Jim, I fully agree with your logic, which is similar to that of the rule verification logic. This appears to be a bug. I had a chance to speak with CP R&D about these observations at CPX yesterday and they too preliminarily think so. You can perhaps open a ticket, or if you would like to, let us talk offline.

Rajeev.

On 5/31/07, Jim Johnson <[EMAIL PROTECTED]> wrote:
Prior to upgrading to R65 I'm almost positive that I could ping a node via its automatic static NAT address if I allowed pings to the network that contains the node object. Since upgrading to R65 I can only ping this host if I have a rule explicitly allowing ping access to this node object. Clear as mud? I thought so; an example follows:

  myHost IP                      = 1.1.1.1
  myHost automatic static NAT IP = 2.2.2.2
  myHostNet                      = 1.1.1.0/24

In the pre-R65 days I had one rule like this:

  rule 1:  any  myHostNet  icmpEchoRequest  accept  log

and I could ping 2.2.2.2. Now with R65 my pings to 2.2.2.2 don't match rule 1 and are instead dropped by my cleanup rule. If I change rule 1 to this:

  rule 1:  any  myHost  icmpEchoRequest  accept  log

the pings work again. To make things even stranger, if I create two rules like this:

  rule 1:  any  myHostNet  icmpEchoRequest  accept  log
  rule 2:  any  myHost     icmpEchoRequest  accept  log

I get an error message upon policy verification stating this:

  "Verifier warnings: Rule 1 Hides rule 2 for services echo-request"

So obviously the policy verifier (like me) thinks that rule 1 should allow the pings through, but it just doesn't work.

To try to state my problem another way: when a network object's address space contains the IP defined in the general properties of a node object, the rule should apply to all traffic to both the node object's general IP and its automatic static NAT IP. I'm almost certain this is the way it worked in pre-R65 days (I used R61, R60, R55). Can anyone confirm this for me? In the old versions of the firewall could you simply list the network object and have the rule work for host objects' automatic static NAT IPs?

In my mind, when you allow traffic to the network object it should allow all traffic to that network, regardless of whether it gets there through a NAT or not. Additionally, having to explicitly list host objects increases the rule base size and complexity, and I'm a big fan of simplicity.

TIA,
Jim

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
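The contradiction Jim describes (the verifier says rule 1 hides rule 2, yet only rule 2 matches the ping to the NAT address) is easy to reproduce in a small rule-matching model. The following Python is an added illustration, not Check Point code and not something from the thread; it assumes two things that are consistent with what Jim observed but that the thread does not state as fact: (1) rules are matched against the packet as it arrives, with its destination still the NAT address, and a host object with automatic static NAT matches both its real and its NAT IP, while a network object matches only its own address range; (2) the verifier's "hides" check compares object address ranges from general properties only, ignoring NAT addresses. The objects myHost, myHostNet and the rules are Jim's; the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    static_nat: Optional[str] = None  # automatic static NAT address, if configured

    def matches(self, ip: str) -> bool:
        # Model assumption: a host object with automatic static NAT matches
        # packets addressed to its real IP and to its NAT IP.
        addr = ipaddress.ip_address(ip)
        if addr == ipaddress.ip_address(self.ip):
            return True
        return self.static_nat is not None and addr == ipaddress.ip_address(self.static_nat)

    def defined_range(self) -> Tuple[int, int]:
        # What the verifier sees: only the general-properties IP.
        a = int(ipaddress.ip_address(self.ip))
        return (a, a)


@dataclass(frozen=True)
class Network:
    name: str
    cidr: str

    def matches(self, ip: str) -> bool:
        # Model assumption: a network object covers only its own range; the NAT
        # addresses of hosts that live inside it are not part of that range.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)

    def defined_range(self) -> Tuple[int, int]:
        net = ipaddress.ip_network(self.cidr)
        return (int(net.network_address), int(net.broadcast_address))


@dataclass(frozen=True)
class Rule:
    number: int
    dst: Union[Host, Network]
    service: str
    action: str


def first_match(rules: List[Rule], dst_ip: str, service: str) -> Optional[Rule]:
    """First rule whose destination object and service match the packet as it
    arrives at the gateway. None means it falls through to the cleanup rule."""
    for r in rules:
        if r.service == service and r.dst.matches(dst_ip):
            return r
    return None


def hides(upper: Rule, lower: Rule) -> bool:
    """Verifier-style check on object definitions alone: the upper rule hides
    the lower one if, for the same service, its destination range covers the
    lower rule's destination range."""
    if upper.service != lower.service:
        return False
    lo_u, hi_u = upper.dst.defined_range()
    lo_l, hi_l = lower.dst.defined_range()
    return lo_u <= lo_l and hi_l <= hi_u


# Constructed objects mirroring the post.
MY_HOST = Host("myHost", "1.1.1.1", static_nat="2.2.2.2")
MY_HOST_NET = Network("myHostNet", "1.1.1.0/24")
ECHO = "echo-request"


def scenario() -> dict:
    """Replay the three policies from the post against a ping to 2.2.2.2."""
    net_only = [Rule(1, MY_HOST_NET, ECHO, "accept")]
    host_only = [Rule(1, MY_HOST, ECHO, "accept")]
    both = [Rule(1, MY_HOST_NET, ECHO, "accept"), Rule(2, MY_HOST, ECHO, "accept")]
    matched_both = first_match(both, "2.2.2.2", ECHO)
    return {
        "net_rule_matches_real_ip": first_match(net_only, "1.1.1.1", ECHO) is not None,
        "net_rule_matches_nat_ip": first_match(net_only, "2.2.2.2", ECHO) is not None,
        "host_rule_matches_nat_ip": first_match(host_only, "2.2.2.2", ECHO) is not None,
        "verifier_says_rule1_hides_rule2": hides(both[0], both[1]),
        "rule_hit_by_nat_ping_with_both_rules": matched_both.number if matched_both else None,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Under these assumptions the network-only policy passes a ping to 1.1.1.1 but drops one to 2.2.2.2, the host-only policy passes it, and with both rules present the verifier flags rule 1 as hiding rule 2 while the NAT ping is in fact matched by rule 2, which is exactly the combination reported above. The practical check for a reviewer is the one Jim's post implies: a verifier warning built from object ranges alone is not evidence that a rule matches NAT-addressed traffic; confirm with the log entry for the actual packet.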
