Troubleshooting guide
Chapter 7 Troubleshooting Security Servers and Content Security
Resolving Common HTTP Security Server Problems
Advanced Technical Reference Guide 4.1 • June 2000 62
URI Resource – In the Match tab the Host field contains a URL name
For the VPN-1/FireWall-1 HTTP Security Server to match a rule whose URI Resource has a URL name in the
Host field of the Match tab, it must perform a reverse DNS lookup for each HTTP request.
If that lookup fails, the connection is dropped and the client is shown the message “Unknown WWW
server” or “The WWW server is not responding”. Before putting a host name in the Host field, confirm from
the firewall module that the destination server’s address resolves in reverse DNS (for example with nslookup).
How to use CVP for content security with HTTP and/or a URI service on ports other than 80
1. First set up VPN-1/FireWall-1 to invoke the HTTP Security Server to send Port 80 traffic to the CVP
Server.
2. Define the CVP Server according to the instructions in the VPN-1/FireWall-1 Administration Guide.
3. Define a Resource of type "URI" according to instructions contained in the VPN-1/FireWall-1
Administration Guide, and be sure the "Host" field on the "Match" tab is
*:*
(asterisk, colon, asterisk)
4. Create a Rule with appropriate Source and Destination and specify the Service as
"http-->Resource"
If other ports are specified in a URL, and the CVP server must inspect the traffic for content, then:
1. Create a User_Defined TCP service of type "URI" and specify the port to be used.
2. Create a Rule with appropriate Source and Destination and specify the Service as
"User_Defined-->Resource"
See the SecureKnowledge Solution (ID: 36.0.1952321.2504884) on the Check Point Technical Services site.
What rules are needed when setting up Content Security
A rule allowing TCP port 18181 from the FireWall module to the CVP server is needed for the control connection.
A rule allowing TCP high ports between the firewall and the CVP server is also needed; these carry the file
transferred from the FireWall to the CVP server for inspection.
Rules that specify CVP inspection do not replace rules that allow FTP, HTTP, or SMTP connections. Since
VPN-1/FireWall-1 examines the Rule Base sequentially, you must define rules in the appropriate order to
prevent unwanted traffic from entering your network.
Resource rules that accept HTTP, SMTP, and FTP connections must be placed before other rules which accept
these services. If you define a rule that allows all HTTP connections before a rule that specifies CVP inspection
on a URI Resource, you may be allowing unwanted traffic.
Similarly, CVP rules must be placed after rules that reject FTP, HTTP or SMTP Resource connections. For
example, a rule rejecting large email messages must come before a CVP rule allowing specific SMTP
connections.
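The ordering rules above follow from first-match evaluation. The following is an added example, not part of the guide and not Check Point code: a small first-match walk over a Rule Base in the style described here, with two rule orders for the same rules. All object, Resource and address names (Web_Servers, Mail_Server, FW, CVP_Server, URI_CVP, SMTP_CVP, SMTP_Big, 10.x addresses) are hypothetical and constructed for the example.

```python
# Added example (not from the guide): a first-match walk over a Rule Base in the
# style of VPN-1/FireWall-1, showing why CVP Resource rule order matters.
# All object, Resource and address names below are hypothetical and constructed.
from dataclasses import dataclass
from typing import Callable, Optional

ANY = "Any"

# Hypothetical network objects: group name -> member addresses.
GROUPS = {
    "Web_Servers": {"10.1.1.10", "10.1.1.11"},
    "Mail_Server": {"10.1.1.25"},
    "FW": {"10.0.0.1"},           # the firewall module itself
    "CVP_Server": {"10.0.0.50"},  # the content-inspection server
}


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    service: str   # "http", "smtp", "ftp" or "tcp/<port>"
    size: int = 0  # message size in bytes, used by the SMTP size Resource


# Hypothetical Resources: name -> (base service, match predicate).
RESOURCES: dict[str, tuple[str, Callable[[Conn], bool]]] = {
    "URI_CVP":  ("http", lambda c: True),                # Host *:*, handed to CVP
    "SMTP_CVP": ("smtp", lambda c: True),                # all mail, handed to CVP
    "SMTP_Big": ("smtp", lambda c: c.size > 1_000_000),  # "large e-mail" match
}
CVP_RESOURCES = {"URI_CVP", "SMTP_CVP"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str   # plain service, or "service->Resource"
    action: str    # "accept" or "reject"


def obj_matches(obj: str, ip: str) -> bool:
    return obj == ANY or ip in GROUPS.get(obj, {obj})


def service_matches(rule_service: str, conn: Conn) -> bool:
    if "->" in rule_service:                      # Resource rule
        base, name = rule_service.split("->", 1)
        res_base, pred = RESOURCES[name]
        return conn.service == base == res_base and pred(conn)
    if rule_service == "tcp/high":                # any TCP port above 1023
        return conn.service.startswith("tcp/") and int(conn.service[4:]) > 1023
    return conn.service == rule_service


def first_match(rulebase: list[Rule], conn: Conn) -> Optional[tuple[int, Rule]]:
    """Sequential evaluation: the first matching rule decides; none -> implicit drop."""
    for number, rule in enumerate(rulebase, start=1):
        if (obj_matches(rule.src, conn.src) and obj_matches(rule.dst, conn.dst)
                and service_matches(rule.service, conn)):
            return number, rule
    return None


def uses_cvp(rulebase: list[Rule], conn: Conn) -> bool:
    """True only if the deciding rule accepts the connection through a CVP Resource."""
    m = first_match(rulebase, conn)
    if m is None or m[1].action != "accept" or "->" not in m[1].service:
        return False
    return m[1].service.split("->", 1)[1] in CVP_RESOURCES


def cvp_control_rules_ok(rulebase: list[Rule]) -> bool:
    """FW -> CVP server must be accepted on tcp/18181 (control) and a high port (file transfer)."""
    for probe in (Conn("10.0.0.1", "10.0.0.50", "tcp/18181"),
                  Conn("10.0.0.1", "10.0.0.50", "tcp/4000")):
        m = first_match(rulebase, probe)
        if m is None or m[1].action != "accept":
            return False
    return True


CVP_CONTROL = [
    Rule("FW", "CVP_Server", "tcp/18181", "accept"),
    Rule("FW", "CVP_Server", "tcp/high", "accept"),
]

# Wrong order: the plain HTTP accept shadows the URI_CVP rule, and the SMTP_CVP
# accept shadows the large-mail reject, so neither shadowed rule ever fires.
WRONG_ORDER = CVP_CONTROL + [
    Rule(ANY, ANY, "http", "accept"),
    Rule(ANY, "Web_Servers", "http->URI_CVP", "accept"),
    Rule(ANY, "Mail_Server", "smtp->SMTP_CVP", "accept"),
    Rule(ANY, "Mail_Server", "smtp->SMTP_Big", "reject"),
]

# Right order: reject Resource first, CVP Resource rules next, plain accepts last.
RIGHT_ORDER = CVP_CONTROL + [
    Rule(ANY, "Mail_Server", "smtp->SMTP_Big", "reject"),
    Rule(ANY, "Mail_Server", "smtp->SMTP_CVP", "accept"),
    Rule(ANY, "Web_Servers", "http->URI_CVP", "accept"),
    Rule(ANY, ANY, "http", "accept"),
]

if __name__ == "__main__":
    web = Conn("1.2.3.4", "10.1.1.10", "http")
    big_mail = Conn("1.2.3.4", "10.1.1.25", "smtp", size=5_000_000)
    for label, rb in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "web ->", first_match(rb, web), "cvp:", uses_cvp(rb, web))
        print(label, "big mail ->", first_match(rb, big_mail))
```

With WRONG_ORDER the web connection is decided by rule 3 (the plain accept) and never reaches CVP, and the 5 MB message is accepted by the SMTP_CVP rule before the size reject is consulted; with RIGHT_ORDER the same connections hit the URI_CVP rule and the size reject respectively. The control-rule check also fails when only the tcp/18181 rule is present, since the file transfer to the CVP server needs the high-port rule as well.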
See the SecureKnowledge Solution (ID: 36.0.608403.2485073) on the Check Point Technical Services site.