Thanks a lot. To conclude, I can achieve all my objectives if I choose eitherbound and
apply on gateways. I specify rule base for each and every traffic, I think I can
achieve maximum security. For instance, if I need to check only outbound, then I apply the
policy on source. Thanks for clarifying me.
mohamed.
On Thu, 27 Sep 2001 CryptoTech wrote:
> Mohamed,
> No worries, mate. Here goes:
> If you look into the Policy->Properties menu on the toolbar, you
> will see an enforce on interface direction option. This allows you to
> set a particular behavior as a global policy, that is,
>
> External-net->fw-IF->Inbound-Check->Route-Nat->outbound-Check->internal-net
> (internal and external are relative to the source of transmission)
>
> So, Eitherbound uses both policy checks, validating that even users on
> the firewall box will have the relevant policy applied.
> Inbound prevents hacks to the firewall by checking packets before
> they arrive at the IP stack.
> Outbound only checks packets after they have passed routing.
>
> These options were instituted in the days of low processor capability,
> but because of large enterprise customers who had learned to deal with
> behavior of NAT with regard to these rules, Check Point apparently left
> them in.
>
> Now to your question:
> If you manually specify an install-on target such as "ClusterobjectA",
> the rules will automatically be enforced Eitherbound.
> If you specify Destination, this will have policy enforced on the
> inbound direction, and Source will refer to the outbound.
>
> You can contact me in a private email should you desire more
> clarification.
>
> Cheers,
> CT
>
> Mohamed Maraikayar wrote:
>
> > This may be an elementary question, but I am helpless now. In Checkpoint
> > rule base, what is the difference between install on source, destination
> > or routers or gateways? I read the secadmin PDF of Checkpoint, but
> > couldn't understand the install on gateways. But if we give install on
> > source, all outbound connections from that source are checked. The prime
> > objective is also achieved when we give install on gateways. Could anyone
> > clear me with simple words?
> > thanks
> > mohamed.
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================