Wish to reopen a thread for anyone working on OPSEC with ISS Network Sensor and Checkpoint Firewall NG FP3. Has anyone experimented enough to change the sam_server auth_port to 0 to see if clear text is allowed? Otherwise, for all those out there who claim that they did manage to get an NG firewall working COMPLETELY with ISS Network Sensor 6.5... even though your acclaimed source of expertise is a document drawn upon a Checkpoint Firewall 4.1 configuration... please enlighten the user forum on what exactly the fwopsec.conf file looks like on the firewall module, as well as the contents of the fwopsec.conf file on the firewall management server, and, if it is not too much trouble, please attach a few fw logs that show evidence of an actual FW_SAM command working. This does not mean a green FW_SAM log entry that shows the connection taking place; that occurs pretty much every 1-2 minutes for quite some time. What we really wish to see is this:

Based upon a pre-configured event where ISS sends an OPSEC command over to the firewall module or the firewall management server, the fw log will show a green FW_SAM connection. With the OPSEC command specifying at least a 1 minute inhibit, reproduce the event; if OPSEC is working correctly, the fw logs should now show red rejects for this particular event or host.

I am mostly curious how many people claim emphatically that they have managed to get this OPSEC functionality working on an NG firewall using the OFFICIAL document from "Agapitos Chrysochoos" that is specifically targeted toward a 4.1 Checkpoint Firewall. More specifically, if you are not just basing the "yes it is working" upon seeing green FW_SAM connections from either the management server to the firewall module or from the ISS Network Sensor to the firewall module, but can show logs evidencing subsequent "rejects" as a result of the FW_SAM command actually being issued, then please share your configuration files and findings with the user forum.

Why force everyone to resort to Checkpoint or ISS user support when they do NOT have the answer? Anyone out there support this proposal? And for those who "claim" they have OPSEC working between an NG firewall and a 6.5 Network Sensor: could they provide the contents of the fwopsec.conf files as well as logs proving that the FW_SAM commands (inhibit, or inhibit and close, etc.) were actually issued?

It is my belief that far too many people are eschewing providing answers and solutions for this particular topic. For those who state they have this working but refuse to provide any answers or proof, there is an air of skepticism about the authenticity of their claims. If you have OPSEC working between NG and 6.5 NS... PROVE IT!!
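The test the post asks for (a green FW_SAM control connection followed by red rejects for the inhibited host inside the inhibit window) can be checked mechanically over an exported log. The script below is an added example and is not code from the original post, from Check Point or from ISS. It assumes a constructed, simplified key=value line layout and the assumed labels FW1_sam, accept, reject and drop; real fw logexport output uses different field names and separators, so parse_line() and the two constants at the top must be adapted to the actual export. The sample log lines are constructed for the example.

```python
"""Check fw log lines for evidence that an OPSEC SAM inhibit actually took effect.

Added example, not code from the original post. The log format is a constructed,
simplified 'key=value key=value ...' layout; adapt parse_line() to your real export.
"""
from datetime import datetime, timedelta

SAM_SERVICE = "FW1_sam"             # assumed label of the SAM control connection in the export
BLOCK_ACTIONS = {"reject", "drop"}  # assumed actions that count as the 'red' entries


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict, converting the 'time' field to a datetime."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S")
    return rec


def sam_inhibit_evidence(lines, host, inhibit_seconds=60):
    """Decide whether the log proves that `host` was inhibited by a SAM command.

    proven is True only when, after the first accepted FW_SAM control connection,
    every attempt from `host` inside the inhibit window is rejected/dropped and none
    is accepted. A log that only shows green FW_SAM connections is not proof.
    """
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["time"])
    sam_times = [r["time"] for r in records
                 if r.get("service") == SAM_SERVICE and r.get("action") == "accept"]
    if not sam_times:
        return {"proven": False, "reason": "no FW_SAM control connection logged",
                "accepted": 0, "blocked": 0}

    t0 = sam_times[0]                       # first green FW_SAM connection
    window_end = t0 + timedelta(seconds=inhibit_seconds)
    accepted = blocked = 0
    for r in records:
        # Only traffic from the inhibited host, excluding the SAM control channel itself
        if r.get("src") != host or r.get("service") == SAM_SERVICE:
            continue
        if not (t0 <= r["time"] <= window_end):
            continue
        if r.get("action") == "accept":
            accepted += 1
        elif r.get("action") in BLOCK_ACTIONS:
            blocked += 1

    if blocked and not accepted:
        reason = "host traffic blocked inside the inhibit window"
    elif not blocked and not accepted:
        reason = "no traffic from host after FW_SAM; reproduce the event and re-check"
    else:
        reason = "host traffic still accepted after FW_SAM; SAM command not effective"
    return {"proven": bool(blocked and not accepted), "reason": reason,
            "accepted": accepted, "blocked": blocked}


# Constructed sample logs (not real fw output). The 10:00:00 accept predates the
# SAM connection and must not count against the verdict.
PROVEN_LOG = """
time=2003-03-10T10:00:00 action=accept src=10.1.1.5 dst=192.0.2.10 service=http
time=2003-03-10T10:00:03 action=accept src=10.1.1.20 dst=192.0.2.1 service=FW1_sam
time=2003-03-10T10:00:15 action=reject src=10.1.1.5 dst=192.0.2.10 service=http
time=2003-03-10T10:00:40 action=reject src=10.1.1.5 dst=192.0.2.10 service=http
""".strip().splitlines()

# The situation the post complains about: green FW_SAM connections every minute or
# two, but the triggering host is still accepted afterwards.
GREEN_ONLY_LOG = """
time=2003-03-10T10:00:03 action=accept src=10.1.1.20 dst=192.0.2.1 service=FW1_sam
time=2003-03-10T10:00:15 action=accept src=10.1.1.5 dst=192.0.2.10 service=http
time=2003-03-10T10:01:30 action=accept src=10.1.1.20 dst=192.0.2.1 service=FW1_sam
""".strip().splitlines()


if __name__ == "__main__":
    for name, log in (("proven", PROVEN_LOG), ("green-only", GREEN_ONLY_LOG)):
        print(name, sam_inhibit_evidence(log, "10.1.1.5"))
```

The verdict deliberately requires both a block and the absence of any accept inside the window: a single red entry next to continuing green accepts from the same host would mean the SAM rule was applied only partially, which is exactly the kind of "it works" claim the post wants ruled out.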
