
Re: [FW-1] Shealth rule



Ray,
 
Although you can tunnel Voyager through SSH, it is simpler to configure Voyager to use SSL. You will then have to add a rule like:

source=Mng PC   dest=Firewall   service=HTTPS   action=accept

You need to configure a Certificate (unless you have your own CA) for the firewall within Voyager and then you must enable Voyager to use SSL. Although this sounds fairly simple, it is not obvious and can be rather confusing.

Rather than waste space here, I have a rather large document that goes into this and many other aspects in far more detail. If you like, I could email this directly to you.

Regards, Derin
-----Original Message-----
From: Ray Li [mailto:[email protected]]
Sent: Fri 06/09/2002 08:10
To: [email protected]
Cc:
Subject: Re: [FW-1] Shealth rule

T Jani,
 
Sorry to bother you again.  Today I used Voyager to access the firewall without success.  I looked at the log view.  It used HTTP to access the firewall, so it was dropped.  I have enabled the SSH daemon in Voyager already.  Do I need to add the HTTP service in the rule?
 
Thanks,
 
Ray
----- Original Message -----
Sent: Thursday, 05 September, 2002 03:23 p
Subject: Re: [FW-1] Shealth rule

Yes. Sorry, that info was for FW-1 version 4.1; here's the info for NG FP2:

New -> Node -> host

and SSH is already defined in NG, I can see that =)

and the rule comes from the Rule menu on NG, not Edit. Checkpoint changes everything in every version =)

Hope that helps. Remember to enable the SSH daemon for IPSO from Voyager, otherwise it's useless. Check also the LOG for this rule, btw!

I meant the SOURCE DESTINATION ACTION (TRACK) field; choose LOG there.

T: Jani

 

-----Original Message-----
From: Ray Li [mailto:[email protected]]
Sent: 5 September 2002 9:14
To: [email protected]
Subject: Re: [FW-1] Shealth rule

 

Jani,

 

Many thanks for your detailed procedure.  I am very new to CheckPoint NG FP2 and have just tried to use it a few times.  As I have not created a new defined object, I am unsure of the correct procedure, and your explanation is very helpful.

However, I could not create the object "ssh client computer" following your procedure.  In the drop-down list of New object, I could not find "Workstation". Under the New drop-down list, it has Check Point, Node, Interoperable Device, Network, Domain, OSE Device, Group, Logical Server, Address Range, Dynamic Object, VoIP Domains.  Probably you are referring to an old version of CheckPoint and we just installed new CheckPoint software.  Any idea about the equivalent object in my version?

 

Thanks,

 

Ray

----- Original Message -----

Sent: Thursday, 05 September, 2002 04:33 a

Subject: Re: [FW-1] Shealth rule

 

You mean how to make that rule?

I may be telling you really easy things here, but I am not sure what you meant =)

If so, make a network object for your "ssh client computer" (manage -> network objects -> new -> workstation) and put there its name and a static IP for it; the name can be whatever you wish.

You may also have to define the SSH service (manage -> services -> new -> tcp -> name SSH, port 22).

Add a new rule to the top of the rule base (edit -> add rule -> top). Now you should see a rule like ANY ANY ANY DROP.

Change the new rule as below, using the new objects you just created.

source(new network object you just created)         destination(Firewall object)               service(SSH/telnet)

 

Jani

-----Original Message-----
From: Raymond Li [mailto:[email protected]]
Sent: 4 September 2002 13:33
To: [email protected]
Subject: Re: [FW-1] Shealth rule

 

Jani,

 

Thanks for your suggestion.  Could you please advise how to create the source (ssh/telnet client).

 

Best regards,

 

Ray

----- Original Message -----

Sent: Wednesday, 04 September, 2002 12:57 a

Subject: Re: [FW-1] Shealth rule

 

For normal operations on the box you should use SSH, and maybe configure port forwarding as well for Voyager over SSH, or just set Voyager to use SSL.

And you should make another rule above the stealth rule to allow (SSH / Telnet) to your FW from the computer you want:

source(ssh/telnet client)         destination(Firewall)               service(SSH/telnet)

 

Regards, Jani Huovinen

 

-----Original Message-----
From: Ray Li [mailto:[email protected]]
Sent: 3 September 2002 17:18
To: [email protected]
Subject: Re: [FW-1] Shealth rule

 

Alok,

 

Thanks for your kind advice.

 

In the Stealth rule, I use drop as the action.  Should your suggested rule be placed above or below the Stealth rule?

 

Regarding your kind advice about the security hole, currently I use the CheckPoint GUI to manage the firewall software and telnet + browser to manage the Nokia IPSO.  Do you mean I can use only the browser to manage the IPSO?  I am a new administrator of the firewall and I have not compared all features of these two ways.  Does Nokia have a similar CheckPoint GUI to manage all functions of IPSO?

 

Thanks,

 

Ray

----- Original Message -----

Sent: Tuesday, 03 September, 2002 08:19 p

Subject: Re: [FW-1] Shealth rule

 

Hi Ray,

Enable the Stealth rule, which should look like this:

Any    Firewall Object    Any    Drop/Reject

Enable it by saying Accept in the Action field AND put a rule as follows:

Telnet Machine    Firewall Object    Telnet    Accept

But I'd advise you not to use Telnet in such a scenario (as this will open a security hole in your network); instead, use the remote GUI client feature to log onto the Nokia Firewall.

 

Regards,

 

Alok Mohan Gupta
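The rule ordering the replies recommend (Alok's Telnet/Accept rule above the stealth rule, Jani's "another rule above stealth rule", and Derin's HTTPS rule for Voyager over SSL) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from Check Point: the object names "Mng PC", "Firewall" and "Other Host", the rule names, and the simplified matching (an exact object name or the Any wildcard per field) are assumptions made for illustration.

```python
# Added example, not from the thread: a first-match evaluator for a
# Check Point-style rule base. It shows why the management-access rules
# must sit ABOVE the stealth rule, and flags rules shadowed by an earlier
# one. Object and rule names are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str         # network object name, or ANY
    destination: str    # network object name, or ANY
    service: str        # service name (SSH, HTTPS, ...), or ANY
    action: str         # "accept" or "drop"
    track: str = "Log"  # the thread recommends logging these rules


@dataclass(frozen=True)
class Connection:
    source: str
    destination: str
    service: str


def _covers(field: str, value: str) -> bool:
    """True if a rule field matches a value (exact name or the Any wildcard)."""
    return field == ANY or field == value


def first_match(rulebase: List[Rule], conn: Connection) -> Optional[Rule]:
    """Top-down, first-match evaluation as FW-1 does it. None means no
    explicit rule matched and the implicit cleanup (drop) applies."""
    for rule in rulebase:
        if (_covers(rule.source, conn.source)
                and _covers(rule.destination, conn.destination)
                and _covers(rule.service, conn.service)):
            return rule
    return None


def decide(rulebase: List[Rule], conn: Connection) -> str:
    rule = first_match(rulebase, conn)
    return rule.action if rule is not None else "drop"


def shadowed_rules(rulebase: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers
    every connection they could match (simple single-object case)."""
    shadowed = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and _covers(earlier.service, later.service)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed objects: "Firewall" is the firewall's own object, "Mng PC" the
# administrator's workstation (as in Derin's HTTPS rule).
STEALTH = Rule("stealth", ANY, "Firewall", ANY, "drop")
MGMT_SSH = Rule("mgmt-ssh", "Mng PC", "Firewall", "SSH", "accept")
MGMT_HTTPS = Rule("voyager-ssl", "Mng PC", "Firewall", "HTTPS", "accept")

# Stealth rule first: both management rules are shadowed and never fire.
RULEBASE_STEALTH_FIRST = [STEALTH, MGMT_SSH, MGMT_HTTPS]
# Management rules above the stealth rule: what the replies recommend.
RULEBASE_MGMT_FIRST = [MGMT_SSH, MGMT_HTTPS, STEALTH]


def main() -> None:
    # Constructed probes: admin SSH, Voyager over plain HTTP (Ray's dropped
    # attempt), Voyager over SSL, and SSH from some other host.
    probes = [
        Connection("Mng PC", "Firewall", "SSH"),
        Connection("Mng PC", "Firewall", "HTTP"),
        Connection("Mng PC", "Firewall", "HTTPS"),
        Connection("Other Host", "Firewall", "SSH"),
    ]
    for label, rb in (("stealth first", RULEBASE_STEALTH_FIRST),
                      ("mgmt first", RULEBASE_MGMT_FIRST)):
        print(f"== {label}: shadowed rules = {shadowed_rules(rb)}")
        for c in probes:
            hit = first_match(rb, c)
            print(f"  {c.source:>10} -> {c.destination} {c.service:<5} "
                  f"{decide(rb, c)} ({hit.name if hit else 'implicit drop'})")


if __name__ == "__main__":
    main()
```

Run as a script to print the decision and the matching rule for each probe. With the stealth rule first, `shadowed_rules` reports both management rules, which is exactly the condition behind the dropped telnet and Voyager connections in the thread; with the management rules first, only HTTP from the management PC and SSH from any other host still hit the stealth rule.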

-----Original Message-----
From: Raymond Li [mailto:[email protected]]
Sent: Tuesday, September 03, 2002 3:34 PM
To: [email protected]
Subject: [FW-1] Shealth rule

I have a stealth rule as the first rule.  I cannot telnet to the Nokia firewall.  Can someone tell me if I can modify it to accept telnet within the internal network, or if I need a new rule?

 

Thanks,

 

Ray

 
