You should ask for a refund. And charge them with loss of business (talk with your lawyers for this).

What good is a firewall if anyone can access any available service from anywhere?

ANY-FIREWALLS-ANY-ACCEPT -> this means that I can access your firewalls from outside your network. This should most likely be: INTERNAL-FIREWALL-ANY-ACCEPT

Is there a bottom rule (last rule in your policy) like this: ANY-ANY-ANY-DROP? If not, add it.

You might only want to FORWARD your HTTP and SMTP traffic to the machines that are your web and mail server. I presume that the firewalls are not your web or your mail server.

Pete

-----Original Message-----
From: LAN Guy [mailto:enzo_the_baker@;HOTMAIL.COM]
Sent: Monday, October 21, 2002 11:00 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Incompetent Checkpoint Partner??

I recently engaged a CP Partner to upgrade my 4.1 firewall to a pair of NG enforcement modules running ClusterXL. The next day when all hell started breaking loose (VPNs not working, no SMTP traffic allowed, interfaces bouncing), I took a look at the way the firewalls and policy were set up and discovered what I believe to be some pretty major no-no's. I think I know the answers to the following questions, but I'd appreciate opinions and a "sanity check" from some of the experts out there on the following:

1) In a CP NG fp2 cluster running on Win2K, what would be the effect or risk of the following rule?

   ANY---{both firewalls and the management station}---ANY---ACCEPT

2) Given the previous condition, what would be the effect or risk of having the following services running on both firewalls? (output from port scanner):

   Open Ports (7)
   21   [ Ftp ]           220 {system name} Microsoft FTP Service (Version 5.0).
   25   [ Smtp ]          220 {system name} Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
   80   [ Http ]
   135  [ epmap ]
   139  [ Netbios-ssn ]
   443  [ HttpS ]
   445  [ Microsoft-Ds ]

3) The big question: Should a CheckPoint authorized "Value Added Solution Provider" who set up a firewall in this manner be considered competent? This was their second attempt at this upgrade -- should I give them another chance to get it right or cut my losses and move on?

Thanks for your input and insights.

=================================================
To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
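As an added illustration (not code from the thread or from Check Point), here is a toy first-match rulebase model in Python that contrasts the installed ANY-FIREWALLS-ANY-ACCEPT rule with the INTERNAL-FIREWALL-ANY-ACCEPT plus bottom ANY-ANY-ANY-DROP layout Pete describes. The network objects, addresses and the "unmatched traffic is dropped without a log" behaviour are constructed assumptions for the example, not the poster's real configuration.

```python
import ipaddress

# Constructed network objects (assumed addresses, not the poster's real ones).
# None means the object matches any address.
OBJECTS = {
    "ANY": None,
    "INTERNAL": [ipaddress.ip_network("10.0.0.0/8")],
    "FIREWALLS": [ipaddress.ip_network("192.0.2.1/32"),
                  ipaddress.ip_network("192.0.2.2/32")],
    "WEBSERVER": [ipaddress.ip_network("10.1.0.80/32")],
}

def matches(obj, ip):
    nets = OBJECTS[obj]
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

def evaluate(rulebase, src, dst, port):
    """First-match evaluation. Returns (action, rule_no).
    rule_no is None when no rule matched (assumed: dropped, but not logged)."""
    for no, (s, d, svc, action) in enumerate(rulebase, 1):
        if matches(s, src) and matches(d, dst) and (svc == "ANY" or port in svc):
            return action, no
    return "DROP", None

# Rulebase as the poster found it: the cluster members accept everything.
AS_INSTALLED = [
    ("ANY", "FIREWALLS", "ANY", "ACCEPT"),
    ("ANY", "WEBSERVER", {80, 443}, "ACCEPT"),
]

# Rulebase following the reply: firewall access only from inside, explicit cleanup rule.
CORRECTED = [
    ("INTERNAL", "FIREWALLS", "ANY", "ACCEPT"),
    ("ANY", "WEBSERVER", {80, 443}, "ACCEPT"),
    ("ANY", "ANY", "ANY", "DROP"),   # bottom rule so unmatched traffic is dropped and logged
]

def lint(rulebase):
    """Flag the two problems raised in the thread."""
    findings = []
    for no, (s, d, svc, action) in enumerate(rulebase, 1):
        if s == "ANY" and d == "FIREWALLS" and svc == "ANY" and action == "ACCEPT":
            findings.append(f"rule {no}: firewalls reachable on every service from anywhere")
    if rulebase[-1] != ("ANY", "ANY", "ANY", "DROP"):
        findings.append("no explicit ANY-ANY-ANY-DROP cleanup rule at the bottom")
    return findings
```

With these objects, an outside host reaching port 135 on a cluster member is accepted by rule 1 of AS_INSTALLED and dropped by rule 3 of CORRECTED, while the web server stays reachable on 80/443 in both.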
