Re: [FW-1] Secure Configuration Verification

[Paul Murphy <fw1@FW1-NOSPAMZENCORE.BIZ>]

Right...

So I have changed to Traditional Mode.  Now I have something weird going
on.

The clients sends scv_keep_alive packets to the gateway, which is fine.
But it is also sending them to the host it is trying to access.

So for instance if I have a webserver in the encrypted domain, if I http
to it from the client, a keep alive is issued with a destination IP of
the webserver.

If I don't allow these packets, then the client cannot connect to the
webserver... if I allow them it can.

This behaviour doesn't match the documentation - actually the
documentation is a bit vague on this part.

Does this match anyone elses experience?

Thanks,

Paul

>>> hannu.liljemark@LAUREA.FI 11/07/2003 06:04:53 >>>

On Thu, Jul 10, 2003 at 04:39:00PM +0300, Paul Murphy wrote:

> However under FP3 the Client Encrypt is implied by the VPN defined in
> the VPN Manager, and also in the Desktop Policy. Neither of these tabs
> appears to have a way of defining which rules only be in place if the
> Desktop is secure.

You have the setting under Global Settings / Remote Access /
SCV, first one there I think, that says apply the control also
to simplified. I haven't see simplified vpn allowing same kind of
control over access to internal resources if desktop is unsecure
like you get with traditional mode - it's just "apply to all
remote access" or "don't do it at all".

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================