Re: [FW-1] Cannot connect with SecuRemote (SR)

Subject: Re: [FW-1] Cannot connect with SecuRemote (SR)
From: Charalambos Klitiropoulos <klitiro AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 30 Dec 2005 19:45:56 +0200
Hello,

if I had to choose one component of FW-1 that I trust the most, it would be
its logging facility. Having said that, if you do not see a log entry in
your logs it can mean only two things: a) the packet never reached your
firewall, or b) you do not log what you are searching for. Obviously the first
case is the most difficult to troubleshoot, as you are almost blind, since
on most occasions you can only check your border gateway's access lists.
Check your rulebase for relevant rules where tracking is disabled. Also, if
you use any of the implied rules, enable logging for them. Personally, I
always enable that option even in cases where I have disabled all implied
rules.

SecuRemote uses the TCP/264 port in order to communicate with your firewall
and create or update a site. An easy way of testing if your firewall is
reachable from your external network is to do a telnet on that port.

There is a workaround though if you have a secure way of giving your users
the config file they need (from my experience Directors and VPs can be a bit
hasty and tend to demand fast results). Install SecuRemote on a system and
create the site topology. A file called userc.C will be created in the
database subfolder of SR's installation folder. Distribute this file to your
users and have them copy it to the right folder. Then all they need to do is
restart SR's services (if their system account has such privileges) or
reboot their computer.

On 30/12/05, Chris Moore <christopher.b.moore AT gmail DOT com> wrote:
>
> Hello,
>
> I'm having difficulty getting my users connected with SR.  I'm running
> NG-AI R55, and the clients are R56, Build 615 or 619.
>
> The problem began when I could no longer get into the SmartDashboard GUI.
> Searching for the solution, I discovered I needed to reset SIC, which I
> did.  In doing so, I created a new Internal CA and invalidated all my
> users.  I instructed everyone to update their sites which worked for the
> majority, however others needed a complete reinstall or upgrade.
>
> Nevertheless, I still have a select few users that cannot connect to the
> server.  The errors are "Update failed" or, if creating a new site, they
> get timeouts.  Strangely, in the logs I don't see any activity of the
> attempt to connect, which leads me to believe something is blocking it on
> their site or somewhere in the middle.  One particular user has both cable
> and DSL connections and could not connect while on DSL.  Switching to
> cable did the trick.  Now that the site has been created, he can
> successfully reconnect over DSL.  Unfortunately most of my users have only
> a single broadband connection.
>
> I consider myself an advanced Check Point admin.  Can someone give me any
> clues as to where to investigate now, either within the GUI, CLI, or on
> the client end?  Of course, all the unsuccessful users left are Directors
> and VPs!!
>
> Thanks in advance,
> Chris

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
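The reply above recommends a telnet to TCP/264 to tell whether the gateway is reachable from the client's network. The script below is an added example (not part of the original post or of any Check Point tool) that performs the same TCP-connect probe and maps the outcome onto the reply's two explanations for an empty log; the interpretation strings and the local-listener self-check are assumptions for illustration.

```python
import socket

SR_TOPOLOGY_PORT = 264  # port SecuRemote uses to create or update a site


def probe_tcp(host, port=SR_TOPOLOGY_PORT, timeout=5.0):
    """TCP-connect probe; returns 'open', 'refused', 'timeout', 'unreachable' or 'dns-failure'."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns-failure"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)            # full three-way handshake, like `telnet host 264`
        return "open"
    except socket.timeout:            # no SYN/ACK and no RST: filtered somewhere on the path
        return "timeout"
    except ConnectionRefusedError:    # RST came back: host reached, nothing listening on 264
        return "refused"
    except OSError:                   # e.g. no route to host: a local problem, not the firewall
        return "unreachable"
    finally:
        sock.close()


def interpret(result):
    """Map a probe result onto the two cases in the reply: packet never arrived, or not logged."""
    return {
        "open": "gateway reachable on TCP/264; if SR still fails, check rule tracking and implied-rule logging",
        "refused": "gateway host reached but nothing answers on TCP/264; look at the gateway, not the path",
        "timeout": "no answer at all; consistent with an empty log, something upstream drops the packet",
        "unreachable": "no route from this client; a local network problem on the client's side",
        "dns-failure": "the site name does not resolve; check the name the client uses for the gateway",
    }[result]


def self_check():
    """Offline demonstration (constructed): probe a local listener, then the same port once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port stands in for the gateway's TCP/264
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close    # expected: ("open", "refused")


if __name__ == "__main__":
    import sys
    result = probe_tcp(sys.argv[1]) if len(sys.argv) > 1 else None
    print(interpret(result) if result else self_check())
```

Run it with the gateway's external name or address as the only argument from the affected user's network; with no argument it runs the offline self-check.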