Hi, all

We have two CheckPoint Firewall-1 (4.0 SP5 with Solaris 2.6 on Ultra station 2) which
fail over to each other through StoneBeat v3.0 with NT 4.0. The way for internal PC users
with DHCP client enabled to access the Internet is through our proxy server, which sits in
our DMZ zone. So every hit from internal users to the proxy server has to pass
through our CheckPoint Firewall-1, and it works fine. Now I got a request from several
users that they need to test accessing a web server directly without the proxy server. In
the rule set, I appended a rule after the proxy server access rule:

    Source              Destination      Service    Action    Track      Install On
1.  internal_network    ProxyServers     http       accept    account    gateway
2.  test_users          test_web_site    http       accept    account    gateway

When the browsers of these DHCP client test users access that particular web server
directly on the Internet, I saw that the Firewall-1 log shows the connection is accepted
according to rule 2, but after a while the browsers say there is no response from the web
server, with the message "connect: contacting web server". The interesting thing
is that some of the test users' PCs have static IP addresses and their browsers do get a
response from the web server directly without the proxy server. As a test myself, I
changed my NT PC and my HP-UX workstation to DHCP clients and I couldn't access that web
server, but once I converted my NT PC and HP-UX workstation back to static IP
addresses I could access the web server directly without the proxy server, no problem. By
the way, all the DHCP clients access the Internet through the proxy server without problem.
Now I am thinking: do I need to change the order of the above two rules so that rule 2 is
examined first? But then why can the boxes with static IP addresses access the web
server with no problem under rule 2? Does anyone have any idea? Thanks in advance.

Ryan Jiang
Senior UNIX administrator
Liz Claiborne, Inc.

