I don't believe it's common to have non-routable addresses routed through an Internet connection (didn't think it was possible unless the external connection you are talking about is not the Internet, but instead a point-to-point link you own). Anyway, I've found success with Anti-Spoofing by defining my own groups that contain the networks related to each interface and applying those groups to the Anti-Spoofing properties for each firewall interface respectively. The routing table is key in defining the groups (you really shouldn't define the groups without going through each route). You can remove those Net-x.x.x.x networks that get auto-created.
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Robinson, Darrin
Sent: Monday, January 05, 2004 11:08 PM
To: [EMAIL PROTECTED]
Subject: Some q's about spoofing, user auth and VRRP

All,

Setting up Checkpoint NG AI R54 for the first time on two Nokia IPSO 350's running IPSO 3.7 Build 31 in VRRP HA.

Curious how others handle having private address ranges (i.e. 10.x.x.x for routers / switches etc.) outside the external interface (when anti-spoofing is turned on). I find that Checkpoint will drop my connection attempts to these routers/switches due to anti-spoofing. Is the only way around this to turn Anti-Spoofing off?

Also, having troubles setting up partial automatic client user authentication. I have configured a rule (above the stealth rule): '[EMAIL PROTECTED]' to 'any' for 'telnet, ftp and http'. The properties of the authentication rule are set to standard and partial authentication. The authentication works fine for telnet and ftp (i.e. it intercepts the connection and requests client authentication first) but for http I get no authentication dialog box, just a "page cannot be found". Sometimes I have also been getting http://10.x.x.x/fwauthredirect10.x.x.xid0000000720 in the address box and a "page cannot be found". If I use a user authentication rule instead then the authentication works fine for all of telnet, ftp and http. Any ideas?

One last question - when configuring VRRP is it necessary to select the tick box 'Cluster Interface' on the interface properties screen, for each interface involved in VRRP? When I do this I get warnings about "Interface x of cluster member y is marked as a shared cluster interface, however its IP address doesn't belong to any of the member networks of the cluster's interfaces". Is this tick box only for using Nokia IP Clustering (not VRRP)?
Thanks,
iX

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
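The reply's approach (derive each interface's Anti-Spoofing group from the routing table rather than from the auto-created Net-x.x.x.x objects) can be modelled as a small topology check. The following is an added example written for this thread, not code from the thread or from Check Point; the interface names, routes and addresses are constructed, and it goes slightly beyond the thread by using longest-prefix matching so that a private /24 reachable only via the external link is allowed there even when a wider 10.0.0.0/8 aggregate points inside, which is exactly the situation the original question describes.

```python
"""Build per-interface anti-spoofing groups from a routing table and
evaluate inbound packets against them.

Added example (not from the mailing-list thread, not Check Point code).
Interface names, routes and addresses are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network

# Constructed routing table: (destination, egress interface). The default
# route marks the external interface; its legitimate sources are "everything
# not claimed by another interface" (the 'Others' notion in the GUI).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth0"),        # default route -> external interface
    ("192.168.10.0/24", "eth1"),  # internal LAN
    ("192.168.20.0/24", "eth1"),  # second internal LAN behind a router
    ("10.0.0.0/8", "eth1"),       # internal aggregate for remote sites
    ("172.16.0.0/16", "eth2"),    # DMZ
    ("10.250.0.0/24", "eth0"),    # management range of routers beyond the external link
]


def build_groups(routes: List[Tuple[str, str]]) -> Tuple[Dict[str, List[Network]], str]:
    """Return ({interface: [networks]}, external_interface).

    Every route is walked, as the reply recommends, so the private range that
    is only reachable via the external link (10.250.0.0/24 here) lands in the
    external interface's group instead of being dropped as spoofed.
    """
    groups: Dict[str, List[Network]] = {}
    external: Optional[str] = None
    for dest, iface in routes:
        net = ipaddress.ip_network(dest)
        if net.prefixlen == 0:
            external = iface          # default route defines 'Others', not a network
            continue
        groups.setdefault(iface, []).append(net)
    if external is None:
        raise ValueError("routing table has no default route")
    groups.setdefault(external, [])
    return groups, external


def owning_interface(groups: Dict[str, List[Network]], addr: ipaddress.IPv4Address) -> Optional[str]:
    """Interface whose most specific (longest prefix) network contains addr, or None."""
    best_iface, best_len = None, -1
    for iface, nets in groups.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def is_spoofed(groups: Dict[str, List[Network]], external: str, iface: str, src: str) -> bool:
    """True when a packet with source `src` arriving on `iface` violates the topology."""
    addr = ipaddress.ip_address(src)
    owner = owning_interface(groups, addr)
    if owner is not None:
        return owner != iface         # address belongs to a specific interface's group
    return iface != external          # unclaimed address: only plausible from outside


def audit(groups, external, packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Evaluate (ingress_iface, src_ip) pairs; returns verdict rows for review."""
    return [(i, s, "DROP (spoofed)" if is_spoofed(groups, external, i, s) else "accept")
            for i, s in packets]


if __name__ == "__main__":
    grp, ext = build_groups(ROUTES)
    for name, nets in grp.items():
        print(f"{name}: {[str(n) for n in nets] or 'Others'}")
    sample = [("eth0", "10.250.0.5"), ("eth0", "10.1.2.3"),
              ("eth0", "192.168.10.7"), ("eth1", "8.8.8.8")]
    for row in audit(grp, ext, sample):
        print(row)
```

Running the script prints the derived groups and shows that 10.250.0.5 on eth0 is accepted because its /24 route points out the external interface, while 10.1.2.3 on eth0 is still dropped because the /8 aggregate routes inside. If a group were built only from the auto-created Net-x.x.x.x objects, the management /24 would be missing from eth0 and every connection to those routers would be logged as spoofed, which matches the symptom in the original question.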
