Re: [FW1] VPN and "Security Policy Tab"
Takashi,

To see what the firewall is doing when the options in the policy properties are checked, click on View->Implied Rules. This will show you what each of the implied rules looks like in your rule base. They will be in yellow (green if highlighted) under the Windows GUI. With that one property, you see many implied rules generated! You will not be able to directly edit these, since they are controlled by the software. Just create the ones you need and then uncheck the property. To see the changes to the rulebase, you may have to turn off, then back on, the view of implied rules.

There have been suggestions in the past that you should only enable that which you need and disable all else. Here is where you can learn from them and improve where needed, since CP opens more than you normally want with implied rules and you have less control with them.

OK. When you disable that property, you'll need to add a few rules of your own. You'll need rules to allow the site topology (encryption domain) to be downloaded to the SR client, and key exchange and encryption to be negotiated. You also need to add your RADIUS/TACACS systems. I would suggest looking at www.phoneboy.vom/fw1 and following the Secure Remote and VPN/Encryption links.

Robert

--
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
Gordon Food Service
Voice:
email: [email protected]

>>> takashi kouda <[email protected]> 9/29/00 4:17:00 AM >>>
>
> Hi!
>
> We configured FireWall-1/VPN-1 (ver 4.1) and SecuRemote, and it is successful
> in connecting!
>
> But with the configuration below, it fails:
>
> 1. Remove the check from "Accept VPN-1 & FireWall-1 Control Connections" at
> the "Security Policy Tab" of "Properties".
>
> 2. The RuleTable is below:
>
>   source | destination | service  | action
>   -----------------------------------------
>   test   | CPFW-1      | FireWall | Accept
>
>   test is a NetworkObjects group that includes SecuRemote
>   CPFW-1 is a NetworkObjects group that includes "FW Module" and "FW Management"
>   FireWall is a default ServiceObjects group
>
>
> I examined the manual, and "Accept VPN-1 & FireWall-1 Control Connections"
> check is used when the "FW daemon" connects to an external server such as RADIUS or
> TACACS etc.
>
> When the check is removed, what do we add to the RuleTable or Server?
>
> Please tell me how to do that.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
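The gap Robert describes, as an added example that is not part of the thread or of Check Point's software: a first-match walk over a rule base that reports which control flows (topology download and IKE from the SecuRemote client, RADIUS/TACACS from the module) are left without an explicit Accept once the implied rule is unchecked. The object, group and service names are hypothetical stand-ins for the poster's objects, and the membership of the "FireWall" service group is an assumption.

```python
"""Added example, not the thread's or Check Point's code. Names are hypothetical."""
from dataclasses import dataclass

# Hypothetical network groups mirroring the poster's objects.
GROUPS = {
    "test": {"SecuRemote"},
    "CPFW-1": {"FW_Module", "FW_Management"},
}
# Assumed: the 'FireWall' service group only covers the management
# services, not the client-side topology download or IKE negotiation.
SERVICE_GROUPS = {"FireWall": {"FW1", "FW1_mgmt"}}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str

def expand(name, table):
    """A group name expands to its members; a plain object is itself."""
    return table.get(name, {name})

def first_match(rule_base, flow):
    """Return the action of the first matching rule; implicit cleanup drops."""
    for rule in rule_base:
        if (flow.src in expand(rule.src, GROUPS)
                and flow.dst in expand(rule.dst, GROUPS)
                and flow.service in expand(rule.service, SERVICE_GROUPS)):
            return rule.action
    return "Drop"

# Flows the unchecked implied rule used to permit (per Robert's reply).
REQUIRED = [
    Flow("SecuRemote", "FW_Module", "FW1_topo"),   # site topology download
    Flow("SecuRemote", "FW_Module", "IKE"),        # key exchange
    Flow("FW_Module", "RADIUS_srv", "RADIUS"),     # module -> auth server
    Flow("FW_Module", "TACACS_srv", "TACACS"),
]

def unpermitted(rule_base):
    """List the required flows that the rule base does not explicitly accept."""
    return [f for f in REQUIRED if first_match(rule_base, f) != "Accept"]

POSTED = [Rule("test", "CPFW-1", "FireWall", "Accept")]  # the poster's rule
EXPLICIT = POSTED + [
    Rule("test", "CPFW-1", "FW1_topo", "Accept"),
    Rule("test", "CPFW-1", "IKE", "Accept"),
    Rule("CPFW-1", "RADIUS_srv", "RADIUS", "Accept"),
    Rule("CPFW-1", "TACACS_srv", "TACACS", "Accept"),
]
```

Running `unpermitted(POSTED)` lists all four flows, while `unpermitted(EXPLICIT)` is empty; the same walk can be pointed at your own exported rule base to confirm nothing else was riding on the implied rule.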