Re: [FW-1] Disabling certain Firewall-1 "control connections" ports.

From: "Demetrio Leon Guerrero (DLG)" <leong AT LATTESTONE DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 6 Feb 2004 07:49:49 -0500

Global Properties settings are typically added into the "Implied Rules"
which are processed before your security policy.

You may want to add a "DROP ANY" for your Firewall objects after your VPN rule.

    *** NOTE ***

   Make sure that this drop rule does not precede any control connections or
   management access policies that may prevent you from managing your Firewall.


On Thu, 5 Feb 2004, Simon Ashford wrote:

> Hello,
>
> In a recent security audit, I was advised to disable external
> access to TCP port 264 (FW1_topo) because it could be used to
> extract detailed network topology information from my firewall.
>
> So far the only way I found to do this was to disable "Accept
> VPN-1 & Firewall-1 control connections" in the Global Properties
> pane.  But if I do this, then all my IPSEC VPNs also stop working.
>
> I tried adding a rule to allow specific IKE and IPSEC packets
> through, but this didn't appear to work.  In the log it says
> "encryption failure: received a cleartext packet within an
> encrypted connection" at the start of any IKE negotiation.
> This is logged against the rule I created specifically to allow
> IKE.
>
> Can anyone suggest a way to make this work?
>
>
> Thanks in advance for any help.
>
>
> Simon Ashford.
>
>
> --
> Simon J. Ashford,                 Email: simon.ashford AT npl.co DOT uk
> IT Support Unit                   Tel: +44 (0)20 8943 7032
> National Physical Laboratory,     Fax: +44 (0)20 8943 7093
> Teddington, Middlesex, UK.        WWW: http://www.npl.co.uk/
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
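The ordering point made in the reply above (implied rules from Global Properties are consulted before the explicit policy, and a "drop anything to the firewall" rule has to sit after the IKE and management rules) can be shown with a small first-match rule-base simulator. This is an added example, not code from the thread or from Check Point; apart from TCP/264 (FW1_topo) from the audit finding and UDP/500 for IKE, the object names (fw-gw, vpn-peer, mgmt-station), the management port and the packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "any" or an object name
    dst: str
    proto: str    # "any", "tcp" or "udp"
    dport: int    # 0 means any destination port
    action: str   # "accept" or "drop"


FW = "fw-gw"            # the firewall object (assumed name)
MGMT = "mgmt-station"   # assumed management station object
PEER = "vpn-peer"       # assumed IPSec peer object
IKE_PORT = 500          # IKE, UDP/500
TOPO_PORT = 264         # FW1_topo, TCP/264, the port the audit flagged
MGMT_PORT = 18190       # assumed management port for this example


def implied_rules(control_connections_enabled: bool) -> List[Rule]:
    """Rules that Global Properties places ahead of the security policy.
    Only the two services discussed in the thread are modelled."""
    if not control_connections_enabled:
        return []
    return [
        Rule("implied FW1_topo", "any", FW, "tcp", TOPO_PORT, "accept"),
        Rule("implied IKE", "any", FW, "udp", IKE_PORT, "accept"),
    ]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (0, pkt.dport))


def evaluate(pkt: Packet, control_connections_enabled: bool,
             policy: List[Rule]) -> Tuple[str, str]:
    """First match wins. Implied rules are walked before the explicit
    policy; anything unmatched falls through to an implicit drop."""
    for rule in implied_rules(control_connections_enabled) + policy:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "implicit cleanup", "drop"


# Explicit policy in the order the reply recommends: VPN/IKE first,
# management access next, then a drop for everything else aimed at the gateway.
GOOD_POLICY = [
    Rule("allow IKE", "any", FW, "udp", IKE_PORT, "accept"),
    Rule("allow mgmt", MGMT, FW, "tcp", MGMT_PORT, "accept"),
    Rule("drop to fw", "any", FW, "any", 0, "drop"),
]
# Same rules with the drop placed ahead of the management rule: the
# mistake the reply's NOTE warns about.
BAD_POLICY = [GOOD_POLICY[0], GOOD_POLICY[2], GOOD_POLICY[1]]

# Constructed sample traffic.
TOPO_PROBE = Packet("attacker", FW, "tcp", TOPO_PORT)   # external topology query
IKE_INIT = Packet(PEER, FW, "udp", IKE_PORT)            # start of an IKE negotiation
MGMT_CONN = Packet(MGMT, FW, "tcp", MGMT_PORT)          # management station connecting

if __name__ == "__main__":
    cases = [("control connections ON", True, GOOD_POLICY),
             ("control connections OFF", False, GOOD_POLICY),
             ("OFF, drop placed before mgmt rule", False, BAD_POLICY)]
    for label, enabled, policy in cases:
        print(label)
        for pkt in (TOPO_PROBE, IKE_INIT, MGMT_CONN):
            print(f"  {pkt.proto}/{pkt.dport} from {pkt.src}:",
                  evaluate(pkt, enabled, policy))
```

With control connections enabled, the TCP/264 probe is accepted by the implied rule before the explicit "drop to fw" rule is ever reached, which is why a later drop rule alone does not satisfy the audit finding. With the implied rules off and the drop rule last, IKE and management still get through while the topology probe is dropped; move the drop above the management rule and the management station locks itself out. The simulator only models rule order, not the "cleartext packet within an encrypted connection" behaviour the original poster saw.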
