Firewall-1 will not recognize the sub-interface at all. To prove this out,
create a dummy firewall object (purely to avoid accidentally making changes
to your production object) and use 'Get Interfaces'. It will display only
the physical interfaces.
Making manual changes to this list (defining a virtual interface manually or
renaming the interfaces to be different from the interface names reported by
the OS) could in fact cause you grief later with users not being asked for
authentication, connections through the security servers performing slowly
or not at all, policy installs failing or timing out, logs that do not show
the proper interface, NAT not working on outbound connections, external.if
file not working, and other OPSEC product problems.
Because FW-1 doesn't recognize the sub-interface (even if you do manually
define it in the firewall object's interface list), it doesn't perform
anti-spoofing inspection on it. This may be the issue on your system; if
you are doing anti-spoofing on the physical interface but have not told it
to allow the IP addresses received over the virtual interface, it will drop
all incoming virtual interface traffic.
Fix this by:
- Defining one network object for each subnet behind the interface (one for
each subnet behind the virtual interface, one for each subnet behind the
primary IP of the physical interface).
- Creating a network group with both (or all) of the network objects in it.
- Defining the interface's anti-spoofing entry using the network group.
See "Firewall-1 Architecture and Administration" manual, FAQ section,
article titled "Do Aliased (or Virtual) Interfaces Pose a Security Risk?"
(in v4.0 6/98 Edition it is on Chapter 14, pg 350).
Greg S.
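The anti-spoofing behaviour described in the reply above, modelled as an added example (this is not Check Point code and not part of the original thread). It assumes a constructed topology: the physical interface le0 sits on 192.0.2.0/24 and the alias le0:1 on 198.51.100.0/24 (both RFC 5737 documentation ranges). The "broken" table lists only the physical subnet as valid addresses for le0, so packets from the alias subnet are dropped; the "fixed" table is the network group holding both subnets. Packets attributed to `le0:1` are dropped in both cases, because the firewall only knows the OS-reported physical interface.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread):
#   le0   primary IP on 192.0.2.0/24
#   le0:1 alias IP on 198.51.100.0/24
# Both ranges are RFC 5737 documentation networks.


def build_antispoof_table(entries):
    """Map an OS-reported interface name to the networks allowed as source
    addresses on it, i.e. the 'valid addresses' of a FireWall-1 interface's
    anti-spoofing entry (modelled here; not the product's own data structure)."""
    return {iface: [ip_network(n) for n in nets] for iface, nets in entries.items()}


def antispoof_check(table, iface, src):
    """Return 'accept' if src falls inside one of iface's allowed networks,
    otherwise 'drop'. An interface the firewall never learned about (such as
    an alias like le0:1) has no entry, so everything on it is dropped."""
    addr = ip_address(src)
    if iface not in table:
        return "drop"
    return "accept" if any(addr in net for net in table[iface]) else "drop"


# Misconfigured: only the physical interface's own subnet is listed.
BROKEN = build_antispoof_table({"le0": ["192.0.2.0/24"]})

# Fixed: a group holding every subnet behind le0 (physical + alias).
FIXED = build_antispoof_table({"le0": ["192.0.2.0/24", "198.51.100.0/24"]})

# Constructed sample packets: (interface the packet arrived on, source IP).
SAMPLE_PACKETS = [
    ("le0", "192.0.2.10"),      # host behind the physical subnet
    ("le0", "198.51.100.10"),   # host behind the alias subnet
    ("le0", "203.0.113.5"),     # source from an unrelated network
]


def run(table):
    """Evaluate every sample packet against a table; returns verdicts."""
    return [(iface, src, antispoof_check(table, iface, src)) for iface, src in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, table in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label)
        for iface, src, verdict in run(table):
            print(f"  {iface:6} {src:16} {verdict}")
```

Running it shows the symptom from the thread under BROKEN (the alias subnet's traffic is dropped as spoofed) and the result of the group-based entry under FIXED, while a source from a network that is behind neither subnet stays dropped in both configurations.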
-----Original Message-----
From: Aaron Ornelas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 22, 2000 1:49 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Two Interfaces on the same nic
Importance: High
I have created a sub-interface in a SparcServer20 that is running Solaris
2.6.
Does anyone know how the Firewall recognizes the other interface, I mean
the IP address?
I have two ISPs and two routers.
The subinterface le0:1 has the IP of the other network, but the traffic
doesn't follow over there.
I can reach the sites, but the Firewall doesn't pass the traffic to my internal
network.
What do I have to do?
Thanks
Aaron Ornelas
____________________________________________________________________
Get your own FREE, personal Netscape WebMail account today at
http://webmail.netscape.com.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================