Hi Raul,
Yes, I caught that and the reference to split tunneling so your answer is correct (and I use it).
We don't want our end users to EVER browse the Internet without using our virus-scanning proxy, so we block all outbound HTTP traffic unless it's headed to our proxy server internal interface or to a private network range. If they're at home, they cannot browse the Internet without connecting in via SecureClient.
Some hotels require that you accept their Terms and Conditions of service on a web page before they will grant any outbound access, so we had to allow the private ranges so people could acknowledge the page and then connect up via SecureClient.
>I want to make sure that they never browse the internet without coming through our network.
The "never" was the part I keyed on. Unfortunately, once they are not VPNed in, they are open to getting infected with malware which can open an outbound connection from behind the firewall unless you have a restrictive outbound policy. That doesn't always work politically. :-)
Take care,
Ray
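Added example, not part of the original messages: the desktop rule described above (web traffic accepted only to the proxy or to private ranges, dropped otherwise) modelled as a first-match rule base and run over constructed flows. The proxy address, proxy port, rule names and sample flows are assumptions; the thread gives none of them.

```python
import ipaddress

# Constructed values: the thread gives no addresses or ports.
PROXY_IF = "10.1.1.10"      # assumed proxy internal interface
PROXY_PORT = 8080           # assumed proxy listener port
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918
WEB = {80, 443}             # HTTP / HTTPS

# Ordered, first-match rule base: (name, destination networks, ports, action)
RULES = [
    ("web-to-proxy",   (PROXY_IF + "/32",), WEB | {PROXY_PORT}, "accept"),
    ("captive-portal", PRIVATE,             WEB,                "accept"),
    ("direct-web",     ("0.0.0.0/0",),      WEB,                "drop"),
]

def match(dst, port, default="accept"):
    """Return (rule name, action) for the first rule matching dst:port.

    `default` models traffic that no rule names: "accept" for a permissive
    outbound policy, "drop" for a restrictive one.
    """
    addr = ipaddress.ip_address(dst)
    for name, nets, ports, action in RULES:
        if port in ports and any(addr in ipaddress.ip_network(n) for n in nets):
            return name, action
    return "implicit-default", default

def audit(flows, default="accept"):
    """Map each flow label to the decision the rule base gives it."""
    return {label: match(dst, port, default) for label, dst, port in flows}

# Constructed sample flows (203.0.113.5 is an RFC 5737 documentation address).
FLOWS = [
    ("browser via proxy",        "10.1.1.10",   8080),
    ("hotel terms page",         "192.168.1.1", 80),
    ("direct HTTP to Internet",  "203.0.113.5", 80),
    ("direct HTTPS to Internet", "203.0.113.5", 443),
    ("non-web port to Internet", "203.0.113.5", 6667),
]

if __name__ == "__main__":
    for label, (rule, action) in audit(FLOWS).items():
        print(f"{label:26} {action:6} ({rule})")
```

The last flow is decided only by the default action, which is the restrictive-outbound-policy point made above; pass `default="drop"` to see the restrictive case.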
From: "Millan, Raul" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1]
Date: Sat, 8 Jan 2005 22:02:59 -0500

Well, she mentioned that they're using SecureClient, so it shouldn't be a problem... and the proxy idea is great; all users should be proxied, even those connected via VPN.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 on behalf of Ray
Sent: Sat 1/8/2005 9:22 PM
To: [email protected]
Cc:
Subject: Re: [FW-1]

That will only work if they are connected in via SecureClient. If they're not connected it won't work. The only real hope is if they use a proxy server. A desktop security rule, connected or not, can drop all HTTP/HTTPS traffic that's not headed for the proxy.
Ray
>From: "Millan, Raul" <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1]
>Date: Sat, 8 Jan 2005 11:19:47 -0500
>
>Route all traffic thru gateway option, should work.
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of Lucero,
>Michael F
>Sent: Thursday, January 06, 2005 12:54 PM
>To: [email protected]
>Subject: [FW-1]
>
>We use SecureClient and would like to disable split tunneling for users;
>I want to make sure that they never browse the internet without coming
>through our network. Any ideas how this is/or can be done?
>
>Confidentiality Notice: This e-mail, including all attachments is for the
>sole use of the intended recipient(s) and may contain confidential and
>privileged information. Any unauthorized review, use, disclosure or
>distribution is prohibited unless specifically provided under the New
>Mexico Inspection of Public Records Act. If you are not the intended
>recipient, please contact the sender and destroy all copies of this
>message. -- This email has been scanned by the MessageLabs Email
>Security System.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email to
>[EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription options,
>email [EMAIL PROTECTED]
>=================================================
