Ray,
Q1: I think your ISP has assigned some IPs for you, right? Just pick one and give it to your fw1 external interface. That's the IP you need to register with the fw1 license.
Q2: umm.. the internal interface of fw1 will be the gateway of your workstations on your local LAN.
Andrew Loh
Thanks for your advice. I believe network object means the CheckPoint Host (Firewall), and I opened it to the Topology tab in Policy Editor. There were two interfaces, eth-s1p1co and eth-s2p1co, inside the table. The first one is connected to the internet using a public IP and the second one to the local LAN using a private IP for the firewall. After I clicked the "Get Topology .." button, a caution showed that "Topology and anti-spoofing settings that are already defined will be overwritten by results of this operation that contradict them, if any. Do you want to continue?" It seems the anti-spoofing has been set before. I have a query about the IPs to be filled in before I continue and seek your further advice.
1. For the interface to the internet, what should I put in the IP column?
2. For the local LAN interface, our workstations are in the range of 192.168.0.11 to 192.168.0.40. How can I put in a range of IPs as there is only one space available? Other IPs, i.e., network printer IPs, do not need to be included here since they do not need to pass through the firewall.
Thanks,
Ray
From: Bill
Sent: Wednesday, 25 September, 2002 03:27 a
Open up the network object in the policy manager. Click on the topology tab. "Get" all your interfaces and verify that they are correct. Then drill down into each interface and choose from the options. I believe they are (not necessarily in the same order or words):
--network defined by your interface configuration
--a network object or group which would define all allowable networks
--external interface
The anti-spoofing is used to tell the firewall what source IP addresses are valid for traffic INBOUND on the port/interface in question. Be very careful and make sure that you are accounting for all necessary networks. I would recommend that you log this information as well so you can "see" when something is not being allowed through and determine the cause -- right or otherwise.
----- Original Message -----
From: Ray Li
To: [email protected]
Sent: Tuesday, September 24, 2002 12:38 PM
Subject: [FW-1] Anti-spoofing warning
I notice that my Nokia firewall shows a warning that "The 2 interface is
not protected by the anti-spoofing feature. Your network may be at risk. In
the future, it is recommended that you define anti-spoofing protection before
installing the Security Policy." during bootup. I am using CheckPoint VPN Pro
NG. To fix this problem, can someone help me configure the anti-spoofing on
the CheckPoint NG version?
Thanks,
Ray
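Added example, not part of the thread and not Check Point's code: a simplified Python model of the anti-spoofing check Bill describes, in which each interface has a set of source addresses that are valid for inbound traffic and every decision is logged. The interface names come from the thread; the addresses, the mask and the `mode` values are assumptions made for the illustration.

```python
import ipaddress

# Constructed topology: names from the thread; address and modes are assumed.
TOPOLOGY = {
    "eth-s1p1co": {"mode": "external"},
    "eth-s2p1co": {"mode": "this_network", "address": "192.168.0.1/24"},
}

def internal_networks(topology):
    """Map each non-external interface to the networks behind it."""
    nets = {}
    for name, cfg in topology.items():
        if cfg["mode"] == "this_network":   # from the interface IP and mask
            nets[name] = [ipaddress.ip_interface(cfg["address"]).network]
        elif cfg["mode"] == "group":        # explicit list of allowed networks
            nets[name] = [ipaddress.ip_network(n) for n in cfg["networks"]]
    return nets

def check_source(topology, in_iface, src):
    """Return (allowed, reason) for a packet arriving on in_iface from src."""
    src = ipaddress.ip_address(src)
    nets = internal_networks(topology)
    if topology[in_iface]["mode"] == "external":
        # A source that belongs behind another interface is spoofed here.
        for name, networks in nets.items():
            if any(src in n for n in networks):
                return False, f"source belongs behind {name}"
        return True, "not an internal address"
    if any(src in n for n in nets[in_iface]):
        return True, "inside the networks defined for this interface"
    return False, "outside the networks defined for this interface"

# Constructed sample packets: (inbound interface, source IP).
PACKETS = [
    ("eth-s2p1co", "192.168.0.11"),  # workstation on the LAN side
    ("eth-s1p1co", "198.51.100.7"),  # Internet host (documentation range)
    ("eth-s1p1co", "192.168.0.25"),  # LAN address arriving from outside
    ("eth-s2p1co", "10.1.1.5"),      # network the topology does not cover
]

def run(packets=PACKETS):
    log = []
    for iface, src in packets:
        ok, reason = check_source(TOPOLOGY, iface, src)
        log.append((iface, src, "accept" if ok else "drop", reason))
    return log

if __name__ == "__main__":
    for entry in run():
        print(*entry)
```

The last sample packet is dropped only because its network is missing from the topology, which is the case the logged reason helps to diagnose.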