Frequently Asked Questions

4.1 Which Files Make Up My Security Policy?

4.2 How Do I Edit objects_5_0.C and rulebases.fws Manually?

4.3 Does Any Service Really Mean Any Service?

4.4 When Should I Reinstall My Security Policy?

4.5 Which Characters or Words Cannot Be Used When Naming Objects?

4.6 Are the Global Properties per Firewall or Global?

4.7 How Do I Enable DNS Verification When I Use the Rulebase Property to Allow DNS Queries?

4.8 Are the GUI Clients Backward Compatible?

4.9 How Do I Enable Specific Rules on Specific Interfaces?

4.10 My Rulebases Have Disappeared!

4.11 Using the GUI over Slow Links

4.12 I Cannot Fetch a Host's Interfaces

4.13 SmartMap (or VPE) Crashes When Logging into SmartDashboard/Policy Editor

4.14 FireWall-1 Error: No License for User Interface

6.1 How Do I Modify FireWall-1 Kernel Variables?

6.2 Can I Direct FireWall-1 Log Messages to syslog?

6.3 How Can I Disconnect Connections at a Specific Time?

6.4 How Many Interfaces Are Supported?

6.5 How Do I Create a Large Number of Objects via the Command Line?

6.6 Local Interface Anti-Spoofing

6.7 Tried to Open Known Service Port, Port xxxx

6.8 Virtual Defragmentation Errors

6.9 Too Many Internal Hosts

6.10 Pth Scheduler Internal Error: No More Thread(s) Available to Schedule

6.11 Target localhost Is Not Defined as an NG Module, Please Use the -l Flag

6.12 Invalid Value in the Access Attribute: Undefined: File Exists

6.13 mbuf_alloc(1500): Cluster Alloc

6.14 Log Buffer Is Full, Error: Lost xxx Log/Trap Messages

6.15 Why Doesn't Windows Traceroute Work?

6.16 How Does FireWall-1 Support UNIX RPC?

6.17 How Do I Block AOL Instant Messenger?

6.18 How Do I Enable or Block Yahoo Messenger?

6.19 How Do I Block ICMP Packets of a Particular Length?

6.20 TCP Packet Out of State

6.21 Configuring FireWall-1 to Allow Out-of-State Packets for Specific TCP Services

6.22 SmartView Tracker Log Error: Rule 0: Reason: Violated Unidirectional Connection

6.23 th_flags X message_info SYN Packet for Established Connection

6.24 TCP Flags Do Not Make Sense

6.25 Unexpected SYN Response

6.26 Enabling the TCP Sequence Verifier

6.27 Adjusting TCP or UDP Timeouts on a Per-Service Basis

6.28 Disabling TCP Timeouts

6.29 Problems with Newline Characters

6.30 FTP on Ports Other Than 21

6.31 FTP Data Connections with a Random Source Port

6.32 FTP Servers Sending FIN Packets out of Sequence

6.33 FTP Servers That Require ident

6.34 Encrypting FTP Connections with SSL

6.35 Some Services Are Slow to Connect

6.36 The ident Service

6.37 Different DNS Definitions for Internet and Intranet

7.1 Things to Check When Getting SIC Failures

7.2 Syncing Clocks between Firewall and Management

7.3 Establishing SIC with a Module Using Dynamic Addressing

7.4 SIC General Failure (Error No. 148)

7.5 Certificate Authority Errors in a Management HA Configuration

7.6 Resetting SIC

7.7 Forcibly Resetting SIC

7.8 If All Else Fails, Debug

8.1 How Do I Use Users in an Authentication Server without Entering Them into FireWall-1?

8.2 How Do I Integrate FireWall-1 into a Windows NT Domain?

8.3 How Do I Allow People Access Based on Their Windows Usernames?

8.4 How Do I Import or Export Users from a FireWall-1 User Database?

8.5 How Do I Add My Own Custom Message for Authentication?

8.6 How Do I Forward Authenticated HTTP Requests to an HTTP Proxy?

8.7 Can I Use FireWall-1 as a Reverse HTTP Proxy?

8.8 How Do I Remove the Check Point Banner from Authentication?

8.9 Can I Use FireWall-1 as a Proxy?

8.10 Can I Use FireWall-1 as an FTP Proxy for My Web Browser?

8.11 How Do I Authenticate HTTP over Different Ports?

8.12 How Do I Authenticate Outbound HTTPS Traffic?

8.13 Can I Authenticate Access to Internal HTTPS Servers?

8.14 How Can I Authenticate with HTTP to a Site Requiring Its Own Authentication?

8.15 How Can Users Change Their Own Passwords?

8.16 Can a User Reset His or Her Own S/Key Chain?

8.17 Can I Customize the HTTP Client Authentication Pages?

8.18 This Gateway Does Not Support X

8.19 The Connection Is Closed by a Session Authentication Agent

8.20 Authentication Services Are Unavailable. Connection Refused.

8.21 Session Authentication Is Not Secure

8.22 Using Session Authentication with Content Security

8.23 Authenticating on Each URL

8.24 No Client Auth Rules Available

8.25 Policy Install Logs Out Client Authentication Users

8.26 Partially Automatic Client Authentication Redirects Site to an IP Address

8.27 Users Are Not Being Prompted for Authentication

8.28 Request to Proxy Other Than Next Proxy Resource

8.29 Cannot Telnet to the Firewall

8.30 When Accessing Certain Sites via HTTP, the Connections Are Dropped with Various Error Messages

8.31 SecurID Authentication Fails after One Try

9.1 Can I Filter HTTP on Other Ports (e.g., Port 81)?

9.2 Can the HTTP Security Server Forward Requests to a Caching Proxy Server?

9.3 Why Do I Get the Error "Request to Proxy Other Than Next Proxy Resource" When Filtering Traffic to a Proxy Server?

9.4 How Do I Redirect People to a Usage Policy Page?

9.5 How Do I Prevent People from Downloading Files or Accessing Streaming Media via HTTP?

9.6 Can I Allow Certain Users to Download Files Provided They Authenticate?

9.7 How Can I Set Up FireWall-1 to Support Content Security for Outbound HTTPS?

9.8 Can I Block the Use of KaZaA, Instant Messages, and Other Applications That Can Tunnel over HTTP?

9.9 Why Do I Have Problems Accessing Some Sites When the HTTP Security Server Is Enabled?

9.10 How Can I Permit Schemes Other Than FTP and HTTP through the HTTP Security Server?

9.11 How Can I Customize the Error Messages Given by the HTTP Security Server?

9.12 The HTTP Security Server Won't Work

9.13 My Users See the Error Message "FW-1 at Kyle: Unknown WWW Server"

9.14 My Users See the Error Message "Failed to Connect to WWW Server"

9.15 I Have Problems When I Try to Use Internet Explorer (or Other Browsers That Support HTTP 1.1) through FireWall-1

9.16 I Can't Access Certain Web Sites through the HTTP Security Server

9.17 The Memory Usage of in.ahttpd Keeps Growing

9.18 Why Won't the FTP Security Server Let Me Use Certain FTP Commands?

9.19 Why Do I Always Have Problems with Certain Sites When Using the FTP Security Server?

9.20 Why Do I Have a Problem FTPing to Any Site with the FTP Security Server?

9.21 When I Use the SMTP Security Server, to What Should the MX for My Domain Point?

9.22 Can I Have the Firewall Be the MX for My Domain?

9.23 Why Won't the SMTP Security Server Use the MX Records?

9.24 Can I Use the SMTP Security Server to Help Fight Incoming Spam?

9.25 Can the SMTP Security Server Accept E-mails of Any Size?

9.26 When Does CVP Get Performed on E-mails in the SMTP Security Server?

9.27 I See the Message "Connection to Final MTA Failed" in the SmartView Tracker/Log Viewer

9.28 Mail Appears to Get Stuck in the SMTP Security Server Spool Directory

9.29 Why Don't the Connections I Make through the Security Servers Appear to Originate from the Firewall?

9.30 Why Is the Security Server Used Even if the Rule Matched Does Not Use a Resource?

9.31 Can I Mix User Authentication and Content Security?

9.32 Can I Mix Session Authentication and Content Security?

11.1 Does FireWall-1 Interoperate with Third-Party VPN Products?

11.2 Does the Gateway Clusters Feature Interoperate with Third-Party VPN Products?

11.3 Can I Run Microsoft Networking Protocols through a VPN?

11.4 Can I Set Up a VPN with a Site without Giving It Access to All My Machines?

11.5 Can I Set Up More Than One VPN with Different Sites Each Using Different Encryption Schemes?

11.6 Can I Set Up More Than One VPN with Different Sites and Use a Different Source IP Address for Each Site?

11.7 Does FireWall-1 Support a Hub-and-Spoke Model Like Some VPN Hardware Devices Do?

11.8 How Does NAT Interact with Encryption?

11.9 How Can Two Sites That Use the Same Address Space Establish a VPN with One Another?

11.10 Can I Require User Authentication in Addition to Encryption?

11.11 Can the VPN Gateway Be behind Another Device That Does NAT?

11.12 Can a Gateway Be a Member of More Than One VPN Community?

11.13 General Troubleshooting Guidelines for VPN Problems

11.14 No Response from Peer

11.15 AddNegotiation: Try to Handle Too Many Negotiations

11.16 Debugging Interoperability Issues with IKE

11.17 Known Interoperability Issues

11.18 Encryption Failure: Packet Is Dropped as There Is No Valid SA

11.19 Traceroute Does Not Appear to Work through a VPN

11.20 VPN Fails When Transferring Large Packets

12.1 Can I Use SecuRemote if My Client Is Subject to NAT?

12.2 Can Multiple SecureClient Users Behind the Same NAT Device Access the Same Firewall?

12.3 How Do I Initiate an Encrypted Session to a SecuRemote Client?

12.4 What if My SecuRemote Client Must Pass through a FireWall-1 Gateway?

12.5 How Can I Use SecuRemote When I Am behind a Proxy?

12.6 How Do I Disable SecuRemote at Startup?

12.7 How Do I Tell FireWall-1 to Use a Different Port for SecureClient Topology Requests?

12.8 Can I Share an Internet Connection and Use SecuRemote?

12.9 Can I Install SecureClient on the Same Machine with a VPN Client from Another Vendor?

12.10 Can SecureClient Be Controlled via the Command Line?

12.11 SecuRemote Communication Ports Are Blocked

12.12 ISP Uses a Custom Adapter to Connect

12.13 Problems Adding the New Site

12.14 Determining the IP Address When Using IP Pool NAT

12.15 Encapsulation, Packet Sizes, and Failing Applications

12.16 Windows NT and File Permissions

12.17 Mixing NICs and Dial-up Adapters

12.18 NG FP1/FP2 System Status Viewer Shows No Response for Desktop Policy Server

13.1 How Do I Know State Synchronization Is Working?

13.2 Can I Change the MAC Address Used by the State Synchronization Mechanism?

13.3 Can I Perform State Synchronization between Two Platforms of Differing Performance Characteristics?

13.4 How Can I Prevent a Specific Service from Being Synchronized via State Synchronization?

13.5 Various Error Messages Occur during a Full Sync

13.6 Error Changing Local Mode from <mode1> to <mode2> because of ID <machine_id>

13.7 Inconsistencies Exist between Policies Installed on Cluster Members on My Console

13.8 CPHA: Received Confirmations from More Machines Than the Cluster Size

13.9 FwHaTimeWorker: Wait Failed (Status N)

13.10 fwha_reset_timer: Failed to Allocate Timer DPC or Timer Object

13.11 There Are More Than 4 IPs on Interface <interface name> Notifying Only the First Ones

13.12 fwha_create_icmp_echo_request: Failed to Create Packet

13.13 fwha_receive_fwhap_msg: Received Incomplete HAP Packet (Read <number> Bytes)

13.14 Inconsistencies Exist between Policies Installed on the Cluster Members

13.15 Sync Could Not Start Because There Is No Sync License

13.16 fwldbcast_timer: Peer X Probably Stopped

13.17 fwlddist_adjust_buf: Record Too Big for Sync

13.18 fwha_pnote_register: Too Many Registering Members, Cannot Register

13.19 fwha_pnote_register: foo Already Registered (#5)

13.20 fwha_pnote_reg_query: Pnotes Not Relevant in Service Mode

13.21 fwldbcast_update_block_new_conns: Sync in Risk: Did Not Receive ack for the Last 410 Packets

13.22 fwhandle_get: Table kbufs: Invalid Handle: Bad Entry in Pool 0