You're asking for the firewall to route Office Mode IP pool addresses outbound 
but only if a particular address is assigned and in use at that moment. I'd do 
a Request for Enhancement if you need that functionality built into the 
firewall.

You could drop the Office Mode subnet on your border router if you manage it. 
Since the Office Mode addresses are encapsulated in the VPN tunnel after they 
leave the firewall, they would not be visible to the router IF someone was 
using it. If someone did not have the address assigned, they would look like 
all other traffic and be visible to the router.

Ray

> Date: Fri, 21 Dec 2007 09:29:05 +0100
> From: [EMAIL PROTECTED]
> Subject: [FW-1] AW: [FW-1] Office-Mode egress filtering
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> 
> Ray, Reinhard,
> 
> thanks for your replies!
> Ray, 
> > Since you can use any IP range at all for Office Mode, it would be tough. 
> > Why is this an issue?
> Because this means that a) Routing Loops can happen in complicated 
> environments and b) Traffic can spill to the internet as far as the upstream 
> provider allows, which is most likely not what one would want.
> 
> Reinhard,
> > I guess if you set a manual route on the firewall 
> > to some external device (not your default router 
> > but any other IP out there) these packets will not access the internet.
> > Did you try a rule "lan -> office-mode-IP -> block"?
> Then I'd not be able to open connections to the office mode IPs, for remote 
> access and management for example. I thought about the easy solution ;)
> I didn't try adding a dummy route, though, and noticed that the office mode 
> IPs do not show up in the routing table of the OS (SPLAT in this case).
> 
> I'll give that a shot.
> 
> If anyone else has good ideas, I'm all ears.
> 
> Thanks,
> 
> Joerg
> 
> --
> 
> Joerg Weber M. A.
> Chief Security Officer
> 
> infoServe GmbH
> Am Felsbrunnen 15
> 66119 Saarbrücken - Güdingen
> 
> T: (0681) 8 80 08 - 59
> F: (0681) 8 80 08 - 33
> www.infos.de
> mailto: [EMAIL PROTECTED]  
> 
> Handelsregister: Amtsgericht Saarbrücken, HRB 11001
> Erfüllungsort: Saarbrücken
> Geschäftsführer: Dr. Werner Stein
> Ust-IdNr.: DE168970599
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
