No, it hasn't changed. Check the "Accept VPN-1...
Connections" in the policy properties and then
view implied rules - there it be.
Depending on your security model/policy, you may
want to turn off the above check box and specify
exactly what you want to pass/drop/reject. The
'Firewall1' group turns them all on, but depending
on how your rule(s) is/are set up, may actually allow
more than the policy properties do.
In other words, notice how the implied rules are
set up vs. your rule(s) for the same thing and then
think about what is actually being
allowed/dropped/rejected.
OK, that was the long-winded version; just be careful
and think when/how you use these.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
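To make the comparison above concrete, here is a small first-match model of a FireWall-1 style rulebase. It is an added example, not part of Robert's or anyone else's post, and not Check Point's own code. It assumes the implied control-connection rule is evaluated before the explicit rulebase (the "First" position), and the contents of the control-connection service group below are an illustrative assumption; read the real list from View > Implied Rules on your own management station. It compares what an untrusted source can reach on the gateway itself when the check box is on versus when it is off and only an explicit "Any, Firewall, IKE, Accept" rule sits in front of the stealth rule.

```python
# Added example (not from the thread, not Check Point code): first-match model
# of a FireWall-1 style rulebase, used to compare the gateway's exposed
# services under implied control connections vs an explicit IKE rule.
from __future__ import annotations
from dataclasses import dataclass


ANY = "Any"


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int


@dataclass(frozen=True)
class Packet:
    src: str    # name of the network object the source resolves to
    dst: str
    proto: str
    port: int


IKE = Service("IKE", "udp", 500)          # ISAKMP; what SecuRemote needs
FW1 = Service("FW1", "tcp", 256)
FW1_LOG = Service("FW1_log", "tcp", 257)
FW1_MGMT = Service("FW1_mgmt", "tcp", 258)
RDP = Service("RDP", "udp", 259)          # Check Point's Reliable Datagram Protocol
SSH = Service("ssh", "tcp", 22)           # not a control connection; used as a probe

# ASSUMPTION for illustration only: membership of the control-connection group.
CONTROL_CONNECTIONS = frozenset({IKE, FW1, FW1_LOG, FW1_MGMT, RDP})


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # object name or ANY
    dst: str                    # object name or ANY
    services: object            # frozenset[Service] or ANY
    action: str                 # "accept", "drop" or "encrypt"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != ANY and rule.src != pkt.src:
        return False
    if rule.dst != ANY and rule.dst != pkt.dst:
        return False
    if rule.services == ANY:
        return True
    return any(s.proto == pkt.proto and s.port == pkt.port for s in rule.services)


def decide(rulebase: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First match wins; no match at all is the implicit cleanup drop."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-drop"


def build_rulebase(control_connections: bool, explicit_ike: bool) -> list[Rule]:
    """Jim's rulebase from the thread, with the two knobs under discussion."""
    rules: list[Rule] = []
    if control_connections:
        # ASSUMPTION: implied rules land in front of the explicit rulebase.
        rules.append(Rule("implied-control", ANY, "Firewall", CONTROL_CONNECTIONS, "accept"))
    rules.append(Rule("sr-client-encrypt", "SRUsers@Any", "MyNet", ANY, "encrypt"))
    if explicit_ike:
        rules.append(Rule("allow-ike", ANY, "Firewall", frozenset({IKE}), "accept"))
    rules.append(Rule("stealth", ANY, "Firewall", ANY, "drop"))
    return rules


PROBES = (IKE, FW1, FW1_LOG, FW1_MGMT, RDP, SSH)


def reachable_on_gateway(rulebase: list[Rule], probes=PROBES) -> set[str]:
    """Names of the probe services the gateway accepts from an untrusted source."""
    accepted = set()
    for svc in probes:
        action, _ = decide(rulebase, Packet("Internet", "Firewall", svc.proto, svc.port))
        if action == "accept":
            accepted.add(svc.name)
    return accepted


if __name__ == "__main__":
    implied = build_rulebase(control_connections=True, explicit_ike=False)
    explicit = build_rulebase(control_connections=False, explicit_ike=True)
    print("check box on, no IKE rule :", sorted(reachable_on_gateway(implied)))
    print("check box off, IKE rule   :", sorted(reachable_on_gateway(explicit)))
```

With both knobs off, the IKE probe falls through to the stealth rule, which is the "refusing IKE port connections" log entry Jim describes; turning the check box on fixes that but also opens every other member of the group on the gateway, which is the trade-off Robert and Jason are pointing at.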
>>> <[EMAIL PROTECTED]> 6/21/00 9:24:06 AM >>>
>
>Hi
>
>Is this changed in 4.1 (2000)? We just use the "Firewall" group, which
>includes ISAKMP. I believe that this is the IKE 'protocol'?
>
>Tim Higgins
>
>
> Jason Witty <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED] kpoint.com
> 21/06/00 11:45
> To: Jim Shaw <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: Re: [FW1] Secure Remote - required rules.
>
>
>According to a few of my friends at Check Point, you must use an "Any, FW, IKE,
>ACCEPT" rule if you uncheck the "Accept Firewall-1 Control Connections"
>box in the policy properties. Had that box been checked, you wouldn't need
>an explicit rule to allow IKE/SecuRemote - but then you'd be allowing a lot
>more... Hope this helps!
>
>Jason
>
>
>At 03:35 PM 6/21/00 +1200, Jim Shaw wrote:
>>
>>I have resolved a problem I had with SR but now find that unless the
>>client can do a key exchange using IKE to the firewall it does not
>>connect. The client sits saying "Exchanging Keys" and then errors out.
>>
>>I am using SR build 4157 - the most recent I think, talking to
>>Checkpoint 2000. I am using IKE with VPN-1 username/password
>>authentication.
>>
>>I downloaded the topology while on an internal network with a rule
>>permitting some clients to connect directly to the firewall. No problem
>>there. Dialing in from outside with the LAN card disabled I get a
>>connection failed error with log entries in the FW log indicating that
>>it is refusing IKE port connections because of my "Any, FW, Any Any
>>Drop" rule.
>>
>>I have a rule preceding that that permits "SRUsers@Any, MyNet, Any,
>>Client Encrypt" which is what I understand was all that is necessary to
>>get SR clients working.
>>
>>It works if I add a rule that says "Any, Firewall, IKE, Accept". I don't
>>like that but appear to have no option.
>>
>>Anyone got any ideas?
>>Jim
>>
>>Ryan Finnesey wrote:
>>>
>>> Is this the same thing as Mail Proxy in Firewall 4.1? Because I am
>>> running 4.0, soon to be 4.1, on a Sun box. I need something to take the
>>> mail from the Internet and pass it to the Exchange Server that is on the
>>> LAN. What is the best thing to use?
>>>
>>> Ryan V. Finnesey
>>> Network Administrator
>>> @tmosphere Interactive
>>> 1375 Broadway, 11th floor
>>> New York, NY 10018
>>> 212 827 2507 phone
>>> 212 827 2525 fax
>>> [EMAIL PROTECTED]
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================