Hello,
i've done an upgrade from R60 to R61. The customer uses CVP with eSafe to scan SMTP, HTTP and ftp.
Starting with R61 you get an error message "Compressed HTTP responses (containing a 'Content-Encoding:' header) are not allowed when using CVP or weeding" whenever http 1.1 is used and the server answers compressed. This is well documented in
http://updates.checkpoint.com/filese...y_Security.pdf but i can't follow the suggestion to lift security for these connections.
I tried to fix the problem with http_force_down_to_10 = 1 but it has no effect. The client request still leaves the firewall with HTTP/1.1 as tcpdump shows.
I checked why we don't had this problem with R60 and found, that http_force_down_to_10 = 1 is not working on R60 (without and with HFA_03) and that 'Strip SCRIPT Tags' is NOT working (as described for R61) without any message on sites using compression.
Testing is easy. Create a resource with 'Strip SCRIPT Tags' and test it as a transparent proxy with
www.google.de. Configure your IE 6 internet options to use HTTP/1.1 (note, you have to restart the IE after changing this setting, clear your IE cache!) With R61 you see an error message in the Tracker, with R60 the SCRIPT-Tag passes unmodified(!). To crosscheck you can switch to HTTP 1.0 and you will see the SCRIPT-Tag changed to <scrip!>.
Any suggestions beside configuring all clients to use http 1.0?
Why is http_force_down_to_10 not working (since which release)?