Firewall-1

Re: [FW-1] IP40 (embedded NG) - SmartCenter integration

Subject: Re: [FW-1] IP40 (embedded NG) - SmartCenter integration
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 27 Jun 2005 08:04:16 -0400
Sorry, I am familiar with the Edge devices, but not the IP40.

Ray

From: "Brockhoven, Werner" <werner.brockhoven AT HP DOT COM>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] IP40 (embedded NG) - SmartCenter integration
Date: Mon, 27 Jun 2005 08:05:47 +0200

Ray,

To me this looks like it is the case.  For example changes in the VPN
community from aes-256 to 3des are being applied to the IP40.  Logging
on the IP40 reports whenever a new policy is installed.

Is there any certain way to verify if the created security policy is
active on the IP40?  If I check the diagnosis output, I can see an
overview of the NAT rules, but not of the Security policy.

Thanks,

Werner

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: Saturday, June 25, 2005 00:24
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] IP40 (embedded NG) - SmartCenter integration

For an IP40 to download a policy from the SmartCenter server, you must
have that one implied rule that is titled something like "accept
outgoing packets from the gateway" set to "before last".

Ray

>From: "Brockhoven, Werner" <werner.brockhoven AT HP DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] IP40 (embedded NG) - SmartCenter integration
>Date: Fri, 24 Jun 2005 17:32:32 +0200
>
>Hi,
>
>Anybody ever deployed one of these and have integrated them into a
>regular SmartCenter?
>
>I have the following strange issue.
>
>When deploying the policy from SmartCenter to the edge device (IP40),
>it seems like some rules are working and some are not.  When checking
>the diagnosis page on the IP40 and the Sofaware Management Server on
>the SmartCenter (gui which runs on port 9283), I see the CRC for the
>policy matches.  Changes to the vpn community of which the edge is part
>are correctly applied.
>
>In fact I'm seeing the following behaviour.  Traffic which comes from
>the DMZ or LAN interface and needs to go into the VPN which is
>established over the WAN interface is not being enforced by the
>SmartCenter policy defined.  All traffic which is destined for the VPN
>seems to be permitted by default.  Only by creating rules in the local
>IP40 gui, it's possible to limit certain traffic.
>
>Another thing I notice, which may or may not be related, is that in the
>SmartView Status, for the edge object, the Policy field is empty.
>
>I've been through most of the documentation regarding vpn-1 edge and
>smartcenter integration, but I could not find any clear information on
>how exactly a VPN-1 Edge or embedded NG device integrates into
>SmartCenter.  What works, what doesn't work.  I've read about
>limitations about using resources and groups with exclusions etc, but
>this is not the case here.
>
>I'm running HFA-15 on the SmartCenter and the IP40 is loaded with
>IP40v200-FCS01a79.bin firmware.
>
>Any insights are greatly appreciated.
>
>Regards,
>
>Werner
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email to
>LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription options,
>email fw-1-owner AT ts.checkpoint DOT com
>=================================================
