Keepalives over Checkpoint Firewall

Hello!
I'm having some problems with CSS keepalives over a Checkpoint firewall.
It is not a CSS problem, but maybe someone has experienced the same and can help me solve it.
We do some TCP or HTTP HEAD keepalives over the firewall to some application servers.
The firewall seems to terminate the TCP connection and also the HTTP requests, and the service is always alive, because the firewall answers the requests.
The guys who administer the firewall do not know why the firewall does this and do not know how to disable that feature.
Does anyone have an idea how the firewall must be modified so that it does not answer the keepalives?
This problem only appears on TCP port 80. All other TCP ports work.
Best regards
Sven

Hello Gilles,
thanks for the fast response.
Not sure if this is the feature.
But my HEAD keepalives do not work, because the firewall is generating an error web page with a response code of 200 OK.
Let's have a look at this:
REQUEST: **************\nGET /monitor/alive?op=css HTTP/1.1\r\n
Host: 172.21.86.135\r\n
Accept: */*\r\n
Authorization: Basic U3ZlbkJ1dHplazo=\r\n
\r\n
RESPONSE: **************\nHTTP/1.0 200\r\n
Pragma: no-cache\r\n
Cache-Control: no-cache\r\n
Content-Type: text/html\r\n
Content-Length: 108\r\n
\r\n
Error\n\n
Error\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\nWWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n
finished.
The IP 172.21.86.135 is not configured on any device.
Doing HTTP GET keepalives would solve this on the CSS, but not on the CSM, and I also want to include more than 256 keepalives per CSS.
Sven
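The capture above shows why a status-code-only keepalive is fooled: the firewall's HTTP security server answers 200 with an FW-1 error body, so the probe reports the server alive while the real target is unreachable. The following Python check is an added example, not code from the original post or from Cisco; it parses a raw HTTP reply and marks the service healthy only when the status is 200, the body carries none of the FW-1 error markers seen in the capture, and (optionally) an expected application token is present. The sample responses are constructed from the thread's capture, and the "alive" body and marker strings are assumptions.

```python
"""Added example: classify a keepalive reply by status code AND body, so a
firewall-generated "200" error page counts as DOWN."""

# Sample response constructed from the capture in the thread: the Checkpoint
# HTTP security server replied 200 with an FW-1 error body. Markup may have
# been stripped from the capture, so Content-Length is left out of the sample.
FW1_RESPONSE = (
    b"HTTP/1.0 200\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Error\n\nError\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n"
    b'WWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n'
)

# Constructed reply from a real application server answering /monitor/alive.
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"alive"
)

# Strings that appear only in a Firewall-1 security server error page (assumed
# stable markers, taken from the capture).
FW1_MARKERS = (b"FW-1 at ", b"Failed to connect to the WWW server", b"WWWConnect::Close")


def parse_response(raw):
    """Split a raw HTTP reply into (status, headers, body).
    Handles the reason-less 'HTTP/1.0 200' status line from the capture."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def keepalive_healthy(raw, expect_body=None):
    """Return (healthy, reason). A bare status-code check, which is all a
    HEAD keepalive can do, would report the FW-1 page as alive."""
    status, _headers, body = parse_response(raw)
    if status != 200:
        return False, "status %d" % status
    if any(marker in body for marker in FW1_MARKERS):
        return False, "firewall-generated error page"
    if expect_body is not None and expect_body not in body:
        return False, "expected content missing"
    return True, "ok"


if __name__ == "__main__":
    for name, raw in (("FW-1 page", FW1_RESPONSE), ("app server", GOOD_RESPONSE)):
        print(name, keepalive_healthy(raw, expect_body=b"alive"))
```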

Similar Messages

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We try to establish a Site-To-Site-IPSec-connection between a Cisco 876 (local site) and a CheckPoint-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL-Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".
    From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are opened:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not port-forwarding; a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case, is the router.
    HTH.
    Portu.
    Please rate any helpful posts and mark this post as answered.

  • ACE - Probe suggestion for CheckPoint Firewall ?

    Hi to all,
    Assume that the inbound interface of the FW1 side cable is unplugged. In this scenario the probes are still up. Probes cannot detect this situation and failover doesn't take place. As you can see, it is impossible to detect cable tear-down unless we have an IP address from a different VLAN. I have an idea to solve this issue: I need to create a new VLAN (for instance VLAN 200) on the ACE_INSIDE. We will insert a static route on ACE_OUTSIDE. That static route will try to access VLAN 200 via the FW1 outside interface. Then we will be sure when FW1 fails. Of course vice versa will be valid. We can use a similar configuration for FW0 too. According to the configuration that I have attached and my solution, can you give me a configuration example, or do you have a better way to accomplish this task? I will be waiting for your suggestion or solution as soon as possible. I have little time to solve this. Thanks in advance.
    Best Regards.
    Note: Topology and all necessary configs are attached.

    First of all, this is the FIRST time I've heard someone is running SecurePlatform NGx R65 in Active/Active WITHOUT ClusterXL. I could be wrong, though unlikely, but that is not possible. Take a look at the pair of Checkpoint firewall NGx R65 SecurePlatform in Active/Active Unicast mode:
    [Expert@NGx-lab2]# cphaprob state
    Cluster Mode: Load Sharing (Unicast/SDF)
    Number Unique Address Assigned Load State
    1 10.0.0.1 30% Active (pivot)
    2 (local) 10.0.0.2 70% Active
    [Expert@NGx-lab2]# cphaprob -a if
    Required interfaces: 4
    Required secured interfaces: 1
    eth0 UP non sync(non secured), broadcast
    eth1 UP non sync(non secured), broadcast
    eth7 UP non sync(non secured), broadcast
    eth13 UP sync(secured), broadcast
    Virtual cluster interfaces: 3
    eth0 65.129.75.1
    eth1 129.174.1.1
    eth7 192.168.128.1
    [Expert@NGx-lab2]#
    Again, I think it is NOT possible to run Checkpoint in Active/Active mode without ClusterXL. You may want to check the configuration again. You can NOT have active/active without VIP IPs.

  • Oracle server and Checkpoint firewall

    When setting "block Findricset SQL Injection" on the Checkpoint firewall and trying to log in with sqlplus to the DB server (8.1.7) behind that firewall, the following error messages occur:
    ORA-24323: value not allowed
    ERROR:
    ORA-03114: not connected to ORACLE
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    ORA-24323: value not allowed
    ORA-24323: value not allowed
    Error accessing package DBMS_APPLICATION_INFO
    ERROR:
    ORA-03114: not connected to ORACLE
    SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level
    ORA-24323: value not allowed
    Can anyone tell me where's the problem?

    It appears that the firewall is blocking the connection to the database. Since this appears to be something more than a basic firewall product (i.e. it is doing more than allowing and denying requests on particular ports for particular IP addresses), you would need to talk to your firewall vendor to determine why it thinks a SQL*Plus connection is a SQL injection risk and how to get around the problem.
    Of course, you could set up something like Oracle Connection Manager to proxy the connection through the firewall, but that may well defeat the point of an active firewall product.
    Justin

  • Checkpoint Firewall Management Server Lost Identity in MARS

    About a month ago, we added our Checkpoint firewall to MARS as well as the 2 Firewall agents who reported to the device. The devices were recognized and running properly.
    At some point in the last week, the Checkpoint management server lost its identity within MARS. Instead of being recognized as a Checkpoint device, the server is now considered a "Generic Router Version Unknown" via the Device Type.
    The agent firewalls beneath this device still exist as desired, but MARS is no longer recording logs for the primary device.
    I'm ready to remove and recreate the device, but I'm interested to figure out how this could have happened. Nothing in the Audit Trail points to any weird configuration changes.
    I've posted a picture here: http://pixpin.com/viewer.php?file=mars-checkpoint-j1zc.jpg

    It might have to do with bug CSCse03097 - CheckPoint LEA record comes to MARS later and later for better understanding

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a checkpoint firewall VPN client software on an user machine??
    Thanks in advance for your help

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • NMAS based token for radius authentication towards checkpoint firewall

    Hi,
    I'm looking for token-based access towards a Checkpoint firewall. I found out about RADIUS, and think that's the way to go.
    Our user administration is NW65SP2 & eDir 8.7.3 based.
    Has anyone a success story about a token-based RADIUS server based on this configuration?
    Which token?
    Additional software?
    Anyone?

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from
    > > > about 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes Activcard a costly alternative. We've
    > > got a good deal on RSA, and are negotiating a deal on Vasco. Eventually we
    > > might need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. Do you use
    > > the tokens only for Checkpoint authentication, or for Novell authentication
    > > as well?

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
    Could the last CISCO Security Manager product help in this process ?
    thanks in advance

    Joel, you may need to use a firewall analyser or fw auditing tools to retrieve fw rules from Nokia/Fw-1 in a legible format, like using LFA, but you still need to manually enter the configuration into the ASA.
    Check this link and look for (LFA) Lumeta firewall analyser, they work along with checkpoint..
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • With CheckPoint Firewall

    I am using CheckPoint firewall and running a cluster with 2 nodes on the same machines with a E10K machine. The application is running fine without the firewall. However, when I run a stress test within the firewall, the system is down for around an hour, and even the whole network will go down. Any advice?

    Could you please elaborate more on "the system is down around an hour, even the whole network will go down"?
    Friend wrote:
    > I am using CheckPoint firewall and running a cluster with 2 nodes on the same machines with a E10K machine. The application is running fine without the firewall. However, when I run a stress test within the firewall, the system is down for around an hour, and even the whole network will go down. Any advice?
    Rajesh Mirchandani
    Developer Relations Engineer
    BEA Support

  • Checkpoint Firewall

    Do you know about any problem with checkpoint firewall and SGD4.2?
    I've a customer with that firewall and he is disconnected quite often. Without the firewall, no problem. We checked the firewall log and saw that some times it blocks traffic to our site...
    Any help?
    Thank You

    Define "some times". A snip of the log with successful connections compared to unsuccessful connections would be helpful.

  • WAAS Cached content access through Checkpoint firewall

    Hello,
    I would like to open access to the cached content on the WAAS from a server through a Checkpoint firewall. The server has to have L3 access to the actual WAE device, from what I understand. Is this feasible? What ports would I need to open in the Checkpoint?
    Thanks
    Doug Bradfield

    Hello Douglas,
    You're correct; if you see an optimized connection, it is probably being cached (probably not the whole file). There is a big difference between "cache data" and "preposition data".
    Cache data is not for you to control or manually retrieve from the WAE box. WAAS controls what is being cached or deleted when more new data comes through.
    Preposition data is something you can manually store on the remote WAE so remote users benefit from faster access to files already prepositioned. But this is upon remote users' request to the server (users don't know that WAAS exists; they just see the server share they've always used), so WAAS notices that a user is requesting a file that a remote WAE already has in its prepositioned files, and it provides faster access to the file.
    Neither of these two options above will let you access WAAS content like you describe in the initial question. You said you want open access to WAE files from a server, right? You can still get the files on your server, and these files can be optimized if your server is behind the WAAS optimization path, but you'd need to go to the server and copy the files one by one, just like if you were retrieving them from a client PC.
    Hope this helps!

  • Cisco 8851 phones registering through Checkpoint firewall

    We have a customer with a secured network, using Checkpoint firewalls, and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs. We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register. The 8851 phone, when it tries to register, uses port 6970 for distributed TFTP via HTTP first (by design), followed by TFTP/69. The 7900 phone never generates TFTP on port 69 at all. What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router. I know that TFTP uses UDP, but there is nothing in the docs that states it uses these upper port ranges.
    Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VoIP phones? I have done keyword searches on the forum for this issue, but have not found anything significant. I have also looked at the Nokia support forum and saw some briefs, but they didn't directly describe our issue. Any help would be greatly appreciated.
    Thanks,

    Hi Andrew
    The attached document may assist:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
    A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
    Hope this helps.
    Barry Hesk
    Intrinsic Network Solutions

  • Itunes store - cannot download movies over 4gb ,firewall problem

    Here's something odd. Once I purchased Dumb and Dumber from iTunes I immediately began the download, but something strange happened: it only downloaded to 375 MB, then the download restarted, and when it reached 375 MB it told me that the download was interrupted. I looked in my downloads to see that it had stopped, along with a 9006 error. I've been trying to download the movie repeatedly with no success, and I tried other movies that are over 4 GB and have met with the same result. Then I ran a network diagnosis and it said that everything is fine except that the firewall was not enabled for iTunes (even though it is), but when I download something from my purchases and do the network diagnosis it says that the secure link to the iTunes store has failed. I'm able to download everything else just fine despite this. Any solutions?

    I'm having the same exact problem. Bought Nightmare Before Christmas yesterday, tried to install it last night. Same error message, billed for it (said it was downloaded). Tried to report problem, re-directed to itunes store help page. EVERY SINGLE TIME! I've never had a problem purchasing movies from the itunes store.
    Does ANYONE know how to fix this?!?

  • Nexus vPC keepalive over FEX

    Any issues with running the vPC keepalive link over routed FEX ports? I have 2 7710s, each connected to a 2248PQ, and have set up FEX port 1 to FEX port 1 routed for the peer-keepalive link. It works, and I have had no issues with it. What are the disadvantages, besides the obvious one that if you lose a FEX all vPCs are down? That can happen with a 7700 module too.
    N77---->2k(Port1)--------vPC keepalive-------2k(port1)<-----------N77

    Jason,
    Welcome to the community!
    I do not see any problem here; we can actually see this recommendation below, which is not the same but still has a management switch in the middle:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
    "When using mgmt0 port for vPC peer keepalive link in a dual supervisor configuration, always use an intermediate L2 switch to interconnect the different supervisors together."
    What I can see is that you are actually adding more points of failure; IMHO I'd rather have a direct point-to-point connection between the switches to have less dependency on components.
    -Kenny

  • SCOM Management pack for Checkpoint Firewall & Fortigate UTM

    Hi,
    Does anybody know whether there is a management pack for Checkpoint (www.checkpoint.com) and the Fortigate appliance (http://www.fortinet.com/products/fortigate/index.html)?
    Please advise me.
    Regards, COMDINI

    Hi,
    If you cannot find them in system center marketplace:
    http://systemcenter.pinpoint.microsoft.com/en-US/home
    you can contact the vendors for the management pack.
    Alex Zhao
    TechNet Community Support
