Ray,

Although you can tunnel Voyager through SSH, it is simpler to configure Voyager to use SSL. You will then have to add a rule like:

    source=Mng PC  dest=Firewall  service=HTTPS  action=accept

You need to configure a certificate (unless you have your own CA) for the firewall within Voyager, and then you must enable Voyager to use SSL. Although this sounds fairly simple, it is not obvious and can be rather confusing.

Rather than waste space here, I have a rather large document that goes into this and many other aspects in far more detail. If you like I could email this direct to you?

Regards, Derin
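The rule-ordering point running through this thread (a management-access rule for HTTPS/SSH placed above the stealth rule, with Voyager over plain HTTP still being dropped), as an added example that is not part of the list thread: a small first-match rulebase evaluator. Object names, addresses and rule names are constructed for illustration and are not from any real installation.

```python
"""First-match rulebase evaluation, modelled on the stealth-rule thread.

Added example, not part of the original list thread. All objects and
addresses below are constructed for illustration.
"""
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: object       # frozenset of host addresses, or ANY
    destination: object  # frozenset of host addresses, or ANY
    service: object      # frozenset of "proto/port" strings, or ANY
    action: str          # "accept" or "drop"


def matches(field, value):
    """A field matches when it is Any or explicitly contains the value."""
    return field == ANY or value in field


def evaluate(rulebase, src, dst, service):
    """Return (rule name, action) of the first rule that matches, top down.

    Like FW-1, evaluation stops at the first match, so a rule placed below
    the stealth rule never sees traffic destined to the firewall object.
    """
    for rule in rulebase:
        if (matches(rule.source, src) and matches(rule.destination, dst)
                and matches(rule.service, service)):
            return rule.name, rule.action
    return "implicit drop", "drop"


# Constructed network and service objects (hypothetical addresses).
FIREWALL = frozenset({"10.0.0.1"})
MGMT_PC = frozenset({"10.0.0.50"})
HTTPS = frozenset({"tcp/443"})
SSH = frozenset({"tcp/22"})

MGMT_RULE = Rule("management access", MGMT_PC, FIREWALL, HTTPS | SSH, "accept")
STEALTH_RULE = Rule("stealth", ANY, FIREWALL, ANY, "drop")
CLEANUP_RULE = Rule("cleanup", ANY, ANY, ANY, "drop")

# Management rule above the stealth rule, as the thread recommends...
GOOD_ORDER = [MGMT_RULE, STEALTH_RULE, CLEANUP_RULE]
# ...versus placing it below, where the stealth rule shadows it completely.
BAD_ORDER = [STEALTH_RULE, MGMT_RULE, CLEANUP_RULE]
```

Run `evaluate(GOOD_ORDER, "10.0.0.50", "10.0.0.1", "tcp/80")` to reproduce the log entry Ray saw: Voyager over plain HTTP hits the stealth rule because only HTTPS and SSH are in the management rule.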
T Jani,

Sorry to bother you again. Today I used Voyager to access the firewall without success. I looked at the log view: it used HTTP to access the firewall, so it was dropped. I have enabled the SSH daemon in Voyager already. Do I need to add the HTTP service in the rule?

Thanks,
Ray
----- Original Message -----
Sent: Thursday, 05 September, 2002 03:23 PM
Subject: Re: [FW-1] Shealth rule
Yes. Sorry, those infos were for FW-1 version 4.1; here's the info for NG FP2:

New -> Node -> Host

and SSH is already defined in NG, I can see that =)

and the rule comes from the Rule menu on NG, not Edit.. Checkpoint changes everything on every version =)

hope that helps.

remember to enable the SSH daemon for IPSO from Voyager, or otherwise it's useless.. check also the LOG btw for this rule! I meant the SOURCE DESTINATION ACTION (TRACK) field; choose LOG there.

T: Jani
-----Original Message-----
From: Ray Li [mailto:[email protected]]
Sent: 5 September 2002 9:14
To: [email protected]
Subject: Re: [FW-1] Shealth rule
Many thanks for your detailed procedure. I am very new to CheckPoint NG FP2 and have just tried to use it a few times. As I have not created a new defined object, I am unsure of the correct procedure, and your explanation is very helpful.

However, I could not create the object "ssh client computer" following your procedure. In the drop-down list of New object, I could not find "Workstation". Under the New drop-down list it has Check Point, Node, Interoperable Device, Network, Domain, OSE Device, Group, Logical Server, Address Range, Dynamic Object, VoIP Domains. Probably you are referring to an old version of CheckPoint, and we just installed new CheckPoint software. Any idea about the equivalent object in my version?
----- Original Message -----
Sent: Thursday, 05 September, 2002 04:33 AM
Subject: Re: [FW-1] Shealth rule
You mean how to make that rule?

I may be telling you really easy things here, but I am not sure what you meant =)

If so, make a network object for your "ssh client computer" (manage -> network objects -> new -> workstation) and put there its name and static IP; the name can be whatever you wish.

You may also have to define the SSH service (manage -> services -> new -> tcp; name SSH, port 22).

Add a new rule to the top of the rule base (edit -> add rule -> top). Now you should see a rule like ANY ANY ANY DROP. Change the new rule as below, using the new objects that you just created:

source(New network object you just created)
destination(Firewall object)
service(SSH/telnet)

Jani
-----Original Message-----
From: Raymond Li [mailto:[email protected]]
Sent: 4 September 2002 13:33
To: [email protected]
Subject: Re: [FW-1] Shealth rule
Thanks for your suggestion. Could you please advise how to create the source (ssh/telnet client)?
----- Original Message -----
Sent: Wednesday, 04 September, 2002 12:57 AM
Subject: Re: [FW-1] Shealth rule
For normal operations of the box you should use SSH, and maybe configure port forwarding as well for SSH to Voyager, or just put Voyager to use SSL.

And you should make another rule above the stealth rule to allow (SSH / Telnet) to your FW from the computer you want:

source(ssh/telnet client)
destination(Firewall)
service(SSH/telnet)

Regards, Jani Huovinen
-----Original Message-----
From: Ray Li [mailto:[email protected]]
Sent: 3 September 2002 17:18
To: [email protected]
Subject: Re: [FW-1] Shealth rule
Thanks for your kind advice.

In the Stealth rule, I use drop as the action. Should your suggested rule be placed above or below the Stealth rule?

Regarding your kind advice about the security hole, currently I use the CheckPoint GUI to manage the firewall software and telnet + browser to manage the Nokia IPSO. Do you mean I can use only the browser to manage the IPSO? I am a new firewall administrator and I have not compared all the features of these two ways. Does Nokia have a similar CheckPoint GUI to manage all functions of IPSO?
----- Original Message -----
Sent: Tuesday, 03 September, 2002 08:19 PM
Subject: Re: [FW-1] Shealth rule
Enable the Stealth rule, which should look like this:

Any  Firewall Object  Any  Drop/Reject

Enable it by saying Accept in the Action field AND put a rule as follows:

Telnet Machine  Firewall Object  Telnet  Accept

But I'll advise you not to use Telnet in such a scenario (as this will open a security hole in your network); instead use the remote GUI client feature to log onto the Nokia Firewall.
-----Original Message-----
From: Raymond Li [mailto:[email protected]]
Sent: Tuesday, September 03, 2002 3:34 PM
To: [email protected]
Subject: [FW-1] Shealth rule
I have a stealth rule as the first rule. I cannot telnet to the Nokia firewall. Can someone tell me if I can modify it to accept telnet within the internal network, or if I need a new rule.