The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Content-Encoding Type Not Allowed

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

If you see this message in the logs, it is likely because your web browser supports alternative encoding schemes like gzip, deflate, or compress encoding of documents and is talking to a website that can support these methods. The end result is the download is faster. However, the HTTP Security Server needs a little help in supporting this.

In FireWall-1 4.1 SP2, it is possible to enable support for this by adding the following to the :props( section of $FWDIR/conf/objects.C:

:http_disable_content_enc (true)
:http_disable_content_type (true)

If it exists, remove the line that says:

:http_use_cvp_reply_safe (true)

For guidelines on editing objects.C, see: How do I edit objects.C or objects_5_0.C?.

You will also need to make a change on the firewall module in how it tries to communicate with the CVP server. Edit $FWDIR/conf/fwopsec.conf. Change the line that says:

server  18181  auth_opsec

so it says

server  18181 opsec

Bounce the gateway (fwstop; fwstart) and reload the security policy.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.