Re: [FW-1] Policy Push

Subject:	Re: [FW-1] Policy Push
From:	fwguru <fwguru AT GMAIL DOT COM>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Mon, 17 Jul 2006 23:58:57 -0400

A packet is matched against the rule base only when a new connection
is established. Like Ray said, keeping all connections after changing
the policy will not enforce the new policy on existing connections.
For some, this can be a security issue.

Regards,
Neil Delacruz


On 7/11/06, Ray <sixsigma44 AT hotmail DOT com> wrote:

Odd. I use "rematch" and do not have this issue, running R55 HFA17 on IPSO
3.9, no VRRP.

Bear in mind that "keep" will keep all existing connections even if the new
security policy does not allow them. They will persist until they end
themselves.

Ray

>From: Peter Addy <waveman38 AT YAHOO DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Policy Push
>Date: Tue, 11 Jul 2006 14:11:15 -0700
>
>Excellent sorted, many thanks
>
>cisco4ng <cisco4ng AT yahoo DOT com> wrote:    You should stick with "keep all
>connections".  that way your vpn will not go
>   down after a policy is pushed.
>
>
>
>Peter Addy <waveman38 AT YAHOO DOT COM> wrote:
>   Hi
>
>Does anyone know why vpn connections would break each time a policy was
>pushed to a piar of firewalls running NGAI R55 ipso 3.9 running vrrp nokia
>IP740
>
>Vpn connectrions are only restored after another policy push, not seen this
>one before ??
>
>We have rematch connections set for each policy install
>Thanks again
>
>
>---------------------------------
>Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates
>starting at 1¢/min.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================
>
>
>---------------------------------
>   Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+
>countries) for 2¢/min or less.
>
>
>---------------------------------
>Want to be your own boss? Learn how on  Yahoo! Small Business.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] Policy Push, (continued) [FW-1] Policy Push, Peter Addy Re: [FW-1] Policy Push, cisco4ng Re: [FW-1] Policy Push, Peter Addy Re: [FW-1] Policy Push, Ray [FW-1] Solaris 9 BGE card and NGX60, Clive Luk Re: [FW-1] Solaris 9 BGE card and NGX60, Ramki Security Re: [FW-1] Solaris 9 BGE card and NGX60, Clive Luk Re: [FW-1] Solaris 9 BGE card and NGX60, Ramki Security Re: [FW-1] Solaris 9 BGE card and NGX60, Clive Luk Re: [FW-1] Solaris 9 BGE card and NGX60, Ramki Security Re: [FW-1] Policy Push, fwguru <=

Previous by Date:	Re: [FW-1] CVP: R61 blocks http/1.1, R60 passes compressed traffic unchecked, fwguru
Next by Date:	Re: [FW-1] Firewall slowdown?, fwguru
Previous by Thread:	Re: [FW-1] Solaris 9 BGE card and NGX60, Ramki Security
Next by Thread:	Re: [FW-1] NGX Hotfix Confusion !, Ramki Security
Indexes:	[Date] [Thread] [Top] [All Lists]