Hi,

I think you should draw and connect properly your networks behind some other
gateway/router (aka your 10.2.3.0/24) on the SmartMap. Indeed, changes on
SmartMap can modify the topology.

--
Fabrice  Barutel
Administrateur réseau et sécurité
[EMAIL PROTECTED]

------------------------------

Date:    Thu, 5 Jul 2007 15:47:22 -0700
From:    Crist Clark <[EMAIL PROTECTED]>
Subject: Problems Fixed in >R60?

Just got finished trying to make some topology changes
on a firewall cluster. Note "trying." Had some problems
that kept me from finishing in the maintenance window.
I think I have workarounds for these R60 clusters and
SmartCenter, but I was wondering if anyone can confirm
or deny whether these issues are fixed in later versions.

Automated topology downloads don't understand gateways
on directly connected networks that aren't local to the
interface IP. For example (on a Solaris box), I've got an
interface with a network and IP of, 192.168.100.193/28,
and the network 192.168.100.120/29 is directly connected,

 # route add -net 192.168.100.120 -netmask 255.255.255.248 192.168.100.193 -iface

Now there are a bunch of networks routed through a gateway
on that network,

 # route add -net 10.2.3.0 -netmask 255.255.255.0 192.168.100.121

But an automated topology download doesn't understand that
10.2.3.0/24 is off of that interface. The networks just get
ignored.

The next problem is with anti-spoofing choosing the most
specific route. This is the most annoying. It makes automated
topology downloads useless. If I have the network 172.16.0.0/15
off of one interface, but any subnets, even one host 172.16.45.6,
from that network off of another, I can't do automated downloads.
Although this is trivial to do for routing,

 # route add -net 172.16.0.0 -netmask 255.254.0.0 192.168.100.121
 # route add 172.16.45.6 192.168.200.1

It doesn't work in the topology. I need to break down the supernet
into all of the smaller components necessary to specify the networks
with no overlap,

        172.16.0.0/19
        172.16.32.0/21
        172.16.40.0/22
        172.16.44.0/24
        172.16.45.0/30
        172.16.45.4/31
 -->    172.16.45.6/32  <-- Here it is!
        172.16.45.7/32
        172.16.45.8/29
        172.16.45.16/28
        172.16.45.32/27
        172.16.45.64/26
        172.16.45.128/25
        172.16.46.0/23
        172.16.48.0/20
        172.16.64.0/18
        172.16.128.0/17
        172.17.0.0/16

Which, as shown, can be very, very painful.

Anyone know if these are fixed in any versions >R60?
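
The manual breakdown described in the message above can be generated rather than typed by hand. This is an added example, not part of the original post: it uses Python's standard `ipaddress` module, and the interface labels `if_a` and `if_b` are hypothetical names for the two interfaces behind 192.168.100.121 and 192.168.200.1.

```python
import ipaddress

def carve(net, holes):
    """Prefixes that cover `net` minus every network in `holes`."""
    remaining = [net]
    for hole in holes:
        kept = []
        for piece in remaining:
            if hole.subnet_of(piece):
                # address_exclude yields the piece's complement around the hole
                kept.extend(piece.address_exclude(hole))
            elif not piece.subnet_of(hole):
                kept.append(piece)  # unrelated to this hole, keep it whole
        remaining = kept
    return sorted(remaining)

def topology(routes):
    """Map interface -> non-overlapping prefixes; the most specific route wins."""
    parsed = [(ipaddress.ip_network(p), iface) for p, iface in routes]
    result = {}
    for net, iface in parsed:
        # More-specific prefixes routed out of a different interface
        holes = [o for o, other in parsed
                 if other != iface and o != net and o.subnet_of(net)]
        result.setdefault(iface, []).extend(carve(net, holes))
    return {iface: sorted(nets) for iface, nets in result.items()}

# Constructed input mirroring the two routes in the message;
# if_a and if_b are hypothetical interface labels.
ROUTES = [
    ("172.16.0.0/15", "if_a"),
    ("172.16.45.6/32", "if_b"),
]

if __name__ == "__main__":
    for iface, nets in topology(ROUTES).items():
        print(iface)
        for n in nets:
            print("   ", n)
```

The `if_a` list is what would have to be entered as that interface's anti-spoofing group; it does not handle the same prefix appearing on two interfaces, which is a routing conflict rather than an overlap.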
