Hi!
For which service do you need it at all?
SecuRemote? SecureClient? Site-to-Site VPN?
We have all three running with NG FP3 here, with the following services accepted to the
firewall:
-IKE
-IKE_tcp
-VPN1_IPSEC_encapsulation
-tunnel_test
-FW1_scv_keep_alive
-FW1_pslogon_NG
and
-FW1_topo
Because fw-topo is a risky thing, you can avoid it by creating a fixed
topology, putting it on the client, and not fetching it at every connection...
Regards
Thomas Kunz
T-Systems International GmbH
Global Network Factory, Network & Service Operations Munich
Fon: +49 89 54754 416 ; Fax: +49 89 54754 491
E-Mail: Thomas.Kunz AT t-systems DOT com
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Simon
Ashford
Sent: Thursday, 5 February 2004 22:26
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Disabling certain Firewall-1 "control connections"
ports.
Hello,
In a recent security audit, I was advised to disable external
access to TCP port 264 (FW1_topo) because it could be used to
extract detailed network topology information from my firewall.
So far the only way I found to do this was to disable "Accept
VPN-1 & Firewall-1 control connections" in the Global Properties
pane. But if I do this, then all my IPSEC VPNs also stop working.
I tried adding a rule to allow specific IKE and IPSEC packets
through, but this didn't appear to work. In the log it says
"encryption failure: received a cleartext packet within an
encrypted connection" at the start of any IKE negotiation.
This is logged against the rule I created specifically to allow
IKE.
Can anyone suggest a way to make this work?
Thanks in advance for any help.
Simon Ashford.
--
Simon J. Ashford, Email: simon.ashford AT npl.co DOT uk
IT Support Unit Tel: +44 (0)20 8943 7032
National Physical Laboratory, Fax: +44 (0)20 8943 7093
Teddington, Middlesex, UK. WWW: http://www.npl.co.uk/
-------------------------------------------------------------------
This e-mail and any attachments may contain confidential and/or
privileged material; it is for the intended addressee(s) only.
If you are not a named addressee, you must not use, retain or
disclose such information.
NPL Management Ltd cannot guarantee that the e-mail or any
attachments are free from viruses.
NPL Management Ltd. Registered in England and Wales. No: 2937881
Registered Office: Teddington, Middlesex, United Kingdom TW11 0LW.
-------------------------------------------------------------------
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================