Re: [FW1] Install on ..

Wed, 26 Sep 2001 20:51:31 -0700 


Mohamed,
    No worries, mate.  Here goes:
    If you look into the Policy->Properties menu on the toolbar, you will see an 
enforce on interface direction option.  This allows you to set a particular behavior 
as a global policy, that is,


External-net->fw-IF->Inbound-Check->Route-Nat->outbound-Check->internal-net  (internal 
and external are relative to the source of transmission)

So, Eitherbound uses both policy checks, validating that even users on the firewall 
box will have the relevant policy applied
      Inbound prevents hacks to the firewall by checking packets before they arrive at 
the IP stack
      Outbound only checks packets after they have passed routing.

These options were instituted in the days of low processor capability, but because of 
large enterprise customers who had learned to deal with behavior of NAT with regard to 
these rules, check point apparently left them in.

Now to your question:
If you manually specify and install-on target such as "ClusterobjectA", the rules will 
automatically be enforced Eitherbound
If you specify Destination, this will have policy enforced on the inbound direction, 
and Source will refer to the outbound.

You can contact me in a private email should you desire more clarification.

Cheers,
CT

Mohamed Maraikayar wrote:

> this may be an elementary question,but i am helpless now.In checkpoint rule 
>base,What is the difference between Install on source,destination or routers or 
>gateways? i read the secadmin pdf of checkpoint, but coudlnt understand the 
>differnce.i have ,by default choose install on gateways.but if we give install on 
>source,all outbound connections from that source is checked.the prime objective is 
>also achieved when we give install on gateways.could anyone clear me with simple 
>words ?
> thanks
> mohamed.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to