Ray,

Try to uninstall Checkpoint packages on Nokia (from Voyager) and reboot.
Then reinstall Checkpoint on your Nokia.

BR,
-jamal-

PS. Before uninstalling the Checkpoint packages, back up your Checkpoint
packages to the other directory !!!




From: Ray Li <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]point.com>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Fw: [FW-1] Anti-spoofing warning
09/25/2002 04:40 PM
Please respond to Mailing list for discussion of Firewall-1






Bill,

Firstly, I appreciate your patience and time in giving me a detailed reply.
Unfortunately, I am still unable to get it thru.  Firstly, under the
Topology page, there are only 3 columns: start from the left - Name, IP
Address, Network mask.  There is no IP Addresses behind interface column.
After I select the interface and click Edit button, the Interface
Properties comes out but there is no "Topology" tab.  Therefore, I cannot
set External, Internet or IP range.  Could it be due to different version
of CheckPoint (I am using CP FP2 NG) or did I look at different area?

Thanks,

Ray

 ----- Original Message -----
 From: Bill
 To: [EMAIL PROTECTED]
 Sent: Wednesday, 25 September, 2002 01:28 p
 Subject: Re: [FW-1] Fw: [FW-1] Anti-spoofing warning

 I will answer the questions inline -- see below.
 Thanks for your advice.  I believe network object means the CheckPoint
 Host (Firewall) and opened it to Topology tab in Policy Editor.  There
 were two interfaces: eth-s1p1co and eth-s2p1co inside the table.

 [Bill]  In the "topology" section there is a summary section which lists
 the interfaces.  In the columns to the right, you will see what
 anti-spoofing option (if any) is already selected for each interface.

 The first one is connected to internet using a public IP and the second
 one to the local LAN using a private IP for the firewall.  After I clicked
 "Get Topology .." button, a caution showed that "Topology and
 anti-spoofing settings that are already defined will be overwritten by
 results of this operation that contradict them, if any.  Do you want to
 continue?"  It seems the anti-spoofing has been set before.  I have a
 query about the IPs to be filled in before I continue and seek your
 further advice.

 [Bill]  First of all, that message is a default.  You will always see it
 "just in case."  Anyway, you can view or edit settings by selecting the
 interface (I believe you can double-click or hit the "edit" button after
 selecting).  This will allow you to select an interface and view the
 current configuration.  From here you can change the options without
 "getting" your interfaces again.  You will only need to "get" the
 interfaces again if they are not correct.  Use your Nokia Voyager to
 verify that the interfaces are correct.

 1.  For the interface to internet, what should I put in the IP column?

 [Bill]  You should choose the "external interface" option in general. This
 is what most people would do.  If the firewall is only used for limited
 purposes AND external ip addresses, you could limit this further by
 creating a network object which contains the necessary ip addresses and
 select that.

 2.  For local LAN interface, our workstations are in the range of
 192.168.0.11 to 192.168.0.40.  How can I put a range of IP as there is
 only one space available?  Other IPs, i.e., network printer IPs, are not
 needed to be included here since they do not need to pass thru the
 firewall.

 [Bill]  There are various ways to deal with interfaces in general.  You
 can choose the option which allows for all ip addresses contained within
 the configuration of the interface.  If for example your interface was
 configured as 192.168.0.1/24 it would allow any 192.168.0.1 through
 192.168.0.255 addresses through.  You can also choose the option which
 allows for selecting a "single" network object.  I am not sure about the
 total list of what type of objects can be used here; maybe somebody else
 can help you there.  One option though, is to create a group with all the
 individual workstations (in your case 11 through 40) and select that
 group.  This does not scale well, but it is an option.  Another option
 might be able to create an "ip address range" object and use that here.  I
 am not sure if this option is allowed.  The "ip address range object" had
 very specific uses in the past.  Another option would be to create a
 network object or objects which is/are a subset of the actual network
 which would account for the necessary ip addresses.  This can also be
 tedious and is probably not necessary.  In your case, I would probably
 recommend using the network interface option and using the policy rulebase
 to further limit that to necessary objects.  No point in making your life
 more difficult than necessary for minimal gains  ;~}.  Use your common
 sense here.  Use the principle of least privilege where possible.

 Thanks,

 Ray


 From: Bill


 Sent: Wednesday, 25 September, 2002 03:27 a


 Open up the network object in the policy manager. Click on the topology
 tab. "Get" all your interfaces and verify that they are correct. Then
 drill down into each interface and choose from the options. I believe they
 are (not necessarily in the same order or words):


 --network defined by your interface configuration


 --a network object or group which would define all allowable networks


 --external interface


 The anti-spoofing is used to tell the firewall what source ip addresses
 are valid for traffic INBOUND on the port/interface in question. Be very
 careful and make sure that you are accounting for all necessary networks.
 I would recommend that you log this information as well so you can "see"
 when something is not being allowed through and determine the cause --
 right or otherwise.


 ----- Original Message -----


 From: Ray Li


 To: [EMAIL PROTECTED]


 Sent: Tuesday, September 24, 2002 12:38 PM


 Subject: [FW-1] Anti-spoofing warning


 I notice that my Nokia firewall shows a warning that "The 2 interface is
 not protected by the anti-spoofing feature. Your network may be at risk.
 In the future, it is recommended that you define anti-spoofing protection
 before installing the Security Policy." during bootup. I am using
 CheckPoint VPN Pro NG. To fix this problem, can someone help me configure
 the anti-spoofing on the CheckPoint NG version.


 Thanks,


 Ray
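
The following is an added example, not part of the thread and not Check Point code: a simplified Python model of the three per-interface anti-spoofing choices Bill lists, applied to the two interfaces and the workstation range Ray describes. The external address (203.0.113.2/24) is constructed, and treating "external" as "any source not claimed by another interface" is an assumption of this model.

```python
import ipaddress

# Interface names and the 192.168.0.x values come from the thread; the
# external address is a constructed documentation address (assumption).
TOPOLOGY = {
    "eth-s1p1co": {"mode": "external", "addr": "203.0.113.2/24"},
    "eth-s2p1co": {"mode": "interface", "addr": "192.168.0.1/24"},
}

def range_to_networks(first, last):
    """Turn an address range (workstations .11 to .40) into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

# Stricter variant: the LAN interface accepts only the workstation range.
TIGHT = dict(TOPOLOGY)
TIGHT["eth-s2p1co"] = {
    "mode": "group",
    "networks": range_to_networks("192.168.0.11", "192.168.0.40"),
}

def valid_sources(name, topology):
    """Networks accepted as source addresses INBOUND on one interface."""
    entry = topology[name]
    if entry["mode"] == "interface":   # network defined by the interface
        return [ipaddress.ip_interface(entry["addr"]).network]
    if entry["mode"] == "group":       # explicit object or group of networks
        return list(entry["networks"])
    return None                        # "external": decided by exclusion

def check_source(name, src, topology):
    """Return 'accept' or 'spoofed' for a packet arriving on `name`."""
    ip = ipaddress.ip_address(src)
    allowed = valid_sources(name, topology)
    if allowed is not None:
        return "accept" if any(ip in n for n in allowed) else "spoofed"
    # External: a source that belongs behind another interface is spoofed.
    for other in topology:
        nets = valid_sources(other, topology)
        if other != name and nets and any(ip in n for n in nets):
            return "spoofed"
    return "accept"
```

With the "group" variant, a LAN host outside .11 to .40 (a printer, say) is reported as spoofed on eth-s2p1co, which is the kind of drop Bill recommends logging so its cause can be determined.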
