Q = Question A = Answer
Contributed By dreamwvr@dreamwvr.com
Q > Where do I obtain the current patches for firewall 1?
A > They can be obtained via ftp at ftp://ftp.sunsolve1.sun.com/pub/patches
Q > What service is ICQ on port 4000?
A > It is used for ICQ, a form or variant of IRC. See http://www.mirabilis.com for full details.
Q > What should I backup when I do a software upgrade?
A > See the Architecture and Administration Guide at http://www.checkpoint.com/support/technical/faq/firewall-1/setupinfo.html
Q > Does anyone know where one could formally study Firewall 1?
A > Yes. Check the following Point at http://www.checkpoint.com/services/training.html which describes all the authorized learning centers.
Q > I am installing the Firewall 1 on Solaris 2.6 using version 3.apl and am having problems with Install?
A > Upgrade to Firewall Version 3.0b as this is the First to Work Cleanly with Solaris 2.6.
Q > Is Firewall 1 3.0b Year 2000 compliant?
A > Yes the 3.0b patch is y2k compliant and includes support for 4 digit numbering of years
and the db is updated automagically.
Q > I have been having problems running SecureRemote 3.0a. I am running DHCP.
A > You cannot run SecureRemote with DHCP; it requires a static IP to operate.
Q > I have 100% CPU utilization and can't seem to tune the CPU load. How do I drop it?
A > Run fwstop and the CPU utilization should drop significantly.
Q > Is traffic travelling between the GUI and the Management Server protected?
A > Yes, via authentication, as well as encryption if you are using the Encryption Module.
Q > Which protocols are known to not work properly with NAT?
A > The protocols currently to be aware of are Microsoft File Sharing, NetMeeting, Vxtreme, and H.323.
Q >How do I enable internal access to the Internet using user authentication?
A >Here are Items to Check.
1- Be sure to enable the HTTP Security server.
2- Specify the Firewall as the proxy in your browser.
3- Specify valid Source or Destinations for the user definition.
4- Remember to modify the Properties of User Auth Action and the Allowed Servers from Predefined to Any.
Q > How do I disable the ability to ftp from web browsers using the Firewall 1 product?
A > Disable PASV FTP which is the method used by browsers to do file transfers. Also enable the HTTP proxy on the
Firewall so that it denies the ability to ftp period through the proxy. The HTTP proxy does not allow ftp traffic connections presently so you're in the clear.
Q > Is Firewall 1 Y2K compliant?
A > With the patch 3045 for 3.0b it is 100% year 2000 compliant.
Contributed By akalat@netrex.com
Q > How do I remove the banner that announces that I have a Checkpoint Firewall from an Authentication?
A > 1) Edit the /conf/objects.C file. 2) Find the "props" line, add the following line: ":undo_msg (true)".
3) Reinstall the policy.
Q > Why do I have to retype my authentication information every time I go to a new web page?
A > Because you are using transparent authentication. To fix this, point to the FW as a proxy server, i.e., proxy
authentication should be used.
Q > What port does the Citrix Winframe service run on?
A > port 1494
Q > How does FW deal with non-IP traffic?
A > If there is a non-IP protocol stack, such as IPX, installed on the FW, this traffic will pass unfiltered. This
is a bad thing! If there is no stack for the other traffic, it is simply ignored by the FW and not passed.
Q > How can I allow Multicast through my FW?
A > 1) Define an object with an IP of 224.0.0.0 and whose netmask is 240.0.0.0. 2) Create a rule with the multicast
object as the destination, and whatever appropriate services you'd like to pass.
Q > How many interfaces will FW v3.0 support?
A > Up to 32 physical interfaces. It will also support 255 virtual interfaces less the number of physical
interfaces.
Q > Is FW written to use multiple processors?
A > FW is not specifically coded to use multiple processors (i.e., not multithreaded), but the OS will load balance
the daemons across multiple CPUs.
Q > What IP address should I license my FW to?
A > You can technically license to any IP address, but things run much smoother if you license to the IP which is
associated with the system's name in DNS and hosts files, or any other name resolution system. If you run encryption,
you need to license to the IP of the interface that the encrypted packets will be entering and leaving the FW, usually
the external interface.
Q > How do I get the host ID?
A > Under Solaris or SunOS, type "hostid"
On HPUX, type: "uname -i"
On NT: You can use the volume serial number of the Hard Drive, retrieve it with "dir."
Q > Does it matter if I run FW on NT Server over NT Workstation?
A > No, the FW will function exactly the same on either version of NT.
Q > Does FW run on Solaris 2.6?
A > FW Version 3.0b or above runs fine on Solaris 2.6.
Q > How many rules can I have in my rulebase?
A > Technically you can have any number of rules. The more rules you have, the slower compilation and inspection
will be. Most people don't run more than about 50 rules.
Q > Is FW "NCSA Certified?"
A > Yes. Version 3.0 on NT was certified.
Contributed By jorge.fernandes@inst-informatica.pt
Q >How are the rules processed?
A >The packet is checked with the first rule. If it succeeds the action
specified in that rule is executed. Otherwise it is checked with the next
rule, and so on. For security reasons (the main purpose of a firewall) the
last rule should be ANY ANY ANY DROP or REJECT.
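The first-match processing described above, together with the multicast object from the earlier answer (IP 224.0.0.0, netmask 240.0.0.0), as an added Python example that is not FireWall-1 code or part of the original FAQ. The internal network, services and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard field, as in "ANY ANY ANY DROP"

@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    service: Optional[Tuple[str, int]]   # (protocol, port)
    action: str                          # "accept", "drop" or "reject"

def _in(net, addr):
    # A wildcard matches everything; otherwise test network membership.
    return net is ANY or ipaddress.ip_address(addr) in net

def first_match(rulebase, src, dst, service):
    """Return (rule number, action) of the first rule the packet matches."""
    for number, rule in enumerate(rulebase, start=1):
        if _in(rule.src, src) and _in(rule.dst, dst) and rule.service in (ANY, service):
            return number, rule.action
    return None  # nothing matched: this rulebase has no cleanup rule

def has_cleanup_rule(rulebase):
    """True if the last rule is ANY ANY ANY with DROP or REJECT."""
    if not rulebase:
        return False
    last = rulebase[-1]
    return ((last.src, last.dst, last.service) == (ANY, ANY, ANY)
            and last.action in ("drop", "reject"))

# Constructed sample rulebase; addresses and services are illustrative only.
MULTICAST = ipaddress.ip_network("224.0.0.0/240.0.0.0")  # object from the multicast answer
INTERNAL = ipaddress.ip_network("10.1.0.0/255.255.0.0")  # assumed internal network
RULEBASE = [
    Rule(INTERNAL, MULTICAST, ("udp", 5004), "accept"),
    Rule(INTERNAL, ANY, ("tcp", 80), "accept"),
    Rule(ANY, ANY, ANY, "drop"),
]

if __name__ == "__main__":
    for pkt in [("10.1.2.3", "239.1.1.1", ("udp", 5004)),
                ("10.1.2.3", "192.0.2.10", ("tcp", 80)),
                ("10.1.2.3", "192.0.2.10", ("tcp", 23))]:
        print(pkt, "->", first_match(RULEBASE, *pkt))
    print("cleanup rule present:", has_cleanup_rule(RULEBASE))
```

Running `has_cleanup_rule` over an exported rule list is a quick audit check; `first_match` returning `None` marks a packet that no explicit rule accounts for.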
Q >Is FireWall-1 year 2000 compatible?
A >(Thanks to tstala@riscman.com) FireWall-1 3.0b build 3045 patch is year
2000 compatible.
Contributor eravin@panix.com
Q >I would like to search the Firewall 1 Mailing list and where might I find it?
A > Go to the Dejanews archives at www.dejanews.com and look under dtc.mailinglist.fw-1-mailinglist
choose "Browse Groups" and type "dtc" browsing from there.
Contributor jerald.josephs@iprg.nokia.com
Q >How do I get the 'fw logswitch' to work properly since the applying of patch 3064, as I can't seem to get it to start a new log?
A >Here is another method to skin the logswitch by cron job.
fw logswitch
fwstop
/bin/rm $FWDIR/log/fw.logtrack
fwstart
Copyright © 1998 - 2004 - All Rights Reserved
Atoms Walled by dreamwvr.com