Hi Markus,
Out of curiosity, why is it important? It's also odd because in a simplified
VPN policy, which is required for managed Edge boxes, the external interfaces
of regular FW-1 boxes are automatically included in the encryption domain.
Is it possible that the Edge external interfaces are, but the traffic you're
using is getting accepted on an implied rule (which is always before the
VPN rules)? It doesn't sound like it because of the group thing you're
doing, though.
Ray
From: Markus Schmidt <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] Gateway always in Encryption Domain?
Date: Wed, 29 Nov 2006 17:05:09 +0100
Hi
We're talking about VPN-1 Edges with the latest firmware and an NGX
R61_HFA01 Gateway/Management.
I have the following situation: a central gateway and some Edges (with
dynamic addresses) living in a Star Community. The traffic from behind the
Edges (their encryption domains) goes perfectly through the VPN, while the
traffic originating directly from the Edges does not.
In SmartDashboard, I have network objects for the Edges' encryption
domains. These network objects are used for manually defining the Edge
encryption domains.
A workaround is to replace these network objects with group objects
containing the network objects AND the Edge object. This seems ugly to me,
but it works.
Is there a better way? Is there a switch like "the gateway is always in
the encryption domain", or something like that?
--
http://schmidt.bs-server.com
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================