Re: [FW1] GRE Decoding
This is precisely why enabling encapsulation to plow through a firewall is generally a bad idea. You'll need to determine how this type of traffic violates your intentions when you designed the policy and look toward another solution. If simple accounting and tracking of traffic across the tunnel is what you're interested in, throw together a cheap IDS. If you're interested in firewalling off in/outbound traffic over the tunnel, toss a cheap firewall on the end you control. I suppose it would be possible if CP was capable of inspecting the encapsulated payload, but the overhead on such a task would render the firewall even more useless for other types of security policy enforcement.

-peter

On Tue, 6 Feb 2001 [email protected] wrote:

> Here's an odd question that I'm not sure there's an answer to, but I'll ask
> anyways.....
>
> We are looking to implement Cisco-Cisco tunnels between sites that are
> connected via Frame Relay AND a FW-1 VPN tunnel. The reason is that we
> can control routing decisions at each Cisco by having the remote LAN
> available via a Frame Relay (128Mbs) and a T-1 to the internet on each side
> with a VPN tunnel. It's hard to describe in brief in an email, but that's
> not the point....
>
> The point is: with the Cisco to Cisco tunnel, it will encapsulate everything
> in GRE. So, in the FW logs, I will see GRE traffic from router to router,
> and not HTTP/FTP/Netbios/etc traffic from host to host. Does anybody know a
> way for the FW to decode that encapsulated packet when it writes into the
> logs? If everything is in GRE, it will minimize the ability of the FW logs
> for troubleshooting and management. It's not a show stopper, but I would
> like to know if it's possible.
>
> Any information would be greatly appreciated.
>
> TIA,
>
> Dave O.
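As an added illustration of what "decoding the encapsulated packet" for the logs would actually involve (example code written for this page, not part of the thread and not Check Point or Cisco code): a small Python parser that walks outer IPv4, then the GRE header (honouring the optional checksum, key and sequence fields), then the inner IPv4 header and ports, over a constructed router-to-router packet. All addresses, ports and the key value are made up for the example; with decode=False it returns the bare router-to-router line Dave describes seeing, and with decoding it yields the host-to-host flow.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload
L4_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def parse_ipv4(buf, off):
    """Return (src, dst, protocol, header_len) for the IPv4 header at buf[off:]."""
    if buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src = socket.inet_ntoa(buf[off + 12:off + 16])
    dst = socket.inet_ntoa(buf[off + 16:off + 20])
    return src, dst, buf[off + 9], (buf[off] & 0x0F) * 4

def parse_gre(buf, off):
    """Return (header_len, protocol_type); the header grows by 4 bytes for each of the C, K, S flags."""
    flags, proto_type = struct.unpack_from("!HH", buf, off)
    if flags & 0x0007:  # version field: only version 0 (RFC 2784/2890 GRE) is handled here
        raise ValueError("unsupported GRE version")
    optional = (flags & 0x8000, flags & 0x2000, flags & 0x1000)  # C: checksum, K: key, S: sequence
    return 4 + 4 * sum(1 for bit in optional if bit), proto_type

def describe(packet, decode=True):
    """Log line for one packet: outer flow only (what the FW records today) or, with decode, the inner flow."""
    osrc, odst, oproto, oihl = parse_ipv4(packet, 0)
    outer = f"{L4_NAMES.get(oproto, oproto)} {osrc} -> {odst}"
    if oproto != GRE_PROTO or not decode:
        return outer
    glen, proto_type = parse_gre(packet, oihl)
    if proto_type != ETHERTYPE_IPV4:
        return f"{outer} carrying protocol type 0x{proto_type:04x}"
    isrc, idst, iproto, iihl = parse_ipv4(packet, oihl + glen)
    name = L4_NAMES.get(iproto, str(iproto))
    if iproto in (6, 17):  # TCP and UDP headers both start with source and destination ports
        sport, dport = struct.unpack_from("!HH", packet, oihl + glen + iihl)
        return f"{outer} encapsulating {name} {isrc}:{sport} -> {idst}:{dport}"
    return f"{outer} encapsulating {name} {isrc} -> {idst}"

def ipv4_header(src, dst, proto, payload_len):
    """Constructed 20-byte IPv4 header with no options; checksum left zero (not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample: 10.0.0.1 -> 10.0.0.2 GRE tunnel (Key flag set) carrying TCP 192.168.1.5:3421 -> 172.16.0.9:80
TCP_SEGMENT = struct.pack("!HH", 3421, 80) + bytes(16)
INNER = ipv4_header("192.168.1.5", "172.16.0.9", 6, len(TCP_SEGMENT)) + TCP_SEGMENT
GRE = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 42) + INNER
SAMPLE = ipv4_header("10.0.0.1", "10.0.0.2", GRE_PROTO, len(GRE)) + GRE
```

The cost peter mentions is visible in describe(): every GRE packet needs a second full header parse before any host-level rule or log entry can be produced, and PPTP-style version 1 GRE or a non-IPv4 payload still ends up as an opaque tunnel line.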