Re: [FW1] Anti-spoofing, loading rules and license problem



Set the antispoofing (AS) of your public NIC to
"Others"

Set all other AS settings for other NICs to
"Specific", where it references a group of networks
behind that interface.

Say, you use 10.10.10.DDD and 172.5.5.DDD behind your
private interface.

Create a group with these networks, call it
InternalLAN (for example). So, you would use
"Specific" and reference the group InternalLAN as the
group "behind" that interface.

If you use a DMZ, or any other Statically NATed
devices behind your firewall, then you need to include
not only the private IP, but the external/public
staticNATed IP as well (you need to define an object
with the public IP as the IP address). Then, include
this object in the group referenced in "Specific".

AS is a sort of all-or-nothing setup. If you don't
have it right, it can break everything.

HTH -- Chris
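The advice above can be checked mechanically. The following is an added example, written for this archive page and not code from the post or from Check Point: a small Python model of the "Others"/"Specific" semantics Chris describes, plus a lint for the static NAT omission he warns about. The interface names, the DMZ network and the NAT pair are constructed for illustration; the InternalLAN group uses the two networks named in the post.

```python
"""Model of FW-1 style anti-spoofing ("valid addresses") checks.

Constructed example: interfaces, the DMZ network and the NAT mapping are made up.
"""
from ipaddress import ip_address, ip_network

OTHERS = "Others"  # public NIC: valid if the source is behind NO other interface

# Interface -> "Others", or the networks/hosts "behind" it ("Specific").
# le1_internal references the equivalent of the group InternalLAN from the post.
TOPOLOGY = {
    "le0_public": OTHERS,
    "le1_internal": ["10.10.10.0/24", "172.5.5.0/24"],
    "le2_dmz": ["192.168.100.0/24"],  # hypothetical DMZ, private side only
}

# Hypothetical static NAT pair: DMZ private address -> public address (TEST-NET-3).
STATIC_NAT = {"192.168.100.10": "203.0.113.10"}


def specific_ifaces(topology):
    """Interfaces set to "Specific", with their group parsed into network objects."""
    return {
        iface: [ip_network(n) for n in nets]
        for iface, nets in topology.items()
        if nets != OTHERS
    }


def is_behind(topology, iface, addr):
    """True if addr falls inside the group referenced by a "Specific" interface."""
    nets = specific_ifaces(topology).get(iface, [])
    return any(ip_address(addr) in n for n in nets)


def is_spoofed(topology, iface, src):
    """Anti-spoofing verdict for a packet with source src arriving on iface.

    "Specific": legitimate only if src is in that interface's group.
    "Others":   legitimate only if src is behind no other interface, so an
                internal address showing up on the public NIC is spoofed.
    """
    if topology[iface] == OTHERS:
        return any(is_behind(topology, other, src) for other in specific_ifaces(topology))
    return not is_behind(topology, iface, src)


def lint_static_nat(topology, static_nat):
    """Report public NAT addresses missing from the group of the interface that
    holds the matching private address (the omission the post warns about)."""
    findings = []
    for private, public in static_nat.items():
        for iface in specific_ifaces(topology):
            if is_behind(topology, iface, private) and not is_behind(topology, iface, public):
                findings.append(
                    f"{iface}: add host object {public} (static NAT of {private}) to its group"
                )
    return findings


def with_static_nat_hosts(topology, static_nat):
    """Copy of topology with each public NAT address added as a /32 host object
    to the group of the interface behind which its private address lives."""
    fixed = {k: (v if v == OTHERS else list(v)) for k, v in topology.items()}
    for private, public in static_nat.items():
        for iface in specific_ifaces(topology):
            if is_behind(topology, iface, private) and not is_behind(topology, iface, public):
                fixed[iface].append(f"{public}/32")
    return fixed


if __name__ == "__main__":
    for iface, src in [("le1_internal", "10.10.10.5"), ("le0_public", "10.10.10.5"),
                       ("le2_dmz", "203.0.113.10")]:
        print(f"{src:>14} on {iface:<12} spoofed={is_spoofed(TOPOLOGY, iface, src)}")
    for line in lint_static_nat(TOPOLOGY, STATIC_NAT):
        print("LINT:", line)
    fixed = with_static_nat_hosts(TOPOLOGY, STATIC_NAT)
    print("after fix, spoofed =", is_spoofed(fixed, "le2_dmz", "203.0.113.10"))
```

Run as written, the lint flags the DMZ interface because only the private address is in its group, and the translated source 203.0.113.10 is judged spoofed on the DMZ interface until the public host object is added; once it is, the same address is accepted on the DMZ side and rejected if it arrives from the public side, which is the behaviour the post's advice is meant to produce.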

--- Naresh <[email protected]> wrote:
> 
> Hi
> 
>   I had a similar problem with PDS 2100 using Check Point Small Office.
> Anti-spoofing setting has a bug.
> 
> Naresh
> 
> [email protected] wrote:
> 
> > Had a strange situation yesterday on a FW-1 4.0 on HP-UX 10.20 running
> > both FW-1 management module and FW-1 gateway module.
> >
> > The firewall has one connection to the internet, one to our internal
> > network and three DMZ zones.
> >
> > For each DMZ interface, I changed the property settings:
> >
> >   Old setting: Valid addresses: Any + Spoof Tracking: None
> >   New setting: Valid addresses: This net + Spoof tracking: Log
> >
> > Then I reinstalled and lost connection. I ran the GUI from the internal
> > network.
> >
> > At the HP console I ran a "fwstop" and then a "fwstart". It failed to
> > load the ruleset. I then ran a "shutdown -r now". When FW-1 was
> > starting, it complained that there were too many internal hosts - only
> > 25 were allowed, and it came with a dump of IP addresses. And it could
> > not load the ruleset.
> >
> > We have an unlimited license on this machine.
> >
> > After reboot, I manually edited objects.C and reset the interface
> > properties for the three DMZ interfaces to "Valid addresses: Any" and
> > then compiled and loaded the ruleset without any problems. I also
> > rebooted the machine and it no longer complained about too many
> > internal hosts.
> >
> > This sounds like a bug in the software? Comments?
> >
> > ---
> > Jørn Yngve Dahl-Stamnes
> > EDB Teamco, Trondheim
> > [email protected]
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================