Because that which is not specifically allowed is denied.
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
Gordon Food Service
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Jason Witty <[EMAIL PROTECTED]> 6/21/00 9:03:23 AM >>>
>
>Tim,
>
>I personally haven't had much chance to play with 4.1, so I'm not exactly
>sure what has changed since 4.0. You are correct that ISAKMP/OAKLEY now
>equals IKE. But as far as why you have to explicitly allow that traffic
>even though it's not considered a "control connection", I am also
>baffled. I'll be at the Check Point OPSEC Conference in Chicago
>tomorrow and will ask about it.
>
>Jason
>
>[EMAIL PROTECTED] wrote:
>>
>> Forgot to mention that we do have "Accept Firewall-1 Control Connections"
>> unchecked but still don't quite get the 'IKE' bit...
>>
>> Tim Higgins
>>
>>
>> [EMAIL PROTECTED]
>> Sent by: [EMAIL PROTECTED]
>> To: Jason Witty <[EMAIL PROTECTED]>
>> cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
>> Subject: Re: [FW1] Secure Remote - required rules.
>> 21/06/00 13:24
>>
>> Hi
>>
>> Is this changed in 4.1(2000) ? - we just use the "Firewall" group which
>> includes ISAKMP - I believe that this is the IKE 'protocol' ?
>>
>> Tim Higgins
>>
>> Jason Witty <[EMAIL PROTECTED]>
>> Sent by: [EMAIL PROTECTED]
>> To: Jim Shaw <[EMAIL PROTECTED]>, [EMAIL PROTECTED], "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>> cc:
>> Subject: Re: [FW1] Secure Remote - required rules.
>> 21/06/00 11:45
>>
>> According to a few of my friends at Check Point, you must use an "Any FW IKE
>> ACCEPT" rule if you uncheck the "Accept Firewall-1 Control Connections"
>> box in the policy properties. Had that box been checked, you wouldn't need
>> an explicit rule to allow IKE\SecuRemote - but then you'd be allowing a lot
>> more... Hope this helps!
>>
>> Jason
>>
>> At 03:35 PM 6/21/00 +1200, Jim Shaw wrote:
>> >
>> >I have resolved a problem I had with SR but now find that unless the
>> >client can do a key exchange using IKE to the firewall it does not
>> >connect. The client sits saying "Exchanging Keys" and then errors out.
>> >
>> >I am using SR build 4157 - the most recent I think, talking to
>> >Checkpoint 2000. I am using IKE with VPN-1 username/password
>> >authentication.
>> >
>> >I downloaded the topology while on an internal network with a rule
>> >permitting some clients to connect directly to the firewall. No problem
>> >there. Dialing in from outside with the LAN card disabled I get a
>> >connection failed error with log entries in the FW log indicating that
>> >it is refusing IKE port connections because of my "Any, FW, Any Any
>> >Drop" rule.
>> >
>> >I have a rule preceding that that permits "SRUsers@Any, MyNet, Any,
>> >Client Encrypt" which is what I understand was all that is necessary to
>> >get SR clients working.
>> >
>> >It works if I add a rule that says "Any, Firewall, IKE, Accept". I don't
>> >like that but appear to have no option.
>> >
>> >Anyone got any ideas?
>> >Jim
>> >
>> >Ryan Finnesey wrote:
>> >>
>> >> Is this the same thing as Mail Proxy in Firewall 4.1. Because I am running
>> >> 4.0 soon to be 4.1 on a Sun box. I need something to take the mail from the
>> >> Internet and pass it to the Exchange Server that is on the LAN. What is the
>> >> best thing to use?
>> >>
>> >> Ryan V. Finnesey
>> >> Network Administrator
>> >> @tmosphere Interactive
>> >> 1375 Broadway, 11th floor
>> >> New York, NY 10018
>> >> 212 827 2507 phone
>> >> 212 827 2525 fax
>> >> [EMAIL PROTECTED]
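An added example, written for this page and not taken from any of the posters, that models the first-match rulebase behaviour the thread is arguing about: the object names (SRUsers, MyNet, FW, IKE) are the ones Jim and Jason use; the service names standing in for the implied "Accept Firewall-1 Control Connections" rules are assumed.

```python
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src: str      # source label: "Internet" for a not-yet-authenticated SR client
    dst: str      # "FW" (the gateway itself) or "MyNet" (the protected network)
    service: str  # "IKE" for the key exchange, otherwise the application service


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str   # "Accept", "Drop" or "Client Encrypt"


def _match(field: str, value: str) -> bool:
    return field == ANY or field == value


def evaluate(rulebase: list, pkt: Packet) -> str:
    """Return the action of the first rule that matches, else the implicit drop."""
    for rule in rulebase:
        if (_match(rule.src, pkt.src) and _match(rule.dst, pkt.dst)
                and _match(rule.service, pkt.service)):
            return rule.action
    return "Drop"  # nothing matched: FW-1 drops by default


# The explicit rules as Jim described them, in rulebase order.
CLIENT_ENCRYPT = Rule("SRUsers", "MyNet", ANY, "Client Encrypt")
STEALTH_DROP = Rule(ANY, "FW", ANY, "Drop")
IKE_ACCEPT = Rule(ANY, "FW", "IKE", "Accept")

# Constructed stand-in for the implied rules that "Accept Firewall-1 Control
# Connections" places ahead of the rulebase; the service names are assumed.
CONTROL_CONNECTIONS = [Rule(ANY, "FW", svc, "Accept")
                       for svc in ("IKE", "FW1_mgmt", "FW1_log")]

ORIGINAL = [CLIENT_ENCRYPT, STEALTH_DROP]                 # box unchecked, no IKE rule
WITH_IKE_RULE = [CLIENT_ENCRYPT, IKE_ACCEPT, STEALTH_DROP]  # Jim's workaround
WITH_IMPLIED = CONTROL_CONNECTIONS + ORIGINAL             # box checked instead

# SecuRemote's first packet is IKE to the gateway itself, from an address that
# is not yet known to be an SRUser, so only rules with destination FW can match.
IKE_FROM_CLIENT = Packet("Internet", "FW", "IKE")


def ike_result(rulebase: list) -> str:
    return evaluate(rulebase, IKE_FROM_CLIENT)
```

Running `ike_result` over the three rulebases shows the drop Jim saw in his log, the accept his extra rule produces, and that the implied rules also accept the other control services from Any, which is the "allowing a lot more" Jason warns about.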