In most P-1 deployments I deal with there is no NAT for the CMA's. I would have to say don't NAT if possible. No SIC, fetch, push or logging issues. There is a problem with NGX and natting the manager in a standard distributed environment, haven't tested this with P-1. I have posted this to the group before and also opened a case with CP on it several months back and have still not found a good resolution for it. When the manager is statically natted behind a CP FW you will loose logging from the local FW, dumps show the logs on the local FW trying to go to the natted IP. Using the object.DLL gui replacement CP has provided (so you can select use local definitions for log servers and it stay selected) has not worked reliably. The work around I am currently using is defining an object as a log server with the internal IP of the manager and use it as the defined log server. The option for FW-1 control connections under NAT was introduced for the opposite problem with getting logs back from remotely managed FW's, up through FP-3 remote FW's would send logs to the IP listed under general props. Several work arounds exist for this too, one was to define a log server with the public IP and use it on the remote FW's. Looks like a complete 180 turn with NGX, OK maybe a 179 1/2.
-GS -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng Sent: Friday, March 03, 2006 8:24 AM To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM Subject: [FW-1] NGx Provider-1 deployment question This question is for gurus in this forum. I need advice on Provider-1 NGx deployment. We are looking at deploying Provider-1 NGx R60A or R61 to manage about 500 Enforcement Modules over the Internet for 250 customers (H/A solution). The enforcement modules will be a mixture of Nokia and SPLAT. We're looking at running Provider-1 NGx on Intel hardware (8 CPUs and 64GB of RAM but that will be determined later). Since we will be managing customers firewall over the Internet, does it make sense to assign public IP addresses to provider-1 as well as the CMAs themselves instead of assigning private IP addresses to the Provider-1 and CMAs and then make them available via static NAT. My reason for assigning public IPs to Provider-1 and CMAs is as follows: 1) Starting with NG with AI R55, under the "NAT" feature of the CMA, one can check the box and specify the CMA is behind a firewall and tell it to accept firewall control connection. However, this method only applies if the firewall in front of the provider-1 and CMAs is a "checkpoint" firewall. If the firewall protecting Provider-1 and CMAs is a Cisco Pix or Netscreen, this method will not work. I know this because I got burned before with Provider-1 & CMAs deployment that was protected by a Cisco Pix firewall. Static NAT will not work if the firewall protecting Provider-1 is anything but a checkpoint firewall. 2) Even if Provider-1 & the CMAs are protected by the Checkpoint firewall, due to the nature of SIC and used of certificated, I was told by checkpoint (back in 2004) that there are still limitations to static NAT the CMAs. For example, you can push the policy from the CMA to the enforcement module; however, you can not "fetch" the policy on the Nokia or SPLAT enforcement modules because the CMA has private IP and it is being NATed by the checkpoint firewall, "fetch" from the enforcement module will not work. Is this still true in NGx in 2006? 3) By assignning public IPs to Provider-1 and CMAs, I can place a firewall from any vendors in front of provider-1 and CMAs to protect them. I can go with Checkpoint, Cisco Pix or Netscreen. The Enforcement modules will see the CMAs with the actuall public IP addresses, not the NAT address. The firewall in front of Provider-1 will NOT be doing any address translation. Therefore, I will not have the SIC and certificate issues. The reason I like to go with either Cisco Pix or Netscreen to protect the Provider-1 & CMAs is because the performance on these firewalls are excellent. I also know that I am trading performance for stateful inspection but that is something I can tolerate. 4) As long as the firewall in front of Provider-1 and CMAs has a strong security policy, I should not have any issues exposing to hackers on the Internet. The firewall in front of Provider-1 and CMAs will be doing routing and inspecting NOT packet manipulation (i.e. static NAT). Therefore, my SIC and certificate are solved. Those are my reasons for assigning public IPs addresses to Provider-1 & CMAs. Are there any advantages of assigning private IP addresses to Provider-1 & CMAs and static NAT them to manage remote Enforcement Modules? Your comments are very appreciated. TIA cisco4ng __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================