I always preferred to turn off all the implicit rules and define them
explicitly. You can see them better, have more granular control, you can set
the order as needed, and they upgrade just as well as any other rules. If
you don't want to have them clogging up your policy view, just hide them
like implicit rules would be.

The only hang-up is, you have to know how to define them since they aren't
automatically provided.

On 2/9/06, Chris McGill <[EMAIL PROTECTED]> wrote:
>
> The CPMI resource which is used to connect the SMARTConsole to the
> SMARTCenter is an implicit rule in Global Properties, which is applied before
> the encryption rule, hence it will be presented to the peer gateway
> unencrypted.
>
> You can edit the implied_rules.def on the SMARTCenter, then create an
> explicit rule for CPMI and assign it to a VPN community.
>
> SK25867
>
>
> 1.      Edit $FWDIR/lib/implied_rules.def on the SmartCenter Server.
>
> 2.      Locate and comment the define ENABLE_CPMI line (by adding "//"):
>
>         Before:
>         #define ENABLE_CPMI
>
>         Change to:
>         //#define ENABLE_CPMI
>
>
> 3.      Locate and modify #define accept_cpmi_reverse. This modification
> varies depending on the Gateway version:
>
>         NG with Application Intelligence R55:
>         Line 270 : #define accept_cpmi_reverse
>
>         Change to:
>         #define accept_cpmi_port_reverse
>
>         NGX R60:
>         Line 327 : #define accept_cpmi_reverse
>
>         Change to:
>         #define accept_cpmi_port_reverse
>
>
> 4.      Create specific CPMI rules for VPN Communities.
>
> 5.      Install the Security Policy.
>
> Note:
> This change does not survive upgrades. Back up this file for reference, if
> installing an HFA or upgrading.
>
> Workaround:
> If you have VPN-1 SecureClient available with Visitor Mode and Office Mode
> enabled, you can use SecureClient in Visitor Mode to connect to the Security
> Gateway that protects the SmartCenter. Then use the SMART client
> (SmartDashboard) over the Visitor Mode connection.
>
> You will have to use the ipassignment.conf file on the Gateway, to assign
> SecureClient users a static IP address and also allow that IP address as a
> GUI client. This enables clients behind an Edge XU (for example) to obtain a
> static IP when necessary.
>
>
>
>
> ________________________________
>
> From: Mailing list for discussion of Firewall-1 on behalf of Michael Kelly
> (HRG)
> Sent: Wed 08/02/2006 18:07
> To: [email protected]
> Subject: [FW-1] SmartDashboard to SmartCenter Server over VPN fails to
> connect
>
>
>
> When I try to connect to the SmartCenter server using SmartDashboard over a
> VPN, it fails to connect.
> The logfile shows "encryption failure: Different community ID, possible NAT
> problem (VPN Error code 02)".
> The strange thing is, I can ssh to the same SmartCenter server from the
> same PC over the same VPN without any problems.
> I can also connect to any other device on the internal LAN without any
> problems.
> The VPN is between a VPN-1 Edge box and a ClusterXL system running NG AI
> R55.
>
> What do I need to do to get GUI connectivity?
>
> Thanks in advance,
> Michael.
>
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
>

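Since the SK25867 edit to implied_rules.def does not survive an HFA or upgrade, a quick post-upgrade audit is worth having. The helper below is an added example, not code from the thread or from Check Point; it assumes the file layout the thread describes (a "#define ENABLE_CPMI" line to be commented out, and "#define accept_cpmi_reverse" renamed to "accept_cpmi_port_reverse") and reports whether both edits are still in place.

```shell
#!/bin/sh
# Added audit helper (not from the thread or Check Point): check whether the
# SK25867 edits to $FWDIR/lib/implied_rules.def are present, e.g. after an HFA
# or upgrade has replaced the file. Returns 0 if both edits are present,
# 1 if either is missing, and prints one finding per check.
check_cpmi_override() {
    file="$1"
    status=0

    # Edit 1: the ENABLE_CPMI define must be commented out with "//".
    if grep -Eq '^[[:space:]]*//[[:space:]]*#define[[:space:]]+ENABLE_CPMI([[:space:]]|$)' "$file"; then
        echo "ok: ENABLE_CPMI is commented out"
    elif grep -Eq '^[[:space:]]*#define[[:space:]]+ENABLE_CPMI([[:space:]]|$)' "$file"; then
        echo "MISSING: ENABLE_CPMI still active (implied CPMI rule applies before encryption)"
        status=1
    else
        echo "WARN: no ENABLE_CPMI line found; file layout differs from what was expected"
        status=1
    fi

    # Edit 2: accept_cpmi_reverse must have been renamed to accept_cpmi_port_reverse.
    if grep -Eq '^[[:space:]]*#define[[:space:]]+accept_cpmi_port_reverse([[:space:]]|$)' "$file"; then
        echo "ok: accept_cpmi_port_reverse is defined"
    else
        echo "MISSING: accept_cpmi_port_reverse is not defined"
        status=1
    fi
    if grep -Eq '^[[:space:]]*#define[[:space:]]+accept_cpmi_reverse([[:space:]]|$)' "$file"; then
        echo "MISSING: accept_cpmi_reverse is still defined"
        status=1
    fi

    return $status
}

# Typical use on the SmartCenter Server (path from the thread; FWDIR is set by
# the Check Point environment):
#   check_cpmi_override "$FWDIR/lib/implied_rules.def"
```

Run it from a post-upgrade checklist: a non-zero exit means the implied CPMI rule is back and the explicit VPN-community rules are no longer the ones handling SmartDashboard traffic.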