Re: [FW1] Strange FW behaviour with Proxy
Greetings!

Mike Glassman - Admin wrote:
> Yes, we use security servers (CVP).
> Have you managed to find a workaround? This causes major problems as I'm
> sure you imagine when trying to shape the data to the internet, as I do not
> want to shape data to and from the valid FW external leg.
>
> > -----Original Message-----
> > From: Volker Tanger [SMTP:[email protected]]
> > Mike Glassman - Admin wrote:
> > > my Router, using a shaping/logging tool we have, I see that the Proxy is
> > > going out on the FW's legal Internet address and not as the NAT'd address I
> > > gave it.
> >
> > You are using the security servers (i.e. rules with resources) I assume?
> > Checkpoint seems to be behaving like a standard proxy in that case

It seems that that is a known "beature" - anytime security servers are used the Checkpoint behaves like a proxy - with NAT having no effect. See the FAQ articles:

* http://www.phoneboy.com/faq/0190.html
* http://www.phoneboy.com/faq/0049.html

As for a workaround I cite the FAQ: "There is no way around this."

One idea is to use the AntiVirus server as relay proxy - instead of using CVP. Then you could use HTTP without a resource for outgoing - which will enable NAT.

One weird, non-tested idea - if you do not want to configure all your clients:

* set up the AV server (in DMZ) as proxy
* allow "Internal" to "Any" using URI resource and point to the AV as upstream proxy
* allow the AV proxy HTML out (without resource) to "Any"

Warning: this is just a quick shot - untested and non-researched. But I'd be highly interested whether this will work as thought.

Bye
Volker

--
Volker Tanger <[email protected]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/