Dec 15

Why does Stonesoft support ask for sginfo files?

Firewall Engine, IPS, SMC, SSL VPN -

Have you ever been in the situation where you needed Stonesoft Support to help you troubleshoot a problem you are having only to be told to send them an sginfo and they will investigate?  Ever wonder why?

written by SideKick - 290 views

Sep 29

Dear StoneBlog community,

from now on, we will reward select StoneBlog authors with a “I FW 127.0.0.1” or “I eat hackers for breakfast” T-shirt, and maybe with an occasional mousepad. The criteria for these rewards are totally subjective – basically, whenever we read something nice, beautiful, funny, witty, something that makes us smile and/or makes our day, the T-shirt (or something else) is on its way. “Us” refers primarily to Stonesoft marketing department, but can, and hopefully will, be extended to include just about anyone.

So, whenever you think a StoneBlog post earns a T-shirt (or something else), please drop a line with a link to heli.harri(AT)stonesoft.com and tell us why. Happy StoneBlogging!

—-
PS. The first T-shirt goes to Ray Maurer for his utterly sincere, positive and enthusiastic real-life, real-world customer experience with StoneGate. This not only made our day, it made our whole week :-) . Thanks, Ray!

written by helih - 778 views

Sep 22

Stonesoft Makes the Improbable Possible

Various -

One of our new customers was eager to switch all of their competitor’s firewalls in their network to StoneGate firewalls. I arrived onsite midday the day before the scheduled cutover and was planning to go through the normal routine of interviewing the staff so I could make sure to avoid any pitfalls and make sure the cutover was as smooth as possible. However, the customer had other plans for me. After two days of rebooting the firewalls four to five times a day, they asked if I could have the StoneGate firewalls ready by 7:30 pm that night. Keep in mind I didn’t arrive until 1 pm. Well, long story short, I said “sure no problem” with a muted smile. I got the firewalls configured and was ready to make the swap when the customer suggested taking a quick break for dinner before we made the cut. When we came back we found the firewalls down again and thought we might as well leave them down. We powered on the new StoneGate cluster, made initial contact, pushed the policies and had life breathing back into the network. The StoneGate solution made us look like champs. Thank you Stonesoft! We would not have been able to do this with any other system as fast and as easy. The StoneGate Management Center interface is like none other and far exceeds ASDM and other similar interfaces. You gave me the power and the training to hit this curveball out of the park!

written by RayMaurer - 779 views

Feb 12

I like to vMove it…

Firewall Engine, Virtualization -

I like to move it, move it
She likes to move it, move it
He likes to move it, move it
You like to (“move it”)

This is the smash hit of Madagascar, where funny lemurs were singing and dancing… well, given the potential and features of VMware technology this could easily become the catchphrase of Virtual Datacenter managers very soon.

This page contains links to a 5-minute movie showing how smoothly Virtual Appliance Clustering works in VMware ESX Virtual Infrastructure, offering maximum compatibility with VMotion.

The tested setup is the one reported below:

virtual-firewall-clustering-and-vmotion

And for those who want the full 15 MB Flash version, right-click here and choose “Save as…”

Or if you want to see it bigger (will open up a new browser window), click here.

written by RoarinPenguin - 662 views

Jan 29

MTU, MSS, DF…

Firewall Engine, Hints and Tips -

The current StoneGate SMC and Firewall version (4.3.x at the time of writing) supports setting the MTU size on each interface, as shown in the picture below:

settingMTU

Since the acronym stands for Maximum Transmission Unit, the effect is that the firewall sizes the frames it transmits on a given interface according to the MTU value set, or uses the default if no setting is present.
For example, if the firewall receives a frame of 1500 bytes MTU size on, say, eth0 and needs to transmit it on eth1, where we set the MTU to 1214 bytes, it will fragment it and then issue packets accordingly.
If the frame has the DF (Don’t Fragment) bit set, the firewall must honor this request and avoid fragmentation. Thus it will send back a type 3 – code 4 ICMP packet on the eth0 interface, AKA “Fragmentation Needed and DF set”, so that the source knows that fragmentation is needed along the way.

This is the correct behavior of a good TCP/IP node; therefore it is not possible (for instance) to set parameters on the firewall to “ignore” a received DF request for the sake of faster (although dirty) communication.
One should also remember that the MTU should be the same size on all machines in the same broadcast domain… to avoid odd situations ;)

To help in some of these situations, however, StoneGate supports setting the MSS (Maximum Segment Size) on a per-rule basis in the Security Policy, as shown below:

SetMSS

written by RoarinPenguin - 1,208 views
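
The forwarding decision described in the MTU post, as an added example (not StoneGate code and not part of the original post), using the post's 1500-byte packet and 1214-byte egress MTU. It assumes the 1500-byte figure is the IPv4 total length and that IP and TCP headers carry no options; `forward` and `clamp_mss` are hypothetical names.

```python
# Added example: generic IPv4 behaviour, not StoneGate's implementation.
IP_HEADER = 20   # assumption: IPv4 header without options
TCP_HEADER = 20  # assumption: TCP header without options


def forward(total_len, df, egress_mtu):
    """Decide what a router does with an IPv4 packet of total_len bytes.

    Returns ("forward", frags), ("fragment", frags) or ("icmp", info).
    Each fragment is (offset_in_8_byte_units, total_length, more_fragments).
    """
    if total_len <= egress_mtu:
        return ("forward", [(0, total_len, False)])
    if df:
        # Destination Unreachable, "Fragmentation Needed and DF set".
        # RFC 1191 puts the next-hop MTU in the ICMP message so the
        # sender can lower its packet size (Path MTU Discovery).
        return ("icmp", {"type": 3, "code": 4, "next_hop_mtu": egress_mtu})

    payload = total_len - IP_HEADER
    # Every fragment except the last must carry a multiple of 8 bytes,
    # because the fragment offset field counts 8-byte units.
    chunk = (egress_mtu - IP_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(chunk, payload - offset)
        more = offset + size < payload
        frags.append((offset // 8, size + IP_HEADER, more))
        offset += size
    return ("fragment", frags)


def clamp_mss(advertised_mss, path_mtu):
    """Largest MSS whose full-size segments fit path_mtu unfragmented."""
    return min(advertised_mss, path_mtu - IP_HEADER - TCP_HEADER)


if __name__ == "__main__":
    print(forward(1500, df=False, egress_mtu=1214))
    print(forward(1500, df=True, egress_mtu=1214))
    print(clamp_mss(1460, 1214))
```

If the ICMP type 3 code 4 reply is filtered somewhere on the return path, the sender never learns it must shrink its packets, which is the situation a lower per-rule MSS works around.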