AW: [FW1] GUI cannot connect to server
Hi,

1. I wonder if you use the dynamic IP assigned from your ISP to connect to your Firewall with ssh. That means you must have a rule like any---your_FW---ssh---accept, which I would consider as a huge security risk. Are you checking HostKeys at all?

2. You can manage your firewall by adding a rule like any---your_FW---FW_mgmt---accept which I would consider an even bigger risk.

I don't want to offend you, but your company IS selling IT Security consultancy. Are you leaving the companies you advise with such big risks?

We have had that a few weeks ago on this list: the fact that some people dare to sell security as soon as they can spell the word FIREWALL correctly.

--Joerg

-----Original Message-----
From: Christian Maxeiner [mailto:[email protected]]
Sent: Friday, 10 August 2001 11:06
To: [email protected]
Subject: [FW1] GUI cannot connect to server

I have a big problem connecting to our FW1 with the fwpolicy gui. We have Check Point VPN-1 Version 4.1 Build 41716 [VPN + DES + STRONG] installed on a HP-UX Platform. The Management-Module is on the same server.

The idea is to manage the FW with a gui from my home office by accessing the FW with ssh, adding the IP-address my ISP has given me to the gui-clients file and connect with the gui. But when I add my IP to the gui-clients file and try to connect with the gui, the gui says "cannot connect to server".

I have a gui installed on a client in my office at work which works fine. Even if I want to add a new client in my office at work, the new gui client says it cannot connect to server. I have the implied rules activated and when I look in fwlog I can see that my request is dropped by the firewall with the rule "any -- firewall -- any -- drop" which is one of my last rules.

When I allow the new client to connect with service "FW mgmt" explicitly in a new rule it works fine, but this can't be my solution because I want to connect to the firewall from my home office with changing ip-addresses. So the only way for me is to add the client's ip to the gui-clients file.

Has anybody heard about this strange behaviour?

Thanks in advance for answering me

Christian Maxeiner
[email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================