Yes, I only have one public ip address. I like the idea of "spooling"
the mail on the firewall first and using the SMTP-->RESOURCE to "weed
out" script tags, applet tags, activex tags, ftp links, and port
strings. Using the SMTP-->RESOURCE also gives me the ability to define
the internal IP address of my email server so I don't have to define a
NAT rule. At least it works this way in NG FP3.

After the NGX R61 upgrade, the Tracker Log shows the email coming into the
firewall, but it is being "rejected" for Content Security by Standard
Rule #23, which is my last ANY ANY DROP rule. I'm testing this in a lab,
so inbound email is not down right now...



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Sergio
Alvarez
Sent: Friday, August 04, 2006 9:00 PM
To: [email protected]
Subject: Re: [FW-1] NGX and SMTP

Hello,

I noted you have a resource associated with the smtp traffic on the rule
you described, as far as I understand, a resource is used when you have
some sort of extra feature, for example a gateway antivirus that will
check mail before it is passed to the mail server itself, but you did not
mention anything about something like that in your message.
To be completely honest with you, I'm not knowledgeable of NG FP3, I've
been working with CP stuff just for 3 years and by the time I started,
NG AI R54 was already out, so I don't really know how FP3 used to manage
smtp traffic.
What I can tell you is that if in fact you do NOT have anything extra
for your email and the smtp traffic is supposed to just arrive to your
firewall and from there to your mail server, then you do NOT need any
resources configured on your rule, something like:

SRC      DST                     Service    Action
Any      <mail server Object>    SMTP       Accept

Should be enough.
Here the "<mail server object>" is in fact the object you should have
with the Mail server's IP address. Also, you must have some sort of NAT
rule to make sure the traffic received by the firewall will be forwarded
to your Mail server. Judging by the fact that your current rule has the
firewall itself as the destination, I would say most likely you do not
have a public IP reserved just for a static NAT for this server, but you
are using the same public IP of the firewall, which means that besides
the rule above, you will need to create a manual NAT rule on the NAT tab
of your Dashboard specifying that when SMTP traffic is received by the
firewall on its external IP, it should be NATed to the IP of the Mail
server.

I hope this info helps.

Regards

On 8/4/06, Jason Ebersole <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> I am currently running NG FP3 Enterprise on SecurePlatform. I took a 
> spare PC and installed NG FP3 and duplicated the configuration by 
> installing all the same patches and "restoring" from a "backup all"
> file, then I upgraded to NGX R61 Pro, not Express or Edge (which went 
> very well). I then temporarily pulled the production box running NG 
> FP3 and put the test box running NGX in its place.
>
> Everything seemed to be working fine, including a SecuRemote user a 
> few states away running an old client, but mail coming in from the 
> outside would not get through to my Exchange server. Here is how I 
> have NG FP3 configured to get mail to my Exchange Server:
>
> Source   Destination   If Via   Service          Action
> Any      firewall      any      smtp->resource   accept
>
> In the smtp->resource:
> General tab:
> I have the ip address of my internal Exchange Server in the Mail 
> Delivery Server field.
>
> This config works great in NG FP3. The Tracker Log shows the email 
> coming into the firewall, but it is being "rejected" for Content 
> Security by Standard Rule #23, which is my last ANY ANY DROP rule. I 
> nosed around in the SmartDefense configuration but didn't see anything
> obvious, but could easily have missed something being that I was in a
> hurry to figure it out (which I didn't) and get the production box
> back in place. I'm guessing there is a completely different way to
> spool mail on my gateway, then send it to my internal mail server, for
> NGX R61.
>
> Regards, Jason
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to 
> [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list, please see the instructions at 
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options, 
> email [EMAIL PROTECTED] 
> =================================================
>



--
Sergio Alvarez
(506)8301342
