Re: [FW1] TELNETING into the firewall??
Greetings!

"Piedade, Rick" wrote:
> On the checkpoint firewall, we are doing a new install.
> We were using raptor and now this is the 1st setup to replace them.

Okay, common pitfalls and useful hints:

- Raptor does harden the OS during install, but Checkpoint does not. You will have to do the necessary bastioning manually.
- If you have a large ruleset you can transform at least your network entities with a small tool (Raptor2Ckp and others, see http://www.wyae.de/software/ ) to be included manually into objects.C
- For the sake of better understanding always think (simplified): Raptor == Proxy and Checkpoint == Router-ACLs
- With respect to the ruleset Raptor does "best fit only", whereas Checkpoint does "first match".
- Do not forget the implicit rules (View / ImpliedRules) as set in Policy / Properties.
- NAT and routing: Checkpoint does "Routing before NAT"
- Make sure you have the Any --> Any : Drop (log) cleanup-rule installed as last one in the FW-1 rulebase.

> We can telnet to the firewall from the outside.
> The firewall doesn't even have anything in its logs saying we tried.

See above: I guess "Implied Rules" and no hardening - and maybe a missing cleanup rule.

Bye

Volker

--
Volker Tanger <[email protected]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions http://www.discon.de/

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
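The three points Volker makes about the rulebase (first match versus best fit, implied rules evaluated ahead of the explicit rules, and the need for a logging Any --> Any : Drop cleanup rule as the last entry) can be checked with a small rulebase simulator. The following is an added example written for this page; it is not code from the poster, from Check Point or from Raptor. Rule and packet structures, the specificity score used to approximate "best fit", the addresses, and the "implied" rule that accepts connections to the gateway are all constructed for illustration and do not reproduce FW-1's objects.C or any real implied rule.

```python
"""Simulate first-match (FW-1 style) and best-fit (Raptor style, approximated)
rulebase evaluation, and audit a rulebase for a logging cleanup rule.
Added example; formats and sample data are constructed, not Check Point's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # CIDR string or ANY
    dst: str                  # CIDR string or ANY
    service: Union[int, str]  # TCP destination port, or ANY
    action: str               # "accept" or "drop"
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str
    rule: Optional[str]  # name of the deciding rule; None when nothing matched
    logged: bool


def _addr_match(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.service == ANY or rule.service == pkt.dport))


def specificity(rule: Rule) -> int:
    """Constructed approximation of 'best fit': longer prefixes and an explicit
    service make a rule more specific; Any contributes nothing."""
    score = sum(ip_network(s, strict=False).prefixlen
                for s in (rule.src, rule.dst) if s != ANY)
    return score + (0 if rule.service == ANY else 1)


def evaluate_first_match(rules: List[Rule], pkt: Packet) -> Decision:
    """FW-1 style: the first matching rule decides. With no match the packet is
    dropped silently, i.e. nothing reaches the log."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return Decision(rule.action, rule.name, rule.log)
    return Decision("drop", None, False)


def evaluate_best_fit(rules: List[Rule], pkt: Packet) -> Decision:
    """Raptor style (approximated): the most specific matching rule decides,
    whatever its position in the list."""
    matching = [r for r in rules if rule_matches(r, pkt)]
    if not matching:
        return Decision("drop", None, False)
    best = max(matching, key=specificity)
    return Decision(best.action, best.name, best.log)


def has_cleanup_rule(rules: List[Rule]) -> bool:
    """True when the last rule is Any -> Any : Drop with logging enabled."""
    if not rules:
        return False
    last = rules[-1]
    return (last.src == ANY and last.dst == ANY and last.service == ANY
            and last.action == "drop" and last.log)


# Constructed sample data; documentation-range addresses, illustrative names.
FW_IP = "192.0.2.1"
ADMIN_HOST = "198.51.100.10"
TELNET = 23

NO_CLEANUP = [Rule("web-in", ANY, "192.0.2.80/32", 80, "accept", log=True)]
WITH_CLEANUP = NO_CLEANUP + [Rule("cleanup", ANY, ANY, ANY, "drop", log=True)]
# Constructed stand-in for an implied rule that accepts traffic to the gateway
# itself and is evaluated before the explicit rulebase; not a real FW-1 rule.
IMPLIED_ACCEPT_TO_GW = Rule("implied: accept to gateway", ANY, FW_IP + "/32",
                            ANY, "accept", log=False)
# Same two rules in the same order behave differently under the two models.
ORDER_SENSITIVE = [
    Rule("block-telnet", ANY, ANY, TELNET, "drop", log=True),
    Rule("admin-telnet", ADMIN_HOST + "/32", FW_IP + "/32", TELNET, "accept", log=True),
]
OUTSIDE_TELNET = Packet("203.0.113.5", FW_IP, TELNET)
ADMIN_TELNET = Packet(ADMIN_HOST, FW_IP, TELNET)

if __name__ == "__main__":
    for label, rules in [("no cleanup", NO_CLEANUP),
                         ("with cleanup", WITH_CLEANUP),
                         ("implied + cleanup", [IMPLIED_ACCEPT_TO_GW] + WITH_CLEANUP)]:
        print(f"{label:18} cleanup={has_cleanup_rule(rules)} "
              f"telnet-from-outside -> {evaluate_first_match(rules, OUTSIDE_TELNET)}")
    print("first match:", evaluate_first_match(ORDER_SENSITIVE, ADMIN_TELNET))
    print("best fit:   ", evaluate_best_fit(ORDER_SENSITIVE, ADMIN_TELNET))
```

Running it reproduces the symptom from the question: without a cleanup rule the outside telnet attempt is dropped by the implicit default and produces no log entry, while with the cleanup rule last it is dropped and logged. With an accept-to-gateway rule evaluated ahead of the rulebase, the cleanup rule never sees the packet and the connection is accepted without a log entry, which is the "Implied Rules" case Volker points to; the position of the real implied rules is set in Policy / Properties and has to be checked there. The ORDER_SENSITIVE pair shows why a ruleset carried over from a best-fit product cannot simply keep its order on a first-match firewall.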