You can definitely set it up to only download topology from the firewall; you no
longer need to get it from the mgmt station.

It's been a while so some of what I say might be a little incorrect.

But...

I think with strict FWZ encryption, you need to download topology from the mgmt
station. The firewall will complain about not being a control station.
However, you can uncheck the "Respond to unauthenticated topology requests" box
in Policy -> Properties. Create a user, check IKE, edit his encryption
properties, and give him an IKE password for topology downloads.
From then on, I think you can do FWZ encryption and download the topo from the
firewall; you just need to use the IKE user and password for the download, and
any FWZ user then for the encryption...

You could, of course, do all this with IKE encryption as well.
Most of the Checkpoint manuals talk about SecuRemote when used with a combined
management station/Firewall.

I want to use SecuRemote to establish a VPN to a Firewall-only module. The
management station for this module is hidden back on the LAN. Is it possible?
Is there any way to make a Firewall module the Certificate Authority?
Failing this, I can punch holes in my Firewall to get at the management station
behind the Firewall to get to the CA, but where do encryption and
authentication take place?

The way I see it, an incoming connection to the Firewall triggers an access
rule, and the user enters a user name and password. Keys are then exchanged
between client and management station, but where does the encryption take
place? Firewall or management station? If the CA is on the management station,
does the management station need a Firewall module active?
-Steve