RE: [FW1] SunScreen SKIP and Firewall-1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> However when I install a Firewall-1 module on the remote
> management station, SKIP no longer works.

I'm not sure if you're able to get this setup working. If I understand you correctly the SunScreen management station is installed on the same machine as the Firewall-1 module. There are a lot of different things you could try, but I can't guarantee that there is no conflict between the SunScreen management and the FW-1 module.

> Basically the Firewall-1 inspection module jumps in and
> is dropped by rule 0 logging "Decryption Failure: Source object not
> in database scheme".

My guess is that this is dropped because of the choice under Policy | Properties to Accept VPN-1 & Firewall-1 Control Connections. Since Firewall-1 does not know the SunScreen firewall as a known SKIP Gateway it will discard the packets based on the Firewall-1 internal rules. It could also be that the Enable Decryption on Accept interferes with this somehow, but I never managed to get good documentation on what this choice actually does (my guess is that this is used by the Implied Rules, which are the only encryption rules which actually would be defined with Accept instead of Encrypt or Client Encrypt).

What I would try to do in your situation is:

1. Define the Control Connections in the Rulebase instead of in Policy Properties. If you use FWZ encryption this might not work, but everything else should be possible to define in the rulebase. Remember to open the communication between your management station and the Firewall-1 module AND communication between the GUI clients and the management station. After that disable the Control Connections and install the rulebase.

2. Try to disable the Enable Decryption on Accept.

3. If nothing else works you could try to change the direction where the gateway rules are applied. In a default setup this setting is Eitherbound, which would cause all packets to be inspected when they enter the gateway and when they leave the gateway. You also have two other choices: Inbound and Outbound. They give you the option to choose one of the above (and if performance is a concern you might not want "double" inspection). Normally Inbound should be enough because then all packets entering the gateway will be inspected and the only packets not inspected are packets originating on the gateway itself, which in most circumstances is trusted communication. In your case you could consider using the Outbound choice, which will cause the Firewall only to inspect packets leaving the gateway. All communication that is terminated within the Firewall should not be inspected. As long as you don't use any encryption with Firewall-1 (IKE or SKIP) that interferes with the SKIP encryption of the SunScreen setup, this should work. BUT REMEMBER THAT THIS LEAVES YOUR FIREWALL WITHOUT ANY FIREWALL PROTECTION. If you have a "secure" installation with only securely authenticated services this might be enough. This depends on your Security Policy.

> Because it's dropped by rule 0, adding rules to the rule base
> to try and let this through has no effect.

....if you disable the rule 0 rules, the rulebase would be enough.

> I had two thoughts:
>
> 1) Stop Firewall-1 being active on the interface with SKIP on
> - everything I've read suggests that Firewall cannot be selectively
> installed on interfaces.

It is actually possible to choose which interface the policy is installed on. What you could do in the GUI is to disable the Security Policy from being installed on some interfaces. The Anti-Spoofing choice of the Firewall-1 Gateway Object in the GUI has the choice of "No Security Policy!". By choosing this you disable the interface for Rulebase Inspection...... You could also use the command line utility to install the policy. In the utility you can choose which interfaces to install the policy on.

> 2) Disable SunScreen SKIP on the remote management station and get
> the SunScreen Firewall to exchange SKIP with Firewall-1 SKIP.
> However SKIP is set up using a manual key exchange rather than cert
> authorities. Is it possible to set Firewall-1 SKIP parameters in a
> config file somewhere rather than generating a new key in the GUI?

As far as I know this is not possible. You would have to use the GUI for key management of SKIP.

/erik

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop Security 7.0 Evaluation

iQA/AwUBOy+EZC8isLQ+eI00EQKg2gCcCyI+S513F+3AwAxDM01RP+MMdt0Amwa8
0mgGgSMEbAC1ZahV/uyUfrcu
=pMex
-----END PGP SIGNATURE-----
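The reply's diagnosis hinges on one distinction: a packet dropped by rule 0 comes from the implied rules set in Policy Properties, so editing the numbered rulebase cannot help, while a drop by a numbered rule can. The following script, added here as an example and not part of the original post or of any Check Point tooling, sorts drop records by that origin. The log lines are constructed sample data in an assumed `field=value` layout (not a documented Firewall-1 export format); the field names `action`, `rule`, `src`, `dst`, `proto` and `reason` are assumptions.

```python
"""Separate implied-rule (rule 0) drops from rulebase drops in
Firewall-1 style log records.  Added example; the record layout is a
constructed approximation, not a documented log format."""
import re
from collections import Counter

# Constructed sample records (not real captured output).  The reason text
# on the rule-0 lines is the one quoted in the mailing-list thread.
SAMPLE_LOG = """\
action=drop rule=0 src=10.1.1.5 dst=10.1.1.9 proto=skip reason="Decryption Failure: Source object not in database scheme"
action=accept rule=3 src=10.1.1.5 dst=10.1.1.9 proto=tcp service=ssh
action=drop rule=0 src=10.1.1.5 dst=10.1.1.9 proto=skip reason="Decryption Failure: Source object not in database scheme"
action=drop rule=12 src=192.0.2.7 dst=10.1.1.9 proto=tcp service=telnet
"""

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one record into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_drops(log_text):
    """Count drop records by origin.

    'rule0-decryption' : implied-rule drop whose reason is a decryption
                         failure (the symptom described in the thread)
    'rule0-other'      : implied-rule drop for some other reason
    'rulebase'         : drop by an explicit, numbered rule
    """
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("action") != "drop":
            continue
        if rec.get("rule") == "0":
            if rec.get("reason", "").startswith("Decryption Failure"):
                counts["rule0-decryption"] += 1
            else:
                counts["rule0-other"] += 1
        else:
            counts["rulebase"] += 1
    return counts


def rulebase_can_fix(counts):
    """True only if every drop came from a numbered rule.  Rule-0 drops are
    decided by Policy Properties (implied rules) before the rulebase is
    consulted, so they need that setting changed, not a new rule."""
    return counts["rule0-decryption"] == 0 and counts["rule0-other"] == 0


if __name__ == "__main__":
    summary = classify_drops(SAMPLE_LOG)
    for origin, n in sorted(summary.items()):
        print(f"{origin:18s} {n}")
    print("rulebase edit sufficient:", rulebase_can_fix(summary))
```

Run against the constructed sample, the two SKIP drops land in `rule0-decryption` and the telnet drop in `rulebase`, so `rulebase_can_fix` reports False, matching the reply's advice to move the control connections out of Policy Properties or disable the implied rules rather than keep adding rules.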