
Re: [FW1] Strange FW behaviour with Proxy



Greetings!

Mike Glassman - Admin wrote:

> Yes, we use security servers (CVP).
> Have you managed to find a workaround ? This causes major problems as I'm
> sure you imagine when trying to shape the data to the internet, as I do not
> want to shape data to and from the valid FW external leg.
>
> > -----Original Message-----
> > From: Volker Tanger [SMTP:[email protected]]
> > Mike Glassman - Admin wrote:
> > > my Router, using a shaping/logging tool we have, I see that the Proxy is
> > > going out on the FW's legal Internet address and not as the NAT'd address I
> > > gave it.
> >
> > You are using the security servers (i.e. rules with resources) I assume?
> > Checkpoint seems to be behaving like a standard proxy in that case

It seems that that is a known "beature" - anytime security servers are used the
Checkpoint behaves like a proxy - with NAT having no effect. See the FAQ
articles:
    * http://www.phoneboy.com/faq/0190.html
    * http://www.phoneboy.com/faq/0049.html

As for a workaround I cite the FAQ:  "There is no way around this."

One idea is to use the AntiVirus server as relay proxy - instead of using CVP.
Then you could use HTTP without a resource for outgoing - which will enable
NAT.

One weird, non-tested idea - if you do not want to configure all your clients:
    * set up the AV server (in DMZ) as proxy
    * allow "Internal" to "Any" using URI resource and point to the AV as upstream proxy
    * allow the AV proxy HTML out (without resource) to "Any"

Warning: this is just a quick shot - untested and non-researched. But I'd be
highly interested whether this will work as thought.

Bye
    Volker


--

Volker Tanger  <[email protected]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/




   All contents © 2004 Network Presence, LLC. All rights reserved.