[FW-1] randomize tcp sequence number when traversing between interfaces

Subject: [FW-1] randomize tcp sequence number when traversing between interfaces
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sat, 7 Apr 2007 05:54:36 -0700

R1---CP_Firewall----R2

R1 ip is 192.168.1.11/24 and R2 IP is 192.168.2.22/24
Firewall internal ip is 192.168.1.1/24 and external 
ip is 192.168.2.1/24

I am doing ibgp with MD5 authentication between R1 and R2.
Keep in mind that the firewall just routes the traffic, no 
nat whatsoever here.

In Checkpoint SmartDefense, under Fingerprint Scrambling,
I selected the checkbox for "apply fingerprint scrambling
configuration only to outgoing packets (requires proper
anti spoofing configuration)" and spoof fingerprint for
"encrypted and plain" connections.  Furthermore,
I also selected the checkboxes for ISN spoofing, TTL and IP ID
under the Fingerprint Scrambling option.  I selected
16 bits for minimal ISN entropy, 128 for TTL and do not
scramble traceroute packets, and under IP ID, I have random
for IP ID sequence generation mode.

On my Checkpoint rule, I only allow R1 to initiate BGP
sessions with R2.  R2 is NOT permitted to initiate an iBGP
session with R1.  In other words, one-way iBGP traffic.

After all this, I went ahead and pushed the policy.

I would have expected the iBGP session with MD5 authentication
would not have established between R1 and R2 because the Checkpoint
firewall will randomize the TCP sequence number and it will screw
up the MD5 authentication in iBGP.  Much to my surprise, it still
works.  This tells me that the Checkpoint firewall does NOT
randomize the TCP sequence number at all when traversing from
one interface to another interface.

If I replace the CP firewall with Cisco pix 6.3(5), the iBGP
will fail unless I do this:

static (inside,outside) 192.168.1.11 192.168.1.11 norandomseq

Basically, what I would like to do is to break the iBGP session
between R1 and R2 via the Checkpoint firewall by randomizing the
TCP sequence number on the Checkpoint.  How do I go about doing it?

By the way, I opened a TAC case with Checkpoint diamond support
but I don't think the TAC engineer knows what he is doing.  I 
do not think he understands how bgp works in order to assist me.

Thanks in advance.

cisco4ng
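The poster's expectation rests on how TCP MD5 authentication (RFC 2385) works: the digest covers the TCP pseudo-header, the fixed TCP header (sequence number included) and the data, keyed with the shared secret. A middlebox that rewrites the sequence number but does not hold the key cannot produce a matching option, so the receiving router discards the segment and the BGP session never comes up. The Python below is an added example, not code from the post or from Check Point: it builds a signed SYN from R1 to R2 using the addresses in the message and a constructed key, then offsets the sequence number the way an ISN-scrambling firewall would and shows that verification fails. Port numbers, the key and the sequence offset are made-up sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19        # RFC 2385 option kind
MD5SIG_LEN = 18           # kind + length + 16-byte digest


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Fixed 20-byte TCP header plus options; checksum is left at zero."""
    assert len(options) % 4 == 0, "options must pad to a 32-bit boundary"
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed header with checksum zeroed
    (options excluded), segment data, then the key."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Build a segment carrying a correct MD5 option, padded with two NOPs to 20 bytes."""
    pad = bytes([TCPOPT_NOP, TCPOPT_NOP])
    placeholder = bytes([TCPOPT_MD5SIG, MD5SIG_LEN]) + b"\x00" * 16 + pad
    header = build_tcp_header(sport, dport, seq, ack, flags, window, placeholder)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    options = bytes([TCPOPT_MD5SIG, MD5SIG_LEN]) + digest + pad
    return build_tcp_header(sport, dport, seq, ack, flags, window, options) + payload


def find_md5_option(header):
    """Walk the TCP options and return the 16-byte digest of the MD5 option, or None."""
    options = header[20:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == MD5SIG_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """What the receiving router does: recompute the digest and compare in constant time."""
    data_offset = (segment[12] >> 4) * 4
    header, payload = segment[:data_offset], segment[data_offset:]
    received = find_md5_option(header)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)


def rewrite_sequence(segment, delta):
    """Model a firewall that offsets the sequence number but holds no key and so cannot re-sign."""
    seq = struct.unpack("!I", segment[4:8])[0]
    new_seq = (seq + delta) & 0xFFFFFFFF
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


# Constructed sample: R1 (192.168.1.11) opening a BGP session to R2 (192.168.2.22).
R1, R2 = "192.168.1.11", "192.168.2.22"
KEY = b"example-bgp-key"          # made-up shared secret


def demo():
    """Return (verifies as sent, verifies after ISN scrambling)."""
    syn = sign_segment(R1, R2, 40000, 179, 0x12345678, 0, 0x02, 65535, b"", KEY)
    ok_as_sent = verify_segment(R1, R2, syn, KEY)
    scrambled = rewrite_sequence(syn, 0x0BADF00D)   # arbitrary offset, as a scrambler would apply
    ok_after_scramble = verify_segment(R1, R2, scrambled, KEY)
    return ok_as_sent, ok_after_scramble


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The same reasoning explains the PIX `norandomseq` keyword in the post: it tells the firewall to leave the sequence number untouched for that static so the signature stays valid. A firewall that did scramble the ISN on forwarded segments would break every TCP MD5 peering through it, which is why such scrambling is usually limited to connections the firewall itself terminates.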