense message ID reference guide? If so, please direct me to a link, or reply back to myself. Cheers, Chris</description>
<pubDate>Thu, 12 Mar 2009 21:55:03 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Will HCL be updated?</title>
<author>fw1-gurus@lists.phoneboy.com (leonid77)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01245.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01245.html</guid>
<description>Has anyone checked the list of R70 certified platforms at http://www.checkpoint.com/services/techsupport/hcl/all.html? Only 1 HP and 2 IBM servers are listed. How will existing R65 (or older version) customers be upgraded to R70 if they wish to keep their HW (such as DL380G5 etc.)? The NIC list (http://www.checkpoint.com/services/techsupport/hcl/nic/index.html) is funnier: none of the cards are supported for R70! Are those lists final or should we wait for an update?</description>
<pubDate>Thu, 12 Mar 2009 21:55:03 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Query regarding CheckPoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Dameon Welch-Abernathy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01244.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01244.html</guid>
<description>Check Point uses a proprietary mechanism to communicate configuration information to the devices and information from the devices (e.g. logging). The communication is encrypted with SSL. Check Point, in general, treats the security gateway as a discrete object with only one security policy. The only exception to this rule is anti-spoofing, which is an interface-specific setting. Otherwise, all interfaces enforce the same security policy. In the VSX case, each interface will only enforce the rules that are specific to the virtual system they are a part of. Beyond changing what interfaces are in each virtual system, you cannot control what interfaces get a particular policy. -- PhoneBoy</description>
<pubDate>Thu, 12 Mar 2009 04:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] slightly off topic</title>
<author>fw1-gurus@lists.phoneboy.com (Pierre Lamy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01243.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01243.html</guid>
<description> </description>
<pubDate>Thu, 12 Mar 2009 03:55:02 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Query regarding CheckPoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (krishna gopi)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01242.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01242.html</guid>
<description>Hi Gurus, I have the following set of questions regarding CheckPoint VSX. Any information regarding the questions below would really help me. Q&gt; Which transport communication is supported by CheckPoint (like XML over HTTP) to communicate with the device and configure some settings from the external environment? Q&gt; When we create the ACLs and Virtual Systems, how are they applied to the interfaces? Is there any specific physical interface to which they apply this? Is there any specific name for the interface, like 'security interface' in Cisco ASA? I checked on their website, but I couldn't find the required information. Thank you for your support in advance. Regards Gopi Krishna.S</description>
<pubDate>Thu, 12 Mar 2009 03:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] slightly off topic</title>
<author>fw1-gurus@lists.phoneboy.com (Campbell.ColinD)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01241.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01241.html</guid>
<description>Hi, Have a look at ftp://ftp.lacnic.net/pub/stats/lacnic/. In particular, the file delegated-lacnic-20090309 Colin -- Colin Campbell Security Specialist Public Safety Network Management Centre p: (07) 3008 4782 f: (07) 3008 4799 e: Campbell.ColinD@police.qld.gov.au</description>
<pubDate>Wed, 11 Mar 2009 04:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] slightly off topic</title>
<author>fw1-gurus@lists.phoneboy.com (Alex CISSP)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01240.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01240.html</guid>
<description> </description>
<pubDate>Wed, 11 Mar 2009 04:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] slightly off topic</title>
<author>fw1-gurus@lists.phoneboy.com (Michael Hamelin)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01239.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01239.html</guid>
<description>On Mar 10, 2009, at 5:37 PM, Steve Moran wrote: It is a quite complicated process to do; you are best to use a service that provides a coded feed, but if you look you can trace each allocation. The delegation goes from IANA to the RIRs (Regional Internet Registries). Each RIR delegates to one or more NIRs (National Internet Registries). Each NIR delegates to one or more LIRs (Local Internet Registries). Each LIR then delegates out to the local ISPs. You should be able to find a country-coded address list from each RIR and NIR; they are required to make this data available. For instance here is one of the latest APNIC lists: ftp://ftp.apnic.net/apnic/stats/apnic/assigned-apnic-20090310 This does not guarantee that that address is actually used in the country assigned; many companies will acquire address space and use it on remote offices. For instance several US companies have their parent company in the EU and use address space allocated within the EU by RIPE. Good luck, Michael Hamelin</description>
<pubDate>Wed, 11 Mar 2009 04:55:01 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] slightly off topic</title>
<author>fw1-gurus@lists.phoneboy.com (Steve Moran)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01238.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01238.html</guid>
<description>Does anyone know if organizations such as RIPE or LACNIC divide up IP blocks by country? For example, we don't do business with the vast majority of the ranges supported by LACNIC; however, we do business with Panama, so I want to know what IP blocks are allocated to Panama, so I could allow them but block the rest. I found this list from IANA, but it's limited to just the governing body, not down to the country. http://www.iana.org/assignments/ipv4-address-space/</description>
<pubDate>Wed, 11 Mar 2009 01:55:04 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Robert Hughes)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01237.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01237.html</guid>
<description>First, VSX is software. It runs on multiple platforms/appliances from multiple vendors. It is not itself an "appliance". As far as the rest of your question, yes, VSX does all that *and* VPNs and dynamic routing. If you want to know more, I'd suggest visiting Check Point's web site. Complete details on VSX's features and capabilities are published there.</description>
<pubDate>Tue, 10 Mar 2009 15:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Pierre Lamy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01236.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01236.html</guid>
<description></description>
<pubDate>Tue, 10 Mar 2009 15:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Olivier Menil)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01235.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01235.html</guid>
<description> Hello Gopi, VSX offers the same features you list as well as VPN (site to site and remote users) and dynamic routing (but not for VPNs). You can find the known limitations in the release notes. Checkpoint now offers (aka sells) VSX appliances, but you can run it on your own server (just check they are certified by Checkpoint first!). With kind regards, Olivier From: fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx [mailto:fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Gopi Krishna S (gopis) Sent: Tuesday 10 March 2009 4:08 To: fw1-gurus@xxxxxxxxxxxxxxxxxx Subject: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX Hi Gurus, I&#8217;ve a query regarding the multiple context mode functionality in ASA compared with CheckPoint&#8217;s VSX. In ASA multiple-context mode you can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which include routing tables, firewall features, IPS, and management. Some features are not supported, which include VPN and dynamic routing protocols. Is this the same as CheckPoint VSX, which allows you to create virtual systems? And which other CheckPoint security appliances support these multiple security contexts? Your help is highly appreciated in this regard. Thank You. Regards Gopi Krishna.S </description>
<pubDate>Tue, 10 Mar 2009 15:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Yu Simon)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01234.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01234.html</guid>
<description> Hi Gopi, CheckPoint VSX supports dynamic routing (e.g. OSPF, RIP) and VPN on each virtual system. You can create a maximum of 250 virtual firewalls per VSX device, which also depends on the hardware specification. If you are interested in VSX then you can take a look at the VSX-1 appliance from CheckPoint http://www.checkpoint.com/products/vpn-1_power_vsx/ Thanks and Regards, Simon Date: Tue, 10 Mar 2009 08:37:42 +0530 From: gopis@xxxxxxxxx To: fw1-gurus@xxxxxxxxxxxxxxxxxx Subject: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX Hi Gurus, I&#x2019;ve a query regarding the multiple context mode functionality in ASA compared with CheckPoint&#x2019;s VSX. In ASA multiple-context mode you can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which include routing tables, firewall features, IPS, and management. Some features are not supported, which include VPN and dynamic routing protocols. Is this the same as CheckPoint VSX, which allows you to create virtual systems? And which other CheckPoint security appliances support these multiple security contexts? Your help is highly appreciated in this regard. Thank You. Regards Gopi Krishna.S </description>
<pubDate>Tue, 10 Mar 2009 15:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Vincent Malguy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01233.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01233.html</guid>
<description> Hi, Security contexts are clearly Cisco ASA's response to virtualisation. The lack of VPN makes it a bit useless in my opinion. I hope that in some release they will enable it. For the other solutions, I would say that one is VMware ESX(i). Checkpoint is selling a Checkpoint &quot;VE&quot; edition designed for VMware virtual machines. You can also use Checkpoint SecurePlatform on each virtual machine. I have never tried other virtualisation solutions with Checkpoint products. This solution doesn't have any kind of feature limitation, but some may find limitations in the virtualisation technology itself. Vincent. On 10 March 09 at 04:07, Gopi Krishna S (gopis) wrote: </description>
<pubDate>Tue, 10 Mar 2009 15:55:01 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Query regarding ASA multiple security context Vs checkpoint VSX</title>
<author>fw1-gurus@lists.phoneboy.com (Gopi Krishna S (gopis))</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01232.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01232.html</guid>
<description> Hi Gurus, I&#8217;ve a query regarding the multiple context mode functionality in ASA compared with CheckPoint&#8217;s VSX. In ASA multiple-context mode you can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which include routing tables, firewall features, IPS, and management. Some features are not supported, which include VPN and dynamic routing protocols. Is this the same as CheckPoint VSX, which allows you to create virtual systems? And which other CheckPoint security appliances support these multiple security contexts? Your help is highly appreciated in this regard. Thank You. Regards Gopi Krishna.S </description>
<pubDate>Tue, 10 Mar 2009 05:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Virtual defragmentation error: fragment table is full</title>
<author>fw1-gurus@lists.phoneboy.com (Hugo van der Kooij)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01231.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01231.html</guid>
<description> You need to fix the path. It seems you are fragmenting packets all over the place. That will kill your performance. So make sure there is no need to fragment packets. Hugo. - -- hvdkooij@xxxxxxxxxxxxxxx http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. &gt;Q: Are you sure? &gt;&gt;A: Because it reverses the logical flow of conversation. &gt;&gt;&gt;Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. </description>
<pubDate>Sun, 01 Mar 2009 05:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Virtual defragmentation error: fragment table is full</title>
<author>fw1-gurus@lists.phoneboy.com (Dameon Welch-Abernathy)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01230.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01230.html</guid>
<description> Normally, VPN-1 receives a packet and makes a determination about whether or not to pass it. In the case of a fragmented packet, there isn't enough information in the packet to determine whether or not to actually pass it. What VPN-1 does is attempt to assemble all the received packet fragments in memory prior to making a decision. Legitimate traffic is rarely fragmented, though you may see it in situations where different network paths have different MTUs or when large packets traverse a VPN (in the latter case, it is caused by IPSec packet overhead). If you see a large number of packet fragments (and thus these errors), it is either because someone is maliciously trying to send you a lot of fragmented packets or you have a rogue/misconfigured/compromised machine on your network. -- PhoneBoy </description>
<pubDate>Sun, 01 Mar 2009 05:55:01 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Virtual defragmentation error: fragment table is full</title>
<author>fw1-gurus@lists.phoneboy.com (System Administrator)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01229.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01229.html</guid>
<description>We use Checkpoint FW1 R55 with AI in a cluster with Rainwall. The data throughput between the DMZ is very slow for the last day. On one of the nodes I get the following error. ------------------------------------------------------------------------------- FW-1: Virtual defragmentation error: fragment table is full (xxx.xxx.xxx.xxx -&gt; xxx.xxx.xxx.xxx proto 17 id 26458 len 1500 offset 17760) - 353232 fragments dropped during the last 60 seconds ------------------------------------------------------------------------------- Johan Loubser</description>
<pubDate>Sat, 28 Feb 2009 04:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Eventia Consolidator</title>
<author>fw1-gurus@lists.phoneboy.com (Norman Zhang)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01228.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01228.html</guid>
<description> Found the solution. SCS will not send logs to Eventia via DBsync. I need to point the Log Consolidation and Event Correlation to the SCS log server. Norman </description>
<pubDate>Wed, 25 Feb 2009 07:55:02 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] Eventia Consolidator</title>
<author>fw1-gurus@lists.phoneboy.com (Norman Zhang)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01227.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01227.html</guid>
<description>I have Eventia Suite on a separate box from the SCS. Enforcement Gateways send all logs to SCS only. Eventia talks to SCS via LEA and CPMI. * Will logs from SCS be synced to Eventia's log server via DBsync? * For Log Consolidation should I use the SCS log server (separate box) instead of Eventia's log server (same box)? * For Event Correlation should I use the SCS log server (separate box) instead of Eventia's log server (same box)? Norman </description>
<pubDate>Sat, 21 Feb 2009 07:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] LOG_CRIT Kernel errors.</title>
<author>fw1-gurus@lists.phoneboy.com (Robert Hughes)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01226.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01226.html</guid>
<description>I wasn't able to find anything on this message, but rtmChains makes me think this is related to real time monitor. Are you running smartview monitor on this box? The only other thing I can suggest is opening a ticket with Check Point and letting a dev take a look at it. At a minimum, they'd probably want a sample of the traffic triggering this, so they can see what's special about those packets. </description>
<pubDate>Fri, 20 Feb 2009 17:55:01 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] LOG_CRIT Kernel errors.</title>
<author>fw1-gurus@lists.phoneboy.com (Matthew MacAulay)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01225.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01225.html</guid>
<description>Hello, This morning I am seeing lots of LOG_CRIT errors; the hex values translate to IP addresses, none of which I would count as being one of my customers. A couple of weeks ago, I had similar errors which were trying to use one of my public DNS servers as a recursive lookup as part of a DDOS attack, but in that instance one of the hex values was (as the destination) my DNS server. These messages are different and do not give me a clue as to what is going on. Can anyone shed any light? Or give me some pointers as to what is going on.. I am tempted to just block them at my perimeter routers but I would prefer to understand what the traffic is before I do that. Bf71015 = 191.113.1.5 Latin American and Caribbean IP, Mexico.. 62f71015 = 98.247.16.21 Comcast Cable Communications, Inc. 9fd0562c = 159.208.86.44 Sunlife Assurance Company of Canada Feb 20 09:58:03 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:03 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:05 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:05 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:07 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle bf71015 - entry used for handle 62f71015 with value 9fd0562c Feb 20 09:58:07 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle bf71015 - entry used for handle 62f71015 with value 9fd0562c Feb 20 09:58:07 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:07 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:10 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Feb 20 09:58:10 thk22fw2 [LOG_CRIT] kernel: fwhandle_get(rtmChains.c:1640): Table kbufs - Invalid handle 2e638012 - entry used for handle 37638012 with value a9865370 Regards, Mat. </description>
<pubDate>Fri, 20 Feb 2009 10:55:01 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] fwm logexport - does it work against MDS in NGX-R65?</title>
<author>fw1-gurus@lists.phoneboy.com (Hal Jackson)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01224.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01224.html</guid>
<description> Here is the fix for logexport, from Check Point: CPRegSvr /opt/CPPIconnectra-R65/lib/libCPInstMgrConnectraConvComps.so This sets a registry entry to allow &quot;fwm logexport&quot; to work on the MDS audit file. (It may fix the issue running it on the gateway; didn't try that.) Thought this might prove useful since others have run into this. ----- Original Message ----- From: &quot;Hal Jackson&quot; &lt;hal_jackson@xxxxxxxxxxx&gt; To: &quot;Malguy, Vincent&quot; &lt;Vincent.Malguy@xxxxxxxx&gt;; &quot;Robert Hughes&quot; &lt;rob@xxxxxxxxxxxxx&gt;; &quot;FW1 Gurus&quot; &lt;fw1-gurus@xxxxxxxxxxxxxxxxxx&gt; Sent: Monday, February 09, 2009 8:11 PM Subject: Re: [fw1-gurus] fwm logexport - does it work against MDS in NGX-R65? Yes, that is what I did. I talked to CP today about it; this bug is reproducible by them and going to R&amp;D. Hope we see a fix soon. ----- Original Message ----- From: &quot;Malguy, Vincent&quot; &lt;Vincent.Malguy@xxxxxxxx&gt; To: &quot;Hal Jackson&quot; &lt;hal_jackson@xxxxxxxxxxx&gt;; &quot;Robert Hughes&quot; &lt;rob@xxxxxxxxxxxxx&gt;; &quot;FW1 Gurus&quot; &lt;fw1-gurus@xxxxxxxxxxxxxxxxxx&gt; Sent: Monday, February 09, 2009 11:12 AM Subject: RE: [fw1-gurus] fwm logexport - does it work against MDS in NGX-R65? I had the same problem after the same upgrade. I upgraded my script from: /opt/CPmds-R65/bin/fwm logexport -n -i /var/opt/CPmds-R65/customers/$CMA-NAME/CPsuite-R65/fw1/log/$file &gt;&gt; $CMA-NAME.$DATE.log to mdsenv $CMA-NAME /opt/CPmds-R65/bin/fwm logexport -n -i /var/opt/CPmds-R65/customers/$CMA-NAME/CPsuite-R65/fw1/log/$file &gt;&gt; $CMA-NAME.$DATE.log So I think you should try to &quot;mdsenv&quot; to your CMA prior to running fwm logexport. Vincent. -----Original Message----- From: fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx [mailto:fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Hal Jackson Sent: Sunday 8 February 2009 04:52 To: Robert Hughes; FW1 Gurus Subject: Re: [fw1-gurus] fwm logexport - does it work against MDS in NGX-R65? This is on the P-1 server, not the gateways. The P-1 server was upgraded from NGX-R62 no HFA to NGX-R65. I did a search on sk36423 and didn't find anything, but I saw some others fixed the issue that way. We usually just export on the management, not the gateways, and we are only having problems exporting the MDS's logs (CMA logs work). Someone in the &quot;community&quot; section of the CP support site suggests there might be an issue with a file lock, but that doesn't explain why mdsenv to another CMA allows the command to work - mdsenv is mainly changing env variables. ----- Original Message ----- From: Robert Hughes To: Hal Jackson ; FW1 Gurus Sent: Saturday, February 07, 2009 10:35 PM Subject: Re: [fw1-gurus] fwm logexport - does it work against MDS in NGX-R65? Should work. Were the firewalls upgraded? If so, you might want to open a ticket and mention sk36423. -----Original Message----- From: Hal Jackson [mailto:hal_jackson@xxxxxxxxxxx] Sent: Saturday, February 7, 2009 03:22 PM To: 'FW1 Gurus' Subject: [fw1-gurus] fwm logexport - does it work against MDS in NGX-R65? Using Provider01. We use fwm logexport to generate reports. Can't get it to work under NGX-R65, base version or with any hotfix including up to HFA 40. Get the message &quot;failed to convert database&quot;. </description>
<pubDate>Fri, 20 Feb 2009 05:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] can the management server ship logs to syslog</title>
<author>fw1-gurus@lists.phoneboy.com (Juan Concepcion)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01223.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01223.html</guid>
<description>You can have the module send them directly to the syslog server as well as the management station. Juan -----Original Message----- From: fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx [mailto:fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Danny Wacker Sent: Wednesday, February 18, 2009 1:31 PM To: fw1-gurus@xxxxxxxxxxxxxxxxxx Subject: [fw1-gurus] can the management server ship logs to syslog Hi folks: Management is R65 HFA 30 on Windows. Modules are UTM-1 2070 cluster R65 HFA30. Once the management server receives log entries from the modules, can it in turn ship them off via syslog? thanks. Danny </description>
<pubDate>Fri, 20 Feb 2009 05:55:02 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] can the management server ship logs to syslog</title>
<author>fw1-gurus@lists.phoneboy.com (Hamish Marson)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01222.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01222.html</guid>
<description> Quoting Danny Wacker &lt;daniel_wacker@xxxxxxxxx&gt;: I'm not sure it can. But you can write an app to read the logs (remotely) and write to syslog (or another logfile). H </description>
<pubDate>Thu, 19 Feb 2009 01:55:01 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] can the management server ship logs to syslog</title>
<author>fw1-gurus@lists.phoneboy.com (Danny Wacker)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01221.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01221.html</guid>
<description> Hi folks: Management is R65 HFA 30 on Windows. Modules are UTM-1 2070 cluster R65 HFA30. Once the management server receives log entries from the modules, can it in turn ship them off via syslog? thanks. Danny </description>
<pubDate>Wed, 18 Feb 2009 20:55:03 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] iPhone L2TP with VPN-1 R65 HFA30</title>
<author>fw1-gurus@lists.phoneboy.com (Robert Hughes)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01220.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01220.html</guid>
<description> I've set this up with several customers, so I know it works. Supporting AES-128 and forcing AES-128 are two different things. I don't recall having had to configure AES-128. But if you decide to try it, just make sure that AES-128 is selected in policy &gt; global properties &gt; remote access &gt; ike phase I and that enforce algorithm is unchecked under phase II. Though likely the person is thinking of an issue where ike_phase2_key_size isn't downloaded to Mac clients, causing many people to use AES-128 instead of editing the userc.C on the client. </description>
<pubDate>Mon, 16 Feb 2009 01:55:10 GMT</pubDate>
</item>
<item>
<title>[fw1-gurus] iPhone L2TP with VPN-1 R65 HFA30</title>
<author>fw1-gurus@lists.phoneboy.com (Torkel Mathisen)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01219.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01219.html</guid>
<description>Hi, Has anyone gotten L2TP to work from iPhone through R65 HFA30? I've done all the configuration stated in the release notes, but it still doesn't work. I've read somewhere that you need to support AES-128 on the gateway. We do support AES-128, however we use AES-256 on both Phase 1 and Phase 2. I have not tested yet if this is the problem because it will affect our RemoteAccess users and I can't do that on a Friday. Anyone know what the problem could be? Regards, Torkel </description>
<pubDate>Mon, 16 Feb 2009 01:47:53 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ?</title>
<author>fw1-gurus@lists.phoneboy.com (Juan Concepcion)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01218.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01218.html</guid>
<description>There is, by request, a build that has a 2.6 kernel which should support the hardware. The problem at present is verifying all the hotfixes included as part of the build, since normal hotfixes put out for R65 will not install on the 2.6 build. Juan -----Original Message----- From: Chris Campbell &lt;chris.campbell@xxxxxxxxxxxxxxxxxxxx&gt; Date: Wed, 11 Feb 2009 23:23:30 To: Eric Janz&lt;eric.janz@xxxxxxxxxxxxx&gt;; FireWall-1 Gurus Mailinglist&lt;fw1-gurus@xxxxxxxxxxxxxxxxxx&gt; Subject: Re: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ? </description>
<pubDate>Mon, 16 Feb 2009 01:47:53 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ?</title>
<author>fw1-gurus@lists.phoneboy.com (pkc_mls)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01217.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01217.html</guid>
<description> Eric Janz wrote: If the machine is not in the HCL, it is not recommended to use it with NGX R65. If you already have the hardware, you can at least try the hardware compatibility testing tool http://www.checkpoint.com/services/techsupport/hcl/testing_tool.html </description>
<pubDate>Mon, 16 Feb 2009 01:47:53 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Nokia IP 390 memory</title>
<author>fw1-gurus@lists.phoneboy.com (Steve Moran)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01216.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01216.html</guid>
<description>Just don&#8217;t bring up the fact that you&#8217;re running non-Nokia memory. When Nokia released IPSO 4.1 (I think), the IP350 was able to support 2GB, but Nokia didn&#8217;t make it, and I couldn&#8217;t buy it from them. So I put some &#8216;other&#8217; memory into it, and I haven&#8217;t had a problem yet, neither with the memory nor support. From: fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx [mailto:fw1-gurus-bounces@xxxxxxxxxxxxxxxxxx] On Behalf Of Chris Campbell Sent: Tuesday, February 10, 2009 3:30 AM To: Toomas Vahtra; fw1-gurus@xxxxxxxxxxxxxxxxxx Subject: Re: [fw1-gurus] Nokia IP 390 memory From: Toomas Vahtra &lt;toomas.vahtra@xxxxxxxxx&gt; Date: Sun, 8 Feb 2009 16:14:55 +0200 To: &lt;fw1-gurus@xxxxxxxxxxxxxxxxxx&gt; Subject: [fw1-gurus] Nokia IP 390 memory Hi, Does anyone know what kind of memory the IP 390 uses? Well, prices from Nokia resellers for a memory upgrade are just ridiculous. Thanks They might be overpriced, but putting non-Nokia RAM in your appliance will void your warranty/support. </description>
<pubDate>Mon, 16 Feb 2009 01:47:53 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ?</title>
<author>fw1-gurus@lists.phoneboy.com (mithun )</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01215.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01215.html</guid>
<description> Hi, I am not sure about the hardware details, but I have another doubt. I also will be doing an upgrade from R55 to NGX R65. The box running now is Alteon; now I am going to replace it with a Checkpoint UTM appliance. Can I directly upgrade from R55 to NGX R65, or restore the R55 backup? Best Wishes &amp; Regards Mithun On Wed, 11 Feb 2009 23:05:12 +0530 wrote >Hi, > >We are planning to upgrade our current Checkpoint deployment from R55 NG >with AI to NGX R65. My question is hardware related. > >We would like to buy two HP ProLiant DL 385p but the Checkpoint >hardware compatibility list at >http://www.checkpoint.com/services/techsupport/hcl/vpn1.html lists only >the HP ProLiant DL 385 G5. Has somebody used SecurePlatform NGX R65 on >this hardware? > >The reason to use this HP model is that it seems that the 385 G5 does >not support the latest AMD Opteron Processor 2384 but we would like to >have the higher performance from the 2384. > >Comparison between AMD Opteron 2356 and 2384: >http://products.amd.com/en-us/OpteronCPUSideBySide.aspx?id=419&amp;id=494 > > >Thanks in advance for any advice, >Best Regards > >Eric Janz >Love &amp; Regards Mithun Benoy </description>
<pubDate>Mon, 16 Feb 2009 01:47:53 GMT</pubDate>
</item>
<item>
<title>Re: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ?</title>
<author>fw1-gurus@lists.phoneboy.com (Chris Campbell)</author>
<link>http://fw1-gurus.phoneboy.com/archive/msg01214.html</link>
<guid>http://fw1-gurus.phoneboy.com/archive/msg01214.html</guid>
<description>Title: Re: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ? From: Eric Janz &lt;eric.janz@xxxxxxxxxxxxx&gt; Date: Wed, 11 Feb 2009 12:11:08 +0100 To: FireWall-1 Gurus Mailinglist &lt;fw1-gurus@xxxxxxxxxxxxxxxxxx&gt; Subject: [fw1-gurus] Somebody knows if SPLAT NGX R65 will run on an HP ProLiant DL385 G5p ? Hi, We are planning to upgrade our current Checkpoint deployment from R55 NG with AI to NGX R65. My question is hardware related. We would like to buy two HP ProLiant DL 385p but the Checkpoint hardware compatibility list at http://www.checkpoint.com/services/techsupport/hcl/vpn1.html lists only the HP ProLiant DL 385 G5. Has somebody used SecurePlatform NGX R65 on this hardware? The reason to use this HP model is that it seems that the 385 G5 does not support the latest AMD Opteron Processor 2384 but we would like to have the higher performance from the 2384. Comparison between AMD Opteron 2356 and 2384: http://products.amd.com/en-us/OpteronCPUSideBySide.aspx?id=419&amp;id=494 Thanks in advance for any advice, Best Regards Eric Janz It all comes down to support. If you use the newer hardware and you run into a problem, Check Point aren&#8217;t going to be able to support you if it&#8217;s a driver/hardware issue. You are best off sticking with what the hardware compatibility list says or asking your reseller for the most up to date list. Chris. </description>
<pubDate>Mon, 16 Feb 2009 01:47:53 GMT</pubDate>
</item>

</channel>
</rss>

