CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
If anyone didn't notice, 3 days after HFA01, HFA02 was posted on Checkpoint (you have to search for it; just search for "R65" from the download selector). Don't forget to patch the management box first!

I manage a lot of remote firewalls; most are SPLAT R65 (I still have a couple of Windows 2003 based).

Hint for applying the patches:

1. SSH into the remote box and enter expert mode.
2. FTP the patch `VPN-1_R65_HFA_02_wrapper.SecurePlatform.tgz` to a directory you create under /var (I used /var/NGX-R65-HFA02) from an FTP server you use; I keep one for this purpose.
3. `tar -xvzf VPN-1_R65_HFA_02_wrapper.SecurePlatform.tgz`
4. `cpstop` (important: you lose SSH during the cpstop that happens during the patch if you don't do this, and you won't be able to reboot remotely).
5. Reconnect with SSH, enter expert mode, `cd /var/NGX-R65-HFA02`, then `./UnixInstallScript`.
6. Reboot when it finishes. When it comes up everything is done.

Also I would suggest you set `fw ctl set int fwtcpstr_max_window 60000`. To make it survive reboot: in expert mode, `cd $FWDIR/boot/modules`, `vi fwkern.conf`, add the line `fwtcpstr_max_window=60000`, and save. This one resolves an issue I have always had since NGX R60 with large file copies in a VPN connection failing.
---
I agree with the fwtcpstr_max_window change. We ran into issues with websites developed on .NET that caused large requests to time out. Web requests would fail on a regular basis.

By default the TCP streaming window on Windows XP/2003 is MSS x 44. On Windows 2000 it was generally set to 17,520. On SPLAT the default is 10240 on NGX. Because of this low setting, packets are actually dropped by the firewall, though no dropped packets show up as dropped in the log server. We determined that because the packets are being dropped at the OS level, not the firewall level, nothing ever shows up in the logs. Only through debugs will you see the dropped packets.

The below change can be done via SSH script and will survive a reboot (appending with `>>` rather than `>`, so any other parameters already in fwkern.conf are kept):

```
echo fwtcpstr_max_window=65536 >> $FWDIR/boot/modules/fwkern.conf
fw ctl set int fwtcpstr_max_window 65536
```

Microsoft Knowledgebase Article on TCP Streaming Window: Description of Windows 2000 and Windows Server 2003 TCP Features
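Both posts above persist the setting by appending a line to `$FWDIR/boot/modules/fwkern.conf`. Appending blindly on every run leaves duplicate `fwtcpstr_max_window=` lines (and a plain `>` would wipe any other parameters in the file), so the helper below, which is an added example and not code from the thread or from Check Point, replaces an existing line for the parameter or appends one if it is absent. The function names `set_fwkern_param` and `get_fwkern_param`, the parameter name `example_other_param`, and the temporary demonstration file are all assumptions of this example; the real path is the one the posts give.

```sh
#!/bin/sh
# Added example (not from the CPUG thread or from Check Point): maintain a
# key=value parameter in a fwkern.conf-style file idempotently, so a script
# can be re-run without duplicating the line or clobbering other settings.
set -eu

# set_fwkern_param CONF NAME VALUE
# Replace any existing "NAME=..." line in CONF with "NAME=VALUE", or append
# it when no such line exists. Other lines are preserved unchanged.
set_fwkern_param() {
    conf="$1"; name="$2"; value="$3"
    [ -f "$conf" ] || : > "$conf"              # create the file if missing
    tmp="${conf}.tmp.$$"
    # copy every line except an existing setting of this parameter;
    # grep -v exits 1 when nothing is left (e.g. empty file), which is fine
    grep -v "^${name}=" "$conf" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# get_fwkern_param CONF NAME
# Print the persisted value of NAME in CONF, or nothing if it is absent.
get_fwkern_param() {
    sed -n "s/^$2=//p" "$1"
}

# Demonstration on a constructed temporary file, NOT the live
# $FWDIR/boot/modules/fwkern.conf. "example_other_param" is a made-up name
# standing in for any other parameter an admin may already have persisted.
demo_conf="$(mktemp)"
printf 'example_other_param=1\nfwtcpstr_max_window=10240\n' > "$demo_conf"
set_fwkern_param "$demo_conf" fwtcpstr_max_window 65536
set_fwkern_param "$demo_conf" fwtcpstr_max_window 65536   # second run is a no-op
echo "persisted value: $(get_fwkern_param "$demo_conf" fwtcpstr_max_window)"
echo "lines for the parameter: $(grep -c '^fwtcpstr_max_window=' "$demo_conf")"
rm -f "$demo_conf"
```

On a real gateway you would call `set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fwtcpstr_max_window 65536` from expert mode and still run `fw ctl set int fwtcpstr_max_window 65536` for the running kernel, since fwkern.conf is only read at boot; `fw ctl get int fwtcpstr_max_window` shows the value the kernel is currently using, which is the check to run after a reboot to confirm the setting survived.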
---
I even put in a request to Checkpoint that the default be changed to the higher number. They said nobody else is having this issue. I don't know about anybody else, but in my experience I have the problem all the time if this is not set to a larger number. So they won't make it the default.

John