Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] Gateway allways in Encryption Domain?

from Ray [Permanent Link]
Subject: Re: [FW-1] Gateway allways in Encryption Domain?
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 29 Nov 2006 22:12:55 -0500 
Hi Markus,
Out of curiosity, why is it important? It's also odd because in a simplified VPN policy, which is required for managed Edge boxes, the external interface of regular FW-1 boxes are automatically included in the encryption domain.
Is it possible that the Edge external interfaces are but the traffic you're using is getting accepted on an implied rule (which are always before the VPN rules)? It doesn't sound like it because of the group thing you're doing, though. 

Ray



From: Markus Schmidt <Markus.Schmidt AT INTERFACE-SYSTEMS DOT DE>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM> 
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Gateway allways in Encryption Domain?
Date: Wed, 29 Nov 2006 17:05:09 +0100

Hi
We're talking about VPN-1 edges with the latest firmware and a NGX R61_HFA01 Gateway/Management.
I have the following Situation: A central Gateway and some Edges (with dynamic Adresses) living in a Star Community. The Traffic from beheind the edges (their encryption Domains) goes perfectly through the VPN, while the traffic originating directly from the edges does not.
In SmartDashboard, I have Network Objects for the edge's encryption Domains. These Network Objects are used for manually defining the edge encryption Domains. A workarround is to replace these network Objects by group Objects, containing the network Objects AND the edge Object. This seems ugly to me, but it works.
Is there a better way? Is there a switch like "the gateway is allways in the encryption Domain, or something like that? 
--
http://schmidt.bs-server.com

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


_________________________________________________________________
Talk now to your Hotmail contacts with Windows Live Messenger. http://clk.atdmt.com/MSN/go/msnnkwme0020000001msn/direct/01/?href=http://get.live.com/messenger/overview 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [FW-1] Office Mode and Vmware machines with local IP addresses, David Glosser
Next by Date:  [FW-1] Wrong info reported in SV Monitor, Sergio Alvarez
Previous by Thread:  [FW-1] Gateway allways in Encryption Domain?, Markus Schmidt
Next by Thread:  Re: [FW-1] Gateway allways in Encryption Domain?, Markus Schmidt
Indexes:  [Date] [Thread] [Top] [All Lists]