
Wednesday, October 14, 2009

firewall-wizards Digest, Vol 42, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Slow FTP transfers (sky)
2. Re: Palo Alto Networks (Paul Hutchings)
3. Re: Palo Alto Networks (Cassell, Damon Z.)


----------------------------------------------------------------------

Message: 1
Date: Thu, 08 Oct 2009 15:05:06 -0700
From: sky <aptgetd@gmail.com>
Subject: Re: [fw-wiz] Slow FTP transfers
To: Chris Smith <csmith1@1pointe.com>
Cc: "'firewall-wizards@listserv.icsalabs.com'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4ACE6212.4070603@gmail.com>
Content-Type: text/plain; charset=utf-8

Hi Chris,

There are no tracking module(s) that I know of. These servers are
located behind FWSM.

I haven't tried a different server, but active mode seems to cause
intermittent problems whereas passive mode seems to be the workaround.


regards,
sky


Chris Smith wrote:
> Sky, does the device that the ftp server sits behind have any kind of ftp connection tracking module?
>
> What happens with a different ftp server behind the same firewall using active mode and the same 50 MB file?
>
> This test will at least tell you if the firewall is the issue.
>
> Perhaps it could be an issue with the ftp server or the tcp stack on the host OS?
>
> Have you tried starting the service in a debug mode?
>
> Hope this helps.
>
> ----- Original Message -----
> From: firewall-wizards-bounces@listserv.icsalabs.com <firewall-wizards-bounces@listserv.icsalabs.com>
> To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
> Sent: Wed Oct 07 14:49:41 2009
> Subject: Re: [fw-wiz] Slow FTP transfers
>
> Hi,
>
> I've looked at every possible aspect of this connection based on the
> feedback I've received, to no avail.
>
> FWSM module is running v1.1(4) and CATOS v7.6(16).
>
> Any further insight will be appreciated.
>
>
> regards,
> sky
>
> sky wrote:
>> Hi,
>>
>> I'm having an issue when ftp'ing (default port mode) a large file (50 megs)
>> to a remote server sitting behind FWSM. The transfer gets really slow and
>> at times just times out.
>>
>> Now when I change ftp mode to passive the same file transfer works w/o
>> any issues. Why?
>>
>> Have inspect ftp and mtu is set for 1500. I've checked for duplex
>> settings as well which is good.
>>
>> Any thoughts will be great.
>>
>> regards
>> sky
>>
>>
>>
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>


------------------------------

Message: 2
Date: Fri, 9 Oct 2009 17:27:36 +0100
From: Paul Hutchings <paul@spamcop.net>
Subject: Re: [fw-wiz] Palo Alto Networks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <FA49E11A-3B99-4AF0-8EEC-BD91C3A0973C@spamcop.net>
Content-Type: text/plain; charset=WINDOWS-1252; delsp=yes;
format=flowed

Thanks all.

Frank, we would only be looking at one unit so management shouldn't
be an issue. You mentioned "home grown apps" and giving them a
definition; this will hopefully all be clear once I have a unit's GUI
in front of me, but presumably if you need/want it to, the PA boxes
can also act as dumb stateful firewalls i.e. "Simply allow port XYZ
from X to Y"?

Arkanoid, I've learned not to trust the marketing hence lurking on
technical forums and lists like this. Also (again may become clear
when in front of one) but how does the SSL inspection/MITM actually
work i.e. what would I need to change on my clients and could it also
be used to apply inspection to inbound SSL traffic to look for
nasties i.e. Outlook Web Access?

As a general question, what strategies are people taking these days
regards "layering" firewalls? We currently use a back to back
approach with a dumb stateful firewall at our perimeter almost as a
"doorman" so that only the ports we need to allow in get in, and then
we get a little smarter i.e. does it conform to RFCs etc. at the LAN
edge firewall. I'm wondering if the general consensus is that this
is still a sensible idea?

Paul

On 8 Oct 2009, at 20:47, Francois Yang wrote:

> I've worked with them before and they're pretty good.
> Easy setup and maintenance, good integration with Active Directory,
> good application detection engine.
> Overall it's a good product, but you have to test it in your own
> environment to see if it fits.
> Here are the drawbacks that I can remember. All firewalls have some
> kind of issues.
> Here are the issues I see, and maybe they have been fixed by now. I
> don't know, it's been a while.
> I remember it didn't have a central management, so having a few of
> those boxes may be ok, but when you're looking at 20+ clusters, it
> becomes time consuming to manage.
> Application detection engine would automatically drop the traffic of
> unknown apps into a low priority pool. So if you have home grown apps
> which require a lot of bandwidth, you need to make sure you find it
> and give it a definition or work with their team to create a custom rule,
> otherwise it will crawl.
> I'm sure there are more pros and cons, but that's all I can think of.
> Let me know if you have more questions.
>
> Frank
>
>
>
> On Thu, Oct 8, 2009 at 12:00 PM, Paul Hutchings <paul@spamcop.net> wrote:
>> Getting one of their boxes on eval for a couple of weeks. Quite a broad and
>> generic question I know, but does anyone have any experience(s) they wish to
>> share?
>>
>> Cheers,
>> Paul
>
>
>
> --
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked. -- White House Cybersecurity
> Advisor, Richard Clarke


------------------------------

Message: 3
Date: Tue, 13 Oct 2009 09:46:20 -0400
From: "Cassell, Damon Z." <dcassell@mitre.org>
Subject: Re: [fw-wiz] Palo Alto Networks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<B473C76B9C857542A758DF792F159DF20CFB7EC415@IMCMBX1.MITRE.ORG>
Content-Type: text/plain; charset="utf-8"

> I remember it didn't have a central management, so having a few of
> those boxes may be ok, but when you're looking at 20+ clusters, it
> becomes time consuming to manage.

Palo Alto does have central management by using an additional product called Panorama.

http://www.paloaltonetworks.com/products/panorama.html

One observation on the topic of management; the Palo Alto logging scheme seemed clunky, especially with a lot of logging enabled. If you are a frequent user of, say, Check Point SmartView Tracker then you might be annoyed with a web-based viewer and have some trouble with the query capabilities. Maybe the experience improves when you spend more time with the product, but it was an initial concern. Look at this in your own environment if logs are important to you...

Again, this may have changed with PanOS 3.

Damon

------------------------------



End of firewall-wizards Digest, Vol 42, Issue 8
***********************************************
