Re: checkpoint authentication on external interface

[pkc_mls <pkc_mls () yahoo fr>]

Francois Yang a écrit :
> I hope the list can help me out or point me in the correct direction.
>
> In Checkpoint R65 splat when you turn ON Manual authentication, it
> turns ON port 259 and 900 on both internal and external interfaces.
> I was wondering if there's a way to turn it OFF on one interface and
> still keep it on the other.
> An example would be if you have an edge firewall and you don't want it
> to be visible from the outside but still need it for other functions.
> I tried to create a rule that would block anything from the outside to
> the firewall on those ports and that did nothing.
> Looking in tracker also showed nothing.
> I can connect to the login page but I can't see any logs.
> looking through the implied rules also showed nothing.
> So does anyone have any suggestions that would not kill my support contract? :)
>
>   
Hi Frank,
Even if the daemon is listening on the port, you still have to go 
through the rulebase to be able to connect.
You should verify if the ports are allowed either in implied or explicit 
rules. (try to enable the logs on the implied rules
for a short time to get some logs about the auth).

I recommend to use explicit rules and allow only from explicit sources.

I agree it's better if the daemon accepts connections only on internal 
IPs, but for this you have to ask checkpoint how to do.
> thanks
>
> Frank
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>   


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards