Firewall-1

Subject: Re: [FW-1] FW-1-MAILINGLIST Digest - 24 Sep 2006 to 25 Sep 2006 (#2006-256)
From: Eddie <edward.faulds AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 26 Sep 2006 11:53:56 +0200
I have a problem with VRRP. All settings are correct (I assume): interfaces
are set correctly, VRRP settings are correct. When typing cphaprob stat it
shows that both are active. However, after going into iclid, show vrrp shows
both as master.

Platform is Nokia IP 130
Just rebuilt, factory install etc.

Help?

On 9/26/06, FW-1-MAILINGLIST automatic digest system <LISTSERV AT amadeus.us.checkpoint DOT com> wrote:

There are 10 messages totalling 847 lines in this issue.

Topics of the day:

  1. FW-1 and Asterisk PBX (2)
  2. Connecting Clustered firewalls to two cisco ports?
  3. exclude CP firewall from the encryption domain in VPN simplified mode (2)
  4. High Availability VRRP Outgoing traffic behavior (2)
  5. IPSO 4.x and Checkpoint NGx combination explanation needed
  6. Need help on upgrading (2)

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

----------------------------------------------------------------------

Date:    Mon, 25 Sep 2006 09:46:26 +0200
From:    Markus Hauke <markus AT FAMILIE-HAUKE DOT DE>
Subject: FW-1 and Asterisk PBX

Hi there,

I've just configured an Asterisk PBX with some SIP phones connected to
it on the LAN and an ISDN link. So far everything is working fine. But
now I've tried to connect the PBX to an external SIP provider
(sipgate.de in this case) through my VPN-1 NGX R61. I configured static
NAT for the Asterisk machine, but the SIP registration fails all the
time. I observed some strange behavior in the NAT. The SIP registration
packet (source port 5060, destination port 5060) reaches the firewall,
which changes the source port at the interior interface and again to
another high port at the exterior interface. But the answer packet is not
translated back correctly. This is what I see in fw monitor (n.n.n.n is my
external IP address, 217.10.79.9 is the sipgate proxy):

eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060

eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973

So you can see, the answer packet does not get translated back to
destination port 5060 and will not be accepted by the Asterisk machine
(it answers with an ICMP port unreachable...).

Does anyone have a hint for me? There are no SmartDefense settings for SIP,
and I tried to configure a VoIP Domain SIP Proxy rule with no success.

Thanks
Markus
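As an added example (not from Markus' post or from Check Point's tooling), a Python checker that parses the fw monitor records quoted above, groups them into the i/I/o/O trace of each packet and reports which field of the reply was left untranslated; the sample input is the trace above, with n.n.n.n kept as the poster's placeholder for the external address.

```python
"""NAT symmetry check for Check Point `fw monitor` output (added example).

fw monitor logs a packet at inspection points i/I/o/O (pre/post inbound,
pre/post outbound), two lines each: an IP header line and a transport line.
"""
import re
from dataclasses import dataclass

# Constructed sample: the trace posted above, with n.n.n.n kept as the
# poster's placeholder for the firewall's external address.
SAMPLE = """\
eth1.10:i[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 5060 -> 5060
eth1.10:I[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:o[502]: 172.17.1.167 -> 217.10.79.9 (UDP) len=502 id=0
UDP: 17973 -> 5060
eth0:O[510]: n.n.n.n -> 217.10.79.9 (UDP) len=510 id=0
UDP: 40625 -> 5060

eth0:i[404]: 217.10.79.9 -> n.n.n.n (UDP) len=404 id=5495
UDP: 5060 -> 40625
eth0:I[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:o[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
eth1.10:O[398]: 217.10.79.9 -> 172.17.1.167 (UDP) len=398 id=5495
UDP: 5060 -> 17973
"""

HDR = re.compile(
    r"^(?P<iface>[\w.]+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+\(\w+\)\s+len=\d+\s+id=\d+$"
)
PORTS = re.compile(r"^\w+:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)$")
# Request-side source field and the reply-side field that must mirror it.
MIRROR = {"src": "dst", "sport": "dport"}

@dataclass
class Hop:
    iface: str
    point: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_fw_monitor(text):
    """Turn fw monitor text into Hop records, one per header/transport pair."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hops = []
    for hdr_line, port_line in zip(lines[0::2], lines[1::2]):
        h, p = HDR.match(hdr_line), PORTS.match(port_line)
        if not h or not p:
            raise ValueError(f"unparsable record: {hdr_line!r} / {port_line!r}")
        hops.append(Hop(h["iface"], h["point"], h["src"], int(p["sport"]),
                        h["dst"], int(p["dport"])))
    return hops

def group_packets(hops):
    """Split hops into per-packet traces: a routed packet is logged at i, I,
    o, O in that order, so each pre-inbound point 'i' opens a new trace."""
    packets = []
    for hop in hops:
        if hop.point == "i" or not packets:
            packets.append([])
        packets[-1].append(hop)
    return packets

def translations(trace):
    """(from_point, to_point, field, before, after) for every address field
    that changed between consecutive inspection points of one packet."""
    changes = []
    for a, b in zip(trace, trace[1:]):
        for field in ("src", "sport", "dst", "dport"):
            if getattr(a, field) != getattr(b, field):
                changes.append((a.point, b.point, field,
                                getattr(a, field), getattr(b, field)))
    return changes

def nat_mismatches(request, reply):
    """End-to-end check: the fully translated reply (its last hop) must be
    addressed to the request's original source (its first hop).
    Returns (reply_field, expected, actual) for each field left untranslated."""
    orig, final = request[0], reply[-1]
    return [(MIRROR[f], getattr(orig, f), getattr(final, MIRROR[f]))
            for f in MIRROR if getattr(orig, f) != getattr(final, MIRROR[f])]

def analyze(text):
    """Parse a request/reply trace; an empty result means the NAT is symmetric."""
    request, reply = group_packets(parse_fw_monitor(text))[:2]
    sent, back = request[-1], reply[0]  # what left at O, what the peer returned
    if (back.dst, back.dport) != (sent.src, sent.sport):
        raise ValueError("reply is not addressed to the translated request")
    return nat_mismatches(request, reply)

if __name__ == "__main__":
    for field, expected, actual in analyze(SAMPLE):
        print(f"reply {field} is {actual}, expected {expected}: not translated back")
```

On the trace above the checker confirms the proxy answered the right translated address but that the reply's destination port stopped at 17973 instead of being restored to 5060, which is exactly what Asterisk rejects with ICMP port unreachable.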


------------------------------

Date:    Mon, 25 Sep 2006 10:40:36 +0200
From:    Fabrice Barutel <fabrice.barutel AT STERIA DOT COM>
Subject: Re: Connecting Clustered firewalls to two cisco ports?

Hi,

If your customer wants to have high availability, then he needs two
switches or hubs between the router and the two firewalls (each firewall
is on a different switch/hub). The switches are connected with two links
(crossover cables, for example).
In the end, the last "point of failure" could be the router or the
external link connected to the router.

--
Fabrice  Barutel
Network and Security Administrator
fabrice.barutel AT steria DOT com

-----------------------------

Date:    Sun, 24 Sep 2006 14:39:55 +0200
From:    Hadmut Danisch <hadmut AT DANISCH DOT DE>
Subject: Re: Connecting Clustered firewalls to two cisco ports?

On Sat, Sep 23, 2006 at 01:32:42PM -0600, Sergio Alvarez wrote:
>
> BTW... why is it that you don't want to put a switch or hub between the
> cluster and the router?

Customer request. The customer does not want to set up a high availability
firewall on one hand, and then add another single point of failure on the
other hand.


regards
Hadmut


------------------------------

Date:    Mon, 25 Sep 2006 03:12:16 -0700
From:    cisco4ng <cisco4ng AT YAHOO DOT COM>
Subject: Re: FW-1 and Asterisk PBX

This will NOT work as long as your local SIP proxy is behind a Check Point,
Juniper/NetScreen or Cisco PIX firewall. These vendors claim to be
"SIP compliant"; however, it is not a guaranteed thing. For this to work
properly, you would need something like a Session Border Controller (SBC)
at the near end and the far end.

  I went through something similar a few months ago with Asterisk on a
Juniper/NetScreen firewall.

  HTH


------------------------------

Date:    Mon, 25 Sep 2006 07:44:04 -0700
From:    cisco4ng <cisco4ng AT YAHOO DOT COM>
Subject: Re: exclude CP firewall from the encryption domain in VPN simplified mode

Scott,
  Thanks for the info. The Check Point sk ID is sk25675.

  That being said, I performed "cpstop" on both the Active and Standby
SmartCenter and edited the $FWDIR/lib/user.def file with the vi editor. I
performed "cpstart" on both the Active and Standby SmartCenter after that.
The problem is that after the policy is pushed, I checked the user.def file
again and it seems like the changes I made were not there anymore.

  I looked at the sk solution again and it specifically stated that this
solution is for NG AI and not NGx R61. It seems to me that CP is doing
something in NGx R61.

  Any ideas? Thanks.

  cisco4ng

Scott Tobias <stobias14 AT GMAIL DOT COM> wrote:
  I have seen some documentation from Check Point that allows excluding
traffic from a certain IP address so that it is not encrypted. The changes
they discuss in the user.def are

#define NON_VPN_TRAFFIC_RULES \
    (icmp, src=212.150.30.22)

You could try setting it so traffic whose source or destination is the
VRRP address is not encrypted. So it should look something like the
following

#define NON_VPN_TRAFFIC_RULES \
    (icmp, src=192.168.1.1) or (icmp, dst=192.168.1.1)

I am sure there is a better way to do this but it might accomplish
what you are trying to do.

On 9/24/06, cisco4ng wrote:
>
> Martin,
>
> Well, in the checkpoint firewall, I manually create a group object
> called "CP_Encryption_Domain" and place LAN_B (network 192.168.1.0/24) in
> the CP_Encryption_Domain group object. 192.168.1.2/24 is the physical
> IP address of the firewall and 192.168.1.1 is the VRRP IP address of
> the CP firewall. Are you telling me that I should "exclude" both the
> 192.168.1.2 and 192.168.1.1 IP addresses from the CP_Encryption_Domain
> group object?
>
> Another thing is that if I "exclude" the 192.168.1.2 and .1 from the
> "CP_Encryption_Domain" group object, then the encryption on the Cisco
> side will NOT match and the VPN tunnel will fail due to an encryption
> domain mismatch.
>
> Any ideas?
>
> cisco4ng
>
> Martin Hoz wrote:
> On 9/24/06, cisco4ng wrote:
> > With VPN "traditional" mode, the Checkpoint FW itself, by
> > default, is NOT part of encryption domain but in
> > simplified mode, it is. Is there a way to exclude the
> > Checkpoint itself from the encryption domain in NGx in
> > VPN "simplified" mode?
>
> Those are the defaults, as you said. But you can as well specify the
> encryption domain manually on the topology tab and specify whatever you
> want as encryption domain there, including just the network objects you
> need...
>
> Are you doing it this way (manually specified) and it doesn't work, or
> are you leaving the defaults so the encryption domain is calculated based
> on the topology?
>
> - Martín.
>
> --
> **** What have you done today to save water?
> ** My web page: http://gama.fime.uanl.mx/~mhoz/
> * "We are a consequence of the past, and a cause of our future."
> ** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
>
>


------------------------------

Date:    Mon, 25 Sep 2006 11:34:01 -0500
From:    Lino Eduardo Avila Rodríguez <leavila AT SCITUM.COM DOT MX>
Subject: Re: High Availability VRRP Outgoing traffic behavior

Well


First of all, I should say that either you use ClusterXL or you use VRRP; I
think that your problem resides there. I've never seen this configuration
and I don't think it is correct at all. Try using only VRRP, and verify
whether everything is working fine.


Best regards

lino
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Pedro
Boavida
Sent: Friday, 22 September 2006 06:06 a.m.
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] High Availability VRRP Outgoing traffic behavior

Hi,

I'd like some clarification regarding the following situation:

Environment:
Nokia IP1260 Cluster with 2 Members (IPSO 4.0 with NGX R60 HFA04) using
3rd Party VRRP High Availability and Cluster XL for the Sync Network

VRRP:
- VRRP Monitored Circuits using Legacy Configuration
- 3rd Party Configuration (Cluster Object)
- Support for non-sticky connections - Disable
- Hide Cluster Members outgoing traffic behind the ClusterIP address - Enable
- Forward Cluster Incoming traffic to Cluster Members IP address - Enable

Problem:
Assuming this, when we initiate a connection from the active member, if we
make a tcpdump, the connection's SourceMAC is the VRRP_MAC and the SourceIP
is the VIP, and in SmartTracker we see the IP of the active member being
translated to the Cluster IP (VIP) by an implied rule. Well, this is the
normal behavior.

If we make a connection from the standby member, we see the connection
getting out (SYN); the SourceMAC is the LocalMAC and the SourceIP is the VIP
from the member, and in SmartTracker we see the IP of the standby member
being translated to the Cluster IP (VIP) by an implied rule. The connection
is unsuccessful because the SYN/ACK will return to the VIP address and will
be processed by the active member, so I cannot initiate any connection
using the standby member. Well, this should be the normal behavior also.

The problem is that this behavior is not true on all interfaces of the
standby member. On some interfaces the connection is initiated with
SourceMAC=LocalMAC and SourceIP=LocalIP, and in SmartTracker we don't see
the IP of the member being translated to the Cluster IP (VIP) by an implied
rule, and of course with this behavior the TCP handshake is done and the
connection is made.

Can anyone tell which behavior to expect when initiating a connection from a
standby member of a VRRPmc configuration regarding the source MAC address
and source IP address used by the member?
With the checkbox "Hide Cluster Members outgoing traffic behind the
ClusterIP address" enabled, should I not expect the same behavior on all
interfaces? Is there a configuration per interface?

Thanks in advance.

Pedro Boavida


------------------------------

Date:    Mon, 25 Sep 2006 18:14:02 +0100
From:    Pedro Boavida <pboavida AT CESCE DOT PT>
Subject: Re: High Availability VRRP Outgoing traffic behavior

Hi,

This is a very common scenario when you want to have VRRP and state sync.
In such a scenario ClusterXL is only used for state synchronization.

Best regards,

Pedro Boavida



------------------------------

Date:    Mon, 25 Sep 2006 17:21:55 -0700
From:    no-need to-list <ogos69 AT YAHOO DOT COM>
Subject: Re: IPSO 4.x and Checkpoint NGx combination explanation needed

Neither DOES Microsoft..... but we still buy their products... Don't we?

  The software companies need to be responsible for the software they put
on the market... just like manufacturing... so we can sue the hell out of
them.
  Maybe, just maybe, after that they would do a lot more quality
assurance on their products before releasing and stop hiring programmers
from 3rd world countries by paying them a few dollars a day.

  On 9/21/06, joe smith <interrupt_handle_this_00100 AT yahoo DOT com> wrote:
>
> Sorry I wasn't able to examine all "zillion" states. But I don't think CP
> checks all those states before releasing code to public.
>




------------------------------

Date:    Tue, 26 Sep 2006 11:51:33 +1000
From:    Clive Luk <clive AT ILANET.NET DOT AU>
Subject: Need help on upgrading

Hi Guru,

I want to ask if there is an easy method to do a management server upgrade?
Actually I want to move all configuration and licenses from a piece of old
hardware to new hardware.

Is there anything I need to pay attention to?

Thanks in advance!

Cheers,
Clive


------------------------------

Date:    Tue, 26 Sep 2006 13:35:32 +0800
From:    "Joseph Carlo C. Quiambao" <jcquiambao AT GMAIL DOT COM>
Subject: Re: exclude CP firewall from the encryption domain in VPN simplified mode

Accept ICMP requests: before last?

On 9/24/06, cisco4ng <cisco4ng AT yahoo DOT com> wrote:
>
> LAN_A---(i)Pix(o)---Internet---(Ext)CP_FW(Int)---LAN_B
>
>   I have a site-to-site VPN between Cisco Pix and Checkpoint
> Firewall NGx.  Traffic is encrypted between LAN_A
> and LAN_B without any NAT translation.  Everything
> is working properly.  I am using VPN simplified mode.
> One of the requirements is that LAN_A must be able
> to ping LAN_B and that the ICMP traffic between LAN_A
> and LAN_B must be encrypted via IPSec.
>
>   I also have a requirement from the customer that from the
> Pix "outside" interface, the customer wants to be able
> to ping the Checkpoint "External" interface and that
> the icmp traffic will not be encrypted.  The problem is
> that Checkpoint, by default, also includes the CP firewall
> itself, as part of the encryption domain.  Yes, the icmp
> from the pix outside interface, will arrive to the CP
> External interface as "clear" but the CP expects this
> traffic to be encrypted.
>
>   Well, I can exclude "icmp" from the VPN traffics but
> it also means that LAN_A, will not be able to ping LAN_B.
>   With VPN "traditional" mode, the Checkpoint FW itself, by
> default, is NOT part of encryption domain but in
> simplified mode, it is.  Is there a way to exclude the
> Checkpoint itself from the encryption domain in NGx in
> VPN "simplified" mode?
>
>   Thanks.
>   cisco4ng
>
>
>


------------------------------

Date:    Tue, 26 Sep 2006 07:51:03 +0200
From:    Mark Elsen <mark.elsen AT GMAIL DOT COM>
Subject: Re: Need help on upgrading

> Hi Guru,
>
> I want to ask if there is an easy method to do a management server upgrade?
> Actually I want to move all configuration and licenses from a piece of old
> hardware to new hardware.
>
> Is there anything I need to pay attention to?
>

Open a command prompt window:

    > cd %FWDIR%\bin\upgrade_tools
    > upgrade_export SmartCenter.tgz

Install CP on your new server:

    - transfer SmartCenter.tgz to the new box
    - go to the upgrade_tools dir

    > upgrade_import SmartCenter.tgz

M.


------------------------------

End of FW-1-MAILINGLIST Digest - 24 Sep 2006 to 25 Sep 2006 (#2006-256)
***********************************************************************

