Thanks a lot, Lindsay, for your help.

This weekend I will try new changes. I don't like to use Secure Remote in the internal network, BUT the client wants this.

Thanks again.


From: Lindsay Hill <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] How I can edit secure remote topology ??
Date: Fri, 7 Oct 2005 07:11:14 +0100

Hmmm, I'm not sure you're going to be able to do what you want here. Although in theory you could add the external objects to your topology, you'll still have the problem that when your users are internal, their clients will think that they are inside the encryption domain -> no encryption required.

I would also think that your IP pool would need to be a range of public addresses.

Wonder if you'd get anywhere using hub mode?

One other thing - FW-1 might not like it that the encrypted traffic would be coming into the internal interface of the firewall - it would be expecting it to come into the external interface (the interface that has the IP address configured on the clients).

You might want to sit down and review what you're trying to do, and whether it's achievable with SecuRemote.

 - Lindsay


On 7 Oct 2005, at 00:38, Luiz H. Guimarães Filho wrote:

Hi Lino,

To connect between Firewalls, I use the VPN in FW (Branch to Branch), and it works fine.

I have trouble only with Secure Remote, connecting from the inside network to my firewall, trying to access an external host (on the Internet).

Thanks a lot.


From: Lino Eduardo Avila Rodríguez <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] How I can edit secure remote topology ??
Date: Thu, 6 Oct 2005 18:17:56 -0500

Do you mean that you want to allow those users to connect to another fw? Or
do you want to encrypt all the connections they make??



Lino E. Avila

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Luiz H. Guimarães Filho
Sent: Thursday, 06 October 2005 04:40 p.m.
To: [email protected]
Subject: Re: [FW-1] How I can edit secure remote topology ??

Thanks Lindsay. You are helping me a lot (more than Checkpoint support).

Let me tell you my problem. Outside guys (using Secure Remote) can access the internal network without any trouble.

BUT, some users MUST use Secure Remote in the internal network, to access external (Internet). My problem is with these users. These guys can connect to the FW using Secure Remote, BUT the traffic doesn't pass through the VPN tunnel (and is dropped in my last rule).

Do you know how I can solve this? I tried to put some external hosts in the VPN group used for Topology, but it doesn't work.

Thanks again for your BIG help!


>From: Lindsay Hill <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] How I can edit secure remote topology ??
>Date: Thu, 6 Oct 2005 22:13:35 +0100
>
>In that group, you want to put all the objects that represent the hosts
>that you want SecuRemote users to access. E.g. if your internal network
>has a range of networks like 10.0.1/24, 10.0.2/24, 10.0.3/24, then you
>would put all those networks into your topology group.
>
>That way, when SecuRemote looks at outgoing traffic, it can compare the
>destination with the contents of that group, and encrypt it if necessary.
>Any destinations not in that group will go out cleartext as normal.
>
>HTH,
>
>On 6 Oct 2005, at 22:00, Luiz H. Guimarães Filho wrote:
>
>>Thanks a lot Lindsay. I tried this, but it doesn't work. In this topology
>>group, must I put the source IP address or the destination? I think this can
>>be the trouble.
>>
>>Thanks a lot.
>>
>>
>>
>>>From: Lindsay Hill <[EMAIL PROTECTED]>
>>>Reply-To: Mailing list for discussion of Firewall-1
>>><[email protected]>
>>>To: [email protected]
>>>Subject: Re: [FW-1] How I can edit secure remote topology ??
>>>Date: Thu, 6 Oct 2005 21:48:20 +0100
>>>
>>>Create a group containing the topology you want, then on the topology
>>>tab of the firewall object, set topology to manual, and use that group.
>>>The default is to use all addresses behind the firewall based on the
>>>topology information, which may not be what you want.
>>>
>>>Install policy, then update the site from the client.
>>>
>>>  - Lindsay
>>>
>>>
>>>On 6 Oct 2005, at 21:36, Luiz H. Guimarães Filho wrote:
>>>
>>>
>>>>Hi guys,
>>>>
>>>>Does someone know how I can change (manually) the Secure Remote topology in
>>>>the fw manager server??
>>>>
>>>>Thanks for any help !!!
>>>>
>>>>_________________________________________________________________
>>>>MSN Messenger: install it for free and chat with your friends.
>>>>http://messenger.msn.com.br
>>>>
>>>>=================================================
>>>>To set vacation, Out-Of-Office, or away messages,
>>>>send an email to [EMAIL PROTECTED]
>>>>in the BODY of the email add:
>>>>set fw-1-mailinglist nomail
>>>>=================================================
>>>>To unsubscribe from this mailing list,
>>>>please see the instructions at
>>>>http://www.checkpoint.com/services/mailing.html
>>>>=================================================
>>>>If you have any questions on how to change your
>>>>subscription options, email
>>>>[EMAIL PROTECTED]
>>>>=================================================
>>>>
>>>>
>>>
>>>
>>
>>
>

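The encryption decision described in this thread, as an added example that is not part of the original messages and not Check Point code: a simplified model in which the client sends cleartext when it believes it is inside the encryption domain, and otherwise encrypts only traffic whose destination is in the topology group. The function names and the 198.51.100.x / 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress

# Topology group from the thread (10.0.1/24, 10.0.2/24, 10.0.3/24), in full CIDR form.
INTERNAL_TOPOLOGY = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def in_domain(addr, topology):
    """True if addr falls inside any network of the topology group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in topology)


def client_decision(client_ip, dest_ip, topology):
    """Simplified model (assumption) of the client-side choice described in the thread."""
    # A client that sees itself inside the encryption domain does not encrypt.
    if in_domain(client_ip, topology):
        return "cleartext: client inside encryption domain"
    # Otherwise the destination is compared with the topology group.
    if in_domain(dest_ip, topology):
        return "encrypt"
    return "cleartext: destination not in topology"


def run_scenarios():
    """Walk through the cases raised in the thread with constructed addresses."""
    remote_client = "198.51.100.20"   # constructed: user on the Internet
    internal_client = "10.0.1.50"     # constructed: user on the internal network
    internet_host = "203.0.113.80"    # constructed: external destination
    # The attempted fix: add the external hosts to the topology group.
    widened = INTERNAL_TOPOLOGY + ["203.0.113.0/24"]
    return {
        "remote -> internal": client_decision(
            remote_client, "10.0.2.15", INTERNAL_TOPOLOGY),
        "remote -> internet": client_decision(
            remote_client, internet_host, INTERNAL_TOPOLOGY),
        "internal -> internet": client_decision(
            internal_client, internet_host, INTERNAL_TOPOLOGY),
        "internal -> internet, widened topology": client_decision(
            internal_client, internet_host, widened),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

In this model the last scenario stays cleartext even after the external network is added to the group, which matches the behaviour reported in the thread: the traffic leaves the tunnel and reaches the rule base unencrypted.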