Re: [FW1] Install on ..



Mohamed,
    No worries, mate.  Here goes:
    If you look into the Policy->Properties menu on the toolbar, you
will see an enforce on interface direction option.  This allows you to
set a particular behavior as a global policy, that is,


External-net->fw-IF->Inbound-Check->Route-Nat->outbound-Check->internal-net 
(internal and external are relative to the source of transmission)

So, Eitherbound uses both policy checks, validating that even users on
the firewall box will have the relevant policy applied.
      Inbound prevents hacks to the firewall by checking packets before
they arrive at the IP stack.
      Outbound only checks packets after they have passed routing.

These options were instituted in the days of low processor capability,
but because of large enterprise customers who had learned to deal with
the behavior of NAT with regard to these rules, Check Point apparently left
them in.

Now to your question:
If you manually specify an install-on target such as "ClusterobjectA",
the rules will automatically be enforced Eitherbound.
If you specify Destination, this will have policy enforced on the
inbound direction, and Source will refer to the outbound.

You can contact me in a private email should you desire more
clarification.

Cheers,
CT

Mohamed Maraikayar wrote:

> This may be an elementary question, but I am helpless now. In the Check Point rule base, what is the difference between Install on source, destination, or routers or gateways? I read the secadmin PDF of Check Point, but couldn't understand the difference. I have, by default, chosen install on gateways. But if we give install on source, all outbound connections from that source are checked. The prime objective is also achieved when we give install on gateways. Could anyone clear me with simple words?
> Thanks,
> Mohamed.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


   All contents © 2004 Network Presence, LLC. All rights reserved.