Re: [FW-1] Office Mode SecureClient
A belated follow-up. I'm wrestling with a similar problem which I believe is due to my firewall object having the internal address. My license is keyed to the external correctly, however. If I simply change the address in the object, do I expect the whole firewall to come crashing down? Rules to fail? Clients to disconnect? Ancient evils to rise from their watery slumber? Or should everything simply be ducky?

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Tuesday, October 11, 2005 7:12 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Office Mode SecureClient

Does your firewall object have the external IP or the internal IP? It has to be the external IP. If it works with hub mode, that tells me it's a routing issue. SecureClient doesn't know how to find the policy server until it's already inside the firewall.

Ray

From: cp user [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Office Mode SecureClient
Date: Tue, 11 Oct 2005 11:45:06 +0200

May anyone please give me the steps to configure Office Mode IP POOL on SecureClient R55? I tried to follow the steps described in the VPN-1 guide but I still have problems (my SecureClient cannot communicate with the policy server)!

My architecture consists of the following:
- some hosts on the LAN
- a SmartCenter server that lies on the LAN
- a VPN-1 Pro gateway that has two interfaces: an external one and a local one (connected to the LAN)
- a remote access client (the SecureClient) whose default gateway is set to the VPN-1 Pro gateway

I actually have no router. As David suggested, my VPN domain is actually a Group with Exclusions. It is the LAN except the Office Mode IP POOL subnetwork addresses. I noticed that the tunnel test succeeds when I activate both Office Mode and Hub mode. But the tunnel test fails when I only activate Office Mode. Communication with the policy server always fails.

Kind regards

--- David S. Barker [EMAIL PROTECTED] wrote:

I've been reading this thread and now I'm confused. Not on how this is supposed to work but on how the terminology is being used; it seems like POOL is being used to describe the encryption domain. When someone says POOL in reference to Check Point I'm thinking one of two things, IP POOL NAT or OFFICE MODE IP POOL.

In the case of IP POOL NAT, these can be used for Gateway to Gateway or for Remote Access. These are allowed as a global property (NAT) and then assigned on gateways; encrypted connections are translated to these IP addresses to help eliminate asynchronous routing.

The only other mention of POOL has to do with Office Mode IP POOL. Now, with Office Mode it is important that these networks are NOT part of your Remote Access encryption domain. These addresses are assigned to your clients on the client side, so think of them as the Remote encryption domain. Also, if you want to use a subset of your existing internal address space for your Office Mode addresses then you need to also make sure that the topology for all of the internal interfaces does NOT include these networks. You can do this by using Groups with Exclusions. The exclusions will be the Office Mode networks.

Finally, you'll have to make sure that if you use any generalized route like 10/8 that points to a router inside, and your Office Mode network is 10.10.10.0/24, you specifically add a route on your gateways so that 10.10.10.0/24 does not point to the inside router. It doesn't really matter where you point the route as long as it's being reflected externally; in general I point this to the default gateway. As a general practice I use different Office Mode networks from my local networks/encryption domain networks so that I don't have to do this. With larger networks I had to use the Group with Exclusions frequently.

Also note if you're using both Office Mode and IP POOL NAT, by default the Office Mode addresses will be NATted to the IP POOL NAT addresses too. You can prevent this by creating a No NAT rule for the Office Mode network, or by setting the om_prevent_ippool_nat_for_users property to true in the objects_5_0.C on the management server.

Compuquip TECHNOLOGIES
Providing Solutions Since 1980
David Barker
Senior Security Engineer
Internet Security Division
Phone: 305.436.7272 X 1364
Fax: 305.436.9149
email: [EMAIL PROTECTED]

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cp user
Sent: Saturday, October 08, 2005 5:46 PM
To:
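The three checks David describes (carve the Office Mode pool out of the internal networks with a Group with Exclusions, make sure the pool no longer overlaps the encryption domain, and make sure a summary route such as 10/8 to an inside router does not swallow the pool) can be verified mechanically before a policy push. The script below is an added example written for this page; it is not Check Point code and not part of the thread. Only the 10.0.0.0/8 summary and the 10.10.10.0/24 pool come from David's message; the next-hop addresses and the routing table are constructed for illustration.

```python
"""Office Mode pool vs. encryption domain vs. routing table.

Added example, not from the original thread and not Check Point code.
It models the three checks David Barker describes:
  1. a "Group with Exclusions" (internal nets minus the Office Mode pool),
  2. that the pool does not overlap the resulting encryption domain,
  3. that a summary route (10/8 to the inside router) does not swallow the
     pool, i.e. a more specific route for the pool points elsewhere.
Only 10.0.0.0/8 and 10.10.10.0/24 come from the thread; next-hop addresses
and the routing table below are constructed for illustration.
"""
from ipaddress import ip_network


def effective_domain(members, exclusions):
    """Return the prefixes of `members` minus `exclusions`, as strings,
    the way a Group with Exclusions resolves."""
    remaining = [ip_network(m) for m in members]
    for exc in (ip_network(e) for e in exclusions):
        kept = []
        for net in remaining:
            if exc.subnet_of(net):
                # carve the exclusion out; address_exclude yields the pieces
                kept.extend(net.address_exclude(exc))
            elif net.subnet_of(exc):
                continue  # the whole member lies inside the exclusion
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(remaining)]


def pool_overlaps_domain(pool, domain):
    """Domain prefixes that overlap the Office Mode pool. Non-empty means
    Office Mode clients would sit inside the remote-access encryption
    domain, which David says must not happen."""
    p = ip_network(pool)
    return [d for d in domain if ip_network(d).overlaps(p)]


def route_for(dest, routes):
    """Longest-prefix match over a {prefix: next_hop} table; returns
    (prefix, next_hop) or None."""
    d = ip_network(dest)
    best = None
    for prefix, next_hop in routes.items():
        p = ip_network(prefix)
        if d.subnet_of(p) and (best is None or p.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, next_hop)
    return best


def pool_route_ok(pool, routes, inside_router):
    """True if the pool is NOT routed to the inside router, i.e. a more
    specific route exists and points somewhere else (David points it at
    the default gateway)."""
    match = route_for(pool, routes)
    return match is not None and match[1] != inside_router


if __name__ == "__main__":
    office_mode = "10.10.10.0/24"
    lan = ["10.0.0.0/8"]

    print("overlap with naive domain:", pool_overlaps_domain(office_mode, lan))
    domain = effective_domain(lan, [office_mode])
    print("domain after exclusion has", len(domain), "prefixes; overlap:",
          pool_overlaps_domain(office_mode, domain))

    # constructed routing table: default to the ISP, 10/8 to an inside router
    routes = {"0.0.0.0/0": "203.0.113.1", "10.0.0.0/8": "10.1.1.2"}
    print("pool route ok before fix:", pool_route_ok(office_mode, routes, "10.1.1.2"))
    routes[office_mode] = "203.0.113.1"  # the specific route David recommends
    print("pool route ok after fix:", pool_route_ok(office_mode, routes, "10.1.1.2"))
```

Excluding a /24 from a /8 leaves sixteen prefixes (one sibling per bit from /9 down to /24), which is why David says he had to reach for Groups with Exclusions often on larger networks and prefers a pool that is not a subset of the internal space at all.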
Re: [FW-1] Office Mode SecureClient
I thought I'd follow myself up since I've had a couple of responses OOB. The address cut over without a single problem. Everyone stayed connected, nothing crashed. An ancient evil did rise from the watery deep but I gave it some coconut shrimp and it was cool.

--
be - MOS
Innovation is hard to schedule. --Dan Fylstra

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of East, Bill
Sent: Thursday, November 03, 2005 3:46 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Office Mode SecureClient
[FW-1] ClusterXL sync not happening
Replaced our previous firewall with a pair of IBM 3650s running SPLAT. The management console is installed on a third Windows server inside the network. I'm 95% happy with the install, failover even works, but state synchronization does not.

The configuration is one external interface on each, plus one internal interface set in the cluster object as Cluster + 1st sync. After some reading I made sure that the sync type was multicast and added a rule to allow TCP FIBMGR traffic from the three hosts to each other (SRC: fw1, fw2, mgmt; DST: fw1, fw2, mgmt; SVC: FIBMGR). I see in the logs that this rule is being hit.

cphaprob state shows:

Cluster Mode: New High Availability (Active Up)
Number     Unique Address  Assigned Load  State
1          200.1.1.22      100%           Active
2 (local)  200.1.1.23      0%             Down

One funny thing, if I look at the logs I'll see

Action: Drop  SVC: FW1  SRC: [NAT address for internal net]  DST: [firewall internal address]  Message info: Address spoofing.

and also

Action: Drop  SVC: FIBMGR  SRC: [NAT address for internal net]  DST: [firewall internal address]  Message info: Address spoofing.

Could it be trying to send the information over the external, non-sync interface? Please let me know what other information might be useful. This is my first clustering attempt so my ignorance is even less bounded than usual.

This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail or call 215-931-0300 / 800-228-8801 and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation.

Scanned by Check Point Total Security Gateway.
= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail = To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html = If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =
Re: [FW-1] ClusterXL sync not happening
1) Interface by interface, it does not seem to make a difference.
2) Ran out of Ethernet ports. I may have to rectify this.

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Eugeniu Patrascu
Sent: Tuesday, September 16, 2008 12:40 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL sync not happening

East, Bill wrote:
Could it be trying to send the information over the external, non-sync interface?

First make sure your antispoofing settings are ok. One quick way to do this is to disable antispoofing completely and then enable it on an interface by interface basis.

Second: is there a valid reason why you did not use another ethernet port on the firewall as a dedicated SYNC?
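Eugeniu's first suggestion is to check the anti-spoofing settings, and the two drops Bill quoted are the symptom anti-spoofing produces when a source address arrives on an interface whose topology does not contain it. The script below, an added example written for this page rather than Check Point code or anything from the thread, models that decision and runs it over constructed log lines. The topology, the addresses (198.51.100.7 stands in for the NAT address of the internal net) and the "Interface" field in the log lines are all assumptions; the thread gives only the shape of the drop.

```python
"""Anti-spoofing decision from interface topology.

Added example, not from the original thread and not Check Point code. A
packet is accepted on an interface only if its source belongs to the
networks defined behind that interface; the external interface accepts
anything that is NOT behind an internal one. Topology, addresses and log
lines below are constructed; the thread only shows a source equal to the
NAT address of the internal net hitting the firewall's internal address
and being logged as "Address spoofing".
"""
from ipaddress import ip_address, ip_network
import re

# Constructed topology (assumed): one internal interface with an RFC 1918
# net, one external interface. 198.51.100.7 plays the public NAT address.
TOPOLOGY = {
    "eth0": ["10.0.0.0/8"],
    "eth1": "external",
}


def is_spoofed(iface, src, topology=TOPOLOGY):
    """True if `src` must not arrive on `iface` under `topology`."""
    src = ip_address(src)
    internal = {i: [ip_network(n) for n in nets]
                for i, nets in topology.items() if nets != "external"}
    if iface in internal:
        return not any(src in n for n in internal[iface])
    # external side: only addresses claimed by an internal interface are spoofed
    return any(src in n for nets in internal.values() for n in nets)


# Constructed log lines, loosely modelled on the fields Bill quoted. The
# "Interface" field is an assumption added so the check has an ingress side.
SAMPLE_LOGS = [
    "Interface: eth0 Action: Drop SVC: FW1 SRC: 198.51.100.7 DST: 10.0.0.1 Message info: Address spoofing",
    "Interface: eth0 Action: Drop SVC: FIBMGR SRC: 198.51.100.7 DST: 10.0.0.1 Message info: Address spoofing",
    "Interface: eth0 Action: Accept SVC: FIBMGR SRC: 10.0.0.2 DST: 10.0.0.1",
    "Interface: eth1 Action: Drop SVC: FW1 SRC: 10.0.0.2 DST: 203.0.113.10 Message info: Address spoofing",
]

FIELD = re.compile(r"(Interface|Action|SVC|SRC|DST): (\S+)")


def parse_log(line):
    """Pull the key: value fields we need out of one constructed log line."""
    return dict(FIELD.findall(line))


def classify(lines, topology=TOPOLOGY):
    """For each line return (iface, src, spoofed_by_topology), so the
    gateway's verdict can be compared with what the topology predicts."""
    out = []
    for line in lines:
        f = parse_log(line)
        out.append((f["Interface"], f["SRC"], is_spoofed(f["Interface"], f["SRC"], topology)))
    return out


if __name__ == "__main__":
    for iface, src, spoofed in classify(SAMPLE_LOGS):
        print(f"{iface:5} {src:15} spoofed={spoofed}")
    # If that source really can appear on eth0, the topology has to say so;
    # otherwise every packet from it is dropped before any rule is consulted.
    fixed = {"eth0": ["10.0.0.0/8", "198.51.100.7/32"], "eth1": "external"}
    print("after extending eth0 topology:", is_spoofed("eth0", "198.51.100.7", fixed))
```

The useful property of running the check offline is that it separates the two questions in Bill's post: whether the drops come from a topology that does not match what actually arrives on the interface, and whether sync traffic is taking the wrong interface at all. Anti-spoofing runs before the rule base, so the FIBMGR rule Bill added cannot help with a packet that fails the topology check.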
Re: [FW-1] ClusterXL sync not happening
Now that I have a bit more time to look at it:

[ccfw0808b]# cphaprob -a if
Required interfaces: 2
Required secured interfaces: 1
eth0  UP  sync(secured), multicast
eth1  UP  non sync(non secured), multicast
Virtual cluster interfaces: 2
eth0  x.x.x.253
eth1  x.x.x.254

[EMAIL PROTECTED] cphaprob list
Built-in Devices:
Device Name: Interface Active Check
Current state: OK

Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: problem
Time since last report: 12.8 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 12.8 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec

Device Name: FIB
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 226033 sec

So FIB definitely is being grumpy. As for the third interface, I agree that that would be wise. I did not familiarize myself with ClusterXL sufficiently before implementation; I'll have to retrofit a third if in my copious free time.

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 17, 2008 8:48 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL sync not happening

I would definitely go for an extra interface on each member exclusively for sync, BUT using a crossover cable for such purposes is not recommended. The reason is that in case of a cable failure there is no reference point for both members to find out which one is having problems, as both lose link on their interfaces. Best practice regarding a sync link is to create a small 2-port VLAN on a switch.

Going back to your issue, and as said by others in the list, check the output of the cphaprob -a if command to find out how your cluster is seeing the interfaces of your members; also cphaprob list might help you find out which of the cluster components is causing the down state. Other useful commands when troubleshooting a cluster are: cpstat ha and fw ctl pstat.

Regards

On Wed, Sep 17, 2008 at 1:09 AM, Eugeniu Patrascu [EMAIL PROTECTED] wrote:
East, Bill wrote:
1) Interface by interface, it does not seem to make a difference.
2) Ran out of Ethernet ports. I may have to rectify this.

As another list member said, what does 'cphaprob -a if' show on both members? My suggestion would be to get two more ethernet cards and use a crossover cable for synchronization purposes.

--
Sergio Alvarez
(506)8301342
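Sergio's point that cphaprob list tells you which registered device (pnote) is holding the member Down is the one Bill's output confirms: Synchronization and FIB both report "problem", and FIB has not reported for 226033 seconds. Reading that by eye is fine on two members; on more, or when polling it from a monitoring job, a small parser helps. The script below is an added example written for this page, not a Check Point tool and not something from the thread; its sample input is Bill's output re-typed as a constant, and the field names it keys on (Device Name, Current state, Time since last report) are the ones visible in that output.

```python
"""Parse `cphaprob list` text and report pnotes in a problem state.

Added example, not from the thread and not a Check Point tool. SAMPLE is
Bill's pasted output re-typed as a constant; the parser keys on the
'Device Name:', 'Current state:' and 'Time since last report:' fields
visible there and does not assume any other format detail.
"""
import re

SAMPLE = """\
Built-in Devices:
Device Name: Interface Active Check
Current state: OK

Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: problem
Time since last report: 12.8 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 12.8 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec

Device Name: FIB
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 226033 sec
"""


def parse_cphaprob_list(text):
    """Return one dict per device; keys are the lower-cased field names
    with spaces replaced by underscores (e.g. 'current_state')."""
    devices, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):  # blank or section header
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Device Name":
            cur = {"name": val}
            devices.append(cur)
        elif cur is not None:
            cur[key.lower().replace(" ", "_")] = val
    return devices


def problem_devices(devices):
    """Names of devices whose state is anything other than OK."""
    return [d["name"] for d in devices if d.get("current_state", "").lower() != "ok"]


def stale_devices(devices, max_age_sec):
    """Names of devices that have not reported within max_age_sec."""
    out = []
    for d in devices:
        m = re.match(r"([\d.]+)\s*sec", d.get("time_since_last_report", ""))
        if m and float(m.group(1)) > max_age_sec:
            out.append(d["name"])
    return out


if __name__ == "__main__":
    devs = parse_cphaprob_list(SAMPLE)
    print("devices:", [d["name"] for d in devs])
    print("problem:", problem_devices(devs))
    print("silent for more than an hour:", stale_devices(devs, 3600))
```

On Bill's output the parser reports Synchronization and FIB as the problem pnotes and FIB as the only one that has gone silent for longer than an hour; the same two functions run unchanged over the output of the other member, which is the comparison Eugeniu asked for.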
Re: [FW-1] ClusterXL sync not happening
Thanks for the suggestion. Is there a rule that needs to be created to allow the broadcast traffic to propagate, or will it be passed due to implicit rules?

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Odendaal
Sent: Wednesday, September 17, 2008 11:51 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL sync not happening

It looks like you have a problem with your switch not allowing multicast. If you have a Cisco switch, then you might have the no ip igmp snooping option turned on, which would prevent the synchronization from occurring correctly (at least this is what has happened in my experience). You could either examine your switch config and disable any option that would prevent multicast, or you could bypass that issue altogether by changing your sync method to broadcast instead. I typically prefer broadcast as it seems to be more compatible.

To enable broadcast sync instead of multicast, you need to run cphaconf set_ccp broadcast from the command line of each node. Then reboot the nodes in the cluster and it should be working.

In general Check Point always recommends that you have a dedicated sync link, which should NOT have anything else on it, especially not the management station, as the amount of traffic that traverses the sync network can become quite high and could affect certain services on the management station (logging for example). I also would suggest a cross-over cable as your sync link, as the chances of a problem occurring with the cable are lower than the chances of a switch failing (IMHO).

Good luck.

Matthew
Information Security Architects (Pty) Ltd.
South Africa

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of East, Bill
Sent: 17 September 2008 04:29 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] ClusterXL sync not happening
Re: [FW-1] VPN for dummy
-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:FW-1- mailingl...@amadeus.us.checkpoint.com] On Behalf Of pkc_mls
Sent: Thursday, July 26, 2012 8:05 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] VPN for dummy

On 24/07/2012 4:10, East, Bill wrote:
Single external IP on Comcast's network, static public address. Single internal IP on the LAN ports, RFC 1918. So you can get to the subnet I'm on either by going through the tunnel or through the MPLS network (when it's up). Was this what you were looking for?

I was just wondering if it could be possible to use dynamic routing and a loopback interface on the Edge, but I'm not sure this device supports it. I assume MPLS is connected to the remote LAN via a dedicated router. You can allow management on the remote IP and restrict this via the rules to your public IP on the local site. But it means in case of a failover you'll have to change the management IP address in the browser (and it means also that SmartCenter will lose connection to the Edge when MPLS is not up). Is it really too complex to use a remote RDP server for Edge admin? (It assumes this node is also up and running.)

Nah, it's just inelegant. But I can live with it. What I can't live with is what I found after some testing: once I defined the VPN domains (on the Edge, just the remote subnet; on the central FW, all our other subnets), I started to see traffic returning from the Internet (while MPLS is up) hitting the firewall, then attempting to route through the VPN. I assume it's being dropped at the other end because there's an ACK but no SYN there. Some Googling suggests that you can leave the subnets out of the VPN domain but add static routes at different weights to the central firewall. I don't know. I know other people have used the Checkpoint VPN as a backup before so I'm sure it's not impossible, but I'm starting to look at hiring a professional who's done this before. It's getting complicated.