Keep in mind that what you described here will work only if the firewall
in front of the SMC is a Check Point firewall so that you have the
check box to apply the rule for CP control connections.  If the firewall
in front of the SMC is a Cisco PIX, then you're out of luck.

If the firewall in front of the SMC is a Cisco PIX or Juniper, what you
described will not work.  You have to use the "dummy object" approach
as a workaround.  Even so, it is still ugly and not everything will work.

cisco4ng

Sergio Alvarez <[EMAIL PROTECTED]> wrote:

Deploying a remote gateway is similar to working in any distributed
environment; just bear in mind that if you go through the Internet, NAT will be
involved in the communication between this new box and your SmartCenter.

- The NAT tab of the SMC object has a check mark you must check to apply the
NAT rule to CP control connections
- You will need a static NAT for the SMC to be able to receive logs from the
external gateway
- Of course you must make sure security policies on any other gateways
between SMC and remote gateway have the required rules to allow traffic in
both directions
- Regarding the configuration of security rules for this particular remote
gateway, just make sure only rules that are supposed to be used by it have
the corresponding object in the "install on" column of the rule base.

If you were already able to establish SIC, you should also be able to use
SmartUpdate to attach the corresponding license.

About the issue with Web Intelligence, the other guys above me have already
touched all possibilities...  I think.

Hope this helps...

Regards

On 8/12/07, Jean-Paul Baillon wrote:
>
> Remotely managed gateway = Distributed Installation
>
> You will find a lot of docs on CP website
> http://www.checkpoint.com/support/technical/documents/index.html
>
>
> JP
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan
> Choyna
> Sent: Monday, 13 August 2007 9:10 AM
> To: [email protected]
> Subject: Re: [FW-1] Deploying new gateway to be remotely managed.
>
> Thanks Ray (and Sin) for your advice.
>
> Is there an SK for building and deploying a policy for a remotely
> managed gateway? or can anyone give me the basics?
>
> Thanks in advance,
>
> Alan
>
> At 05:15 PM 8/12/2007, Ray wrote:
> >There's an SK article on what protections require a WI license.
> >CPMAD, SQL Injection, LDAP Injection, and one other thing, if I recall
> >correctly. If you un-check those, you should be OK.
> >
> >Web Intelligence's biggest failing is that it does not work on SSL
> >traffic, which is where you really want to protect this kind of stuff.
> >FW-1 can't do SSL termination, which severely limits its inspection
> >ability.
> >
> >Apparently there used to be an add-in OPSEC card that did allow FW-1 to
> >do SSL inspection, but the vendor got bought out late last year and the
> >product was discontinued.
> >
> >Ray
> >
> >
> >>From: Alan Choyna 
> >>Reply-To: Mailing list for discussion of Firewall-1
> >>
> >>To: [email protected]
> >>Subject: [FW-1] Deploying new gateway to be remotely managed.
> >>Date: Sat, 11 Aug 2007 14:41:48 -0500
> >>
> >>Hi Gurus,
> >>
> >>We've just built a new SPLAT R62 gateway at a new data center to be
> >>remotely managed by a management server (with the same version of
> >>R62) at another data center.
> >>
> >>I was able to SIC the new gateway to the management server, so it is
> >>now ready to have a policy pushed to it.
> >>
> >>This is our first experience of setting up a remotely managed gateway,
> >>and I don't know how to set up its policy on the management server.
> >>
> >>Can someone please advise on the initial configuration of the policy for
> >>the new gateway on the management server?
> >>
> >>After getting SIC with the new gateway on the management server I
> >>cannot push policy to the cluster even when de-selecting the new
> >>gateway. I get the error message:
> >>
> >>Security and Address Translation  Policy Verification:
> >>Additional licenses for Web Intelligence are required.
> >>You have (0) Web Intelligence license installed, while (1) gateway is
> >>.involved in Web Intelligence protection.
> >>
> >>How do I disable Web Intelligence on the new gateway? Since I cannot
> >>connect to it remotely as yet (no policy). I have not yet installed
> >>its correct license, it's still running on the eval license for now.
> >>
> >>Thanks in advance for your advice,
> >>
> >>Alan
> >>
> >>
> >>Alan C. Choyna
> >>Director of Infrastructure
> >>
> >>Pathfinder Associates, LLC
> >>
> >>http://www.pathfinderassoc.com
> >>Internet Strategy Business Consultants
> >>mailto:[EMAIL PROTECTED]
> >>
> >>Business telephone (312) 372-1058 ext 6003. Mobile (773) 255-6662
> >>
> >>
> >>=================================================
> >>To set vacation, Out-Of-Office, or away messages, send an email to
> >>[EMAIL PROTECTED]
> >>in the BODY of the email add:
> >>set fw-1-mailinglist nomail
> >>=================================================
> >>To unsubscribe from this mailing list, please see the instructions at
> >>http://www.checkpoint.com/services/mailing.html
> >>=================================================
> >>If you have any questions on how to change your subscription options,
> >>email [EMAIL PROTECTED]
> >>=================================================



-- 
Sergio Alvarez
(506)8301342
