Re: [FW-1] Active Directory replication between VPN site-site-tunnels

Subject: Re: [FW-1] Active Directory replication between VPN site-site-tunnels
From: Christian Chiaverini <cchiaver AT CV DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 25 Oct 2005 14:30:23 -0400
You don't have to disable all of SmartDefense, just the DNS protocol
inspection part.

Who said it was all or nothing?



On Tue, 2005-10-25 at 13:52 -0400, Tony Pombo wrote:
> Microsoft is always going to change things, but why should I have to
> completely disable enterprise-wide protection just so two windows PCs can
> communicate?
> 
> My point is that I should be able to apply SmartDefense settings
> selectively.  Currently, it's all or nothing.  That's the bad design I speak
> of.
> 
> -----------------------------------------------
> Tony Pombo
> Systems and Security Architect
> Edict Systems, Inc.
> 937-429-4288 x279
> tony.pombo AT edictsystems DOT com
> 
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Christian Chiaverini
> Sent: Tuesday, October 25, 2005 12:40 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Active Directory replication between VPN
> site-site-tunnels
> 
> If Microsoft breaks the protocol and it is then dropped, SmartDefense is
> doing exactly what it is supposed to do.  Microsoft has deviated from
> the RFCs before; in this case they may be doing it again.
> 
> Report this to CheckPoint and they may ignore the bad packets Microsoft
> sends when inspecting this in a hotfix or update of SmartDefense.
> 
> 
> Christian Chiaverini
> CCSE
> 
> 
> 
> On Tue, 2005-10-25 at 10:19 -0400, Tony Pombo wrote:
> > I need to disable the DNS UDP protection for my entire firewall system just
> > so a couple domain controllers can talk?  So, now I'm no longer protected
> > against bad DNS UDP packets from the Internet?  That's no good.
> > 
> > In this manner, the entire SmartDefense architecture seems poorly designed.
> > 
> > -----------------------------------------------
> > Tony Pombo
> > Systems and Security Architect
> > Edict Systems, Inc.
> > 937-429-4288 x279
> > tony.pombo AT edictsystems DOT com
> > 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
> > Sent: Tuesday, October 25, 2005 7:33 AM
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: Re: [FW-1] Active Directory replication between VPN
> > site-site-tunnels
> > 
> > This is quite simple.  Under SmartDefense, there is an option under DNS to
> > turn off "udp protocol enforcement".  Just simply uncheck the box and re-push the
> > policy.  It will work after that.
> >  
> > cisco4ng
> > 
> > Loge VK <logevk AT GMAIL DOT COM> wrote:
> > I hope you have tried enabling Domain Name over UDP and TCP in Global
> > Properties... If you don't want to do that, then add an explicit rule with
> > service domain-udp for this to pass.
> > Loge VK
> > 
> > On 10/25/05, Kalpesh Patel wrote:
> > >
> > > Hi
> > >
> > > We have a Site-to-Site VPN tunnel between UK, Paris and Munich with "any"
> > > service going through the rule (for now).
> > >
> > > We have now moved over to Microsoft Active Directory (Windows 2003 SP1)
> > > and for some reason I'm seeing "domain-udp" drops in the firewall logs
> > > between the domain controllers, and the DCs are not replicating through the
> > > firewalls.
> > >
> > > Does anyone have a solution to this?
> > >
> > > Regards
> > > Kalpesh
> > >
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > fw-1-owner AT ts.checkpoint DOT com
> > > =================================================
> > >
> > 
> > 
> 
-- 



Christian Chiaverini
Cablevision Systems - BISC
516 390-5401
christianc AT cv DOT net


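The disagreement in the thread is whether the "domain-udp" drops hit only the domain-controller pairs across the VPN or also traffic from the Internet, which decides how much of the DNS protection you would actually give up by unchecking the box. This added Python triage script is not from the thread or from Check Point: it buckets drop records by endpoint class over constructed sample log lines in an assumed key=value layout, with hypothetical DC addresses and internal ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines. The key=value layout is assumed for
# illustration only; it is not Check Point's actual log format.
SAMPLE_LOG = """\
time=2005-10-25T10:01:02 action=drop src=10.1.0.10 dst=10.2.0.10 proto=udp dport=53 service=domain-udp reason=smartdefense-dns
time=2005-10-25T10:01:05 action=drop src=10.2.0.10 dst=10.1.0.10 proto=udp dport=53 service=domain-udp reason=smartdefense-dns
time=2005-10-25T10:02:11 action=drop src=198.51.100.7 dst=10.1.0.10 proto=udp dport=53 service=domain-udp reason=smartdefense-dns
time=2005-10-25T10:03:00 action=accept src=10.1.0.10 dst=10.3.0.10 proto=udp dport=53 service=domain-udp reason=
"""

# Hypothetical inventory: one domain controller per VPN site, and the
# address space that counts as "inside" (behind any of the VPN gateways).
DOMAIN_CONTROLLERS = {"10.1.0.10", "10.2.0.10", "10.3.0.10"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict (empty values allowed)."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Count domain-udp drops as DC-to-DC, other internal, or external.

    Returns (buckets, dc_pairs): buckets counts drops per class, dc_pairs
    counts drops per (src, dst) pair where both ends are domain controllers.
    """
    buckets = Counter()
    dc_pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "drop" or rec.get("service") != "domain-udp":
            continue
        src, dst = rec["src"], rec["dst"]
        if src in DOMAIN_CONTROLLERS and dst in DOMAIN_CONTROLLERS:
            buckets["dc_to_dc"] += 1
            dc_pairs[(src, dst)] += 1
        elif is_internal(src) and is_internal(dst):
            buckets["internal_other"] += 1
        else:
            # A drop with an outside endpoint is the protection you keep.
            buckets["external"] += 1
    return buckets, dc_pairs
```

If every drop lands in the dc_to_dc bucket, the enforcement is only interfering with replication between known controllers; any count in the external bucket shows what the same check is stopping from the Internet.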