Hi Gurus,
I am in desperate need of help from you gurus.
Scenario:
Background:
I am running IPSO 3.7.1 build 20 on the Nokia IP530 with Check Point NG Feature Pack 3 and HFA_325. The Nokia is being managed by Provider-1 NG Feature Pack 3 with HFA_318. Provider-1 is running on Solaris 9. In the Nokia configuration, I put in 3 different IP addresses for the DNS servers (199.0.216.222, 129.174.1.8 and 129.174.1.13). From the CLI of the Nokia, I can do NSLOOKUP for yahoo.com, comcast.net and cox.net, so name resolution is correct. For testing purposes, I even have the implied rule for DNS (udp) set to First.
Problem:
In the security policy, we have the following rule (let's call it rule #5):

Source         Dest.      Service      Action    Install on
.cox.net       7.7.7.7    http/https   accept    Nokia
.comcast.net
where 7.7.7.7 is NATed by the firewall to 192.168.1.7. In terms of connectivity, hosts on the Internet can ping this server fine.
Whenever a host on the Internet tries to do http or https to host 7.7.7.7 from either .cox.net or .comcast.net, I see the connection being dropped by the "cleanup" rule. Upon further investigation, I noticed that whenever the connection comes from .cox.net or .comcast.net, the Nokia never bothers to do a reverse DNS lookup.
Upon further investigation, I found out that Check Point had an issue with domain objects dropping the connection on the cleanup rule. However, that issue was fixed in HFA_317 (actually HFA_317-11 is what it said in the release notes). I am running HFA_325 on the Nokia and HFA_318 on Provider-1, so the fix is already included.
We're currently in a situation where upgrading to AI or even HFA_327 is NOT an option for us.
The thing that bothers me is that we have another customer with an identical setup, and domain objects work for that customer. Same IPSO, hardware and Check Point version.
I opened a TAC case with Nokia, and those useless Nokia TAC engineers have no answers for me. They suggested that (surprise) we should upgrade to AI or NGX. They told me that they will escalate this issue to Check Point. Knowing Check Point TAC as well as I do, they are not much help either. I get better answers in this group than from both Check Point and Nokia combined.
Anyone run into this issue regarding domain-object before? How do you fix it?
Thank you everyone.
cisco4ng
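The post says the gateway "never bothers to do a reverse DNS lookup" for the .cox.net/.comcast.net sources, and that the connections then land on the cleanup rule. The short Python model below is an added example (not code from the original post, Check Point or Nokia) of what a domain object of that era has to do to match a packet: reverse-resolve the client's source IP to a PTR name, then compare the suffix. It uses a constructed PTR table in place of real DNS so it runs offline; the 203.0.113.x addresses and host names are made up, and the rule numbers are only a stand-in for the poster's rulebase. The point it makes is that a source IP with no PTR record, or a PTR in a different domain, can never hit rule 5, so the first rule that does match is the cleanup rule.

```python
import socket

# Constructed PTR table standing in for the DNS the gateway would query.
# Every address and host name here is made up for this example (RFC 5737 range).
FAKE_PTR = {
    "203.0.113.10": "c-203-0-113-10.hsd1.va.comcast.net.",  # PTR ends in .comcast.net
    "203.0.113.20": "ip20.dc.cox.net",                       # PTR ends in .cox.net
    "203.0.113.30": None,                                    # no PTR record at all
    "203.0.113.40": "mail.example.org.",                     # PTR in some other domain
    "203.0.113.50": "notcox.net",                            # looks similar, must not match
}


def fake_reverse_lookup(ip):
    """Offline stand-in for a PTR query; raises like socket.gethostbyaddr on NXDOMAIN."""
    name = FAKE_PTR.get(ip)
    if name is None:
        raise socket.herror(1, "Unknown host")
    return name


def system_reverse_lookup(ip):
    """Real PTR query through the OS resolver (what you would use on a live box)."""
    return socket.gethostbyaddr(ip)[0]


def matches_domain_object(ip, domain_suffix, reverse=fake_reverse_lookup):
    """Emulate an NG-style domain object: reverse-resolve the IP, then compare the suffix.

    If the reverse lookup fails, or returns a name outside the domain, the object
    does not match and the packet falls through to the later rules.
    """
    try:
        name = reverse(ip)
    except (socket.herror, socket.gaierror, OSError):
        return False
    name = name.rstrip(".").lower()
    suffix = domain_suffix.lower()
    if not suffix.startswith("."):
        suffix = "." + suffix          # require a label boundary: "notcox.net" != ".cox.net"
    return name.endswith(suffix)


# Minimal rulebase mirroring the post: rule 5 with two domain objects, then the cleanup rule.
# (Rule number 6 for cleanup is an assumption; the post does not give it.)
RULEBASE = [
    {"no": 5, "src": [".cox.net", ".comcast.net"], "dst": "7.7.7.7",
     "svc": {"http", "https"}, "action": "accept"},
    {"no": 6, "src": ["Any"], "dst": "Any", "svc": "Any", "action": "drop"},  # cleanup
]


def evaluate(src_ip, dst_ip, service, reverse=fake_reverse_lookup):
    """Return (rule number, action) of the first rule that matches the connection."""
    for rule in RULEBASE:
        src_ok = any(s == "Any" or matches_domain_object(src_ip, s, reverse)
                     for s in rule["src"])
        dst_ok = rule["dst"] in ("Any", dst_ip)
        svc_ok = rule["svc"] == "Any" or service in rule["svc"]
        if src_ok and dst_ok and svc_ok:
            return rule["no"], rule["action"]
    return None


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, "->", evaluate(ip, "7.7.7.7", "http"))
```

Note that the poster's NSLOOKUP tests of yahoo.com, comcast.net and cox.net are forward (A record) queries; a domain object needs the reverse (PTR) zone for the client's address to answer. Swapping `system_reverse_lookup` in for `fake_reverse_lookup` on a host that can reach the same DNS servers as the gateway shows whether the actual client IPs resolve to names under .cox.net or .comcast.net at all.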
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================