Keepalives over Checkpoint Firewall

Sbutzek
Level 1

Hello!

I'm having some problems with CSS keepalives over a Checkpoint firewall.

It is not a CSS problem, but maybe someone has experienced the same and can help me solve it.

We do some TCP or HTTP HEAD keepalives over the firewall to some application servers.

The firewall seems to terminate the TCP connection and also the HTTP requests, and the service is always alive because the firewall answers the requests.

The guys who administer the firewall do not know why the firewall does this and do not know how to disable that feature.

Does anyone have an idea how the firewall must be modified to not answer the keepalives?

This problem only appears on TCP port 80. All other TCP ports work.

Best regards

Sven

3 Replies

Gilles Dufour
Cisco Employee

Sven,

Seems like the equivalent of the Cisco HTTP inspection feature.

Looking at the Checkpoint website, this feature seems to be called Web Intelligence.

http://www.checkpoint.com/products/downloads/Web_Intelligence_External_FAQ.pdf

However, I do not see how to disable it.

Since you do HEAD keepalives, I believe that if your server is down, the firewall will still accept the HTTP connection but it won't be able to respond for the server and it should return a 500 error message, which should bring the service down.

Is this not the case?

Gilles.

Hello Gilles,

thanks for that fast response.

Not sure if this is the feature.

But my HEAD keepalives do not work, because the firewall is generating an error web page with a response code of 200 OK.

Let's have a look at this:

REQUEST: **************\nGET /monitor/alive?op=css HTTP/1.1\r\n
Host: 172.21.86.135\r\n
Accept: */*\r\n
Authorization: Basic U3ZlbkJ1dHplazo=\r\n
\r\n

RESPONSE: **************\nHTTP/1.0 200\r\n
Pragma: no-cache\r\n
Cache-Control: no-cache\r\n
Content-Type: text/html\r\n
Content-Length: 108\r\n
\r\n
Error\n\n
Error
\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n

WWWConnect::Close("172.21.86.135","80")\nclosed source port: 2314\r\n
finished.

The IP 172.21.86.135 is not configured on any device.

Doing HTTP GET keepalives would solve this on CSS, but not on CSM, and I also want to include more than 256 keepalives per CSS.

Sven

Definitely an error on the firewall side.

Clearly they should return a 5xx code if there is an error per the RFC.

You should contact your Checkpoint vendor or replace the firewall with a Cisco one :-)

G.
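
An added example, not code from the thread or from either vendor: it parses a response shaped like the one quoted above and shows why a status-only (HEAD-style) probe marks the service alive while a probe that also compares the body against a known-good hash marks it down. The firewall body is reconstructed from the trace (its HTML tags are missing on the page); `APP_RESPONSE`, `EXPECTED` and the function names are hypothetical.

```python
import hashlib

# Constructed from the response quoted in the thread. The original HTML tags
# are not on the page, so Content-Length is omitted rather than guessed.
FW_RESPONSE = (
    b"HTTP/1.0 200\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Error\n\nError\n\nFW-1 at fw1gsb2bln: Failed to connect to the WWW server.\r\n"
)
# Constructed healthy answer from a hypothetical application server.
APP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nalive\n"
# Reference hash of the body the real server is assumed to return.
EXPECTED = hashlib.sha256(b"alive\n").hexdigest()


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(None, 2)  # reason phrase is optional ("HTTP/1.0 200")
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def head_style_check(raw):
    """Status-only probe: all a HEAD keepalive can evaluate."""
    status, _, _ = parse_response(raw)
    return status == 200


def get_style_check(raw, expected_sha256):
    """Status plus body hash: a proxy-generated page fails even with 200."""
    status, _, body = parse_response(raw)
    return status == 200 and hashlib.sha256(body).hexdigest() == expected_sha256


if __name__ == "__main__":
    for label, raw in (("firewall", FW_RESPONSE), ("app server", APP_RESPONSE)):
        print(label, head_style_check(raw), get_style_check(raw, EXPECTED))
```
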
