CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. Come to CPUG CON 2008 EUROPE in Switzerland on September 8th - 9th!
    Two days full of technical content for Check Point administrators in the beautiful Swiss Alps!
    We already have 72 attendees signed up from 20 countries!
2. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 10/6, 11/3, 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3, 9/7.
3. Corrent S3500 SecureXL Turbocards For Sale - Last Six Remaining - Get Your Spares!
4. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > Miscellaneous
Reload this Page DNS Doctoring
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2007-09-27
vadi_ag vadi_ag is offline
Junior Member
  
Join Date: 2006-04-07
Posts: 27
Rep Power: 0
vadi_ag has an average reputation (10+)
Default DNS Doctoring
Hi All ,
In PIX we have an option of alias for DNS doctoring do we have any similar options in checkpoint ??


Regards
Vadiraj
__________________
Regards
Vadiraj
Reply With Quote
  #2 (permalink)  
Old 2007-09-27
Robby Cauwerts Robby Cauwerts is offline
Senior Member
  
Join Date: 2006-10-05
Location: Belgium
Posts: 108
Rep Power: 2
Robby Cauwerts has an average reputation (10+)
Default Re: DNS Doctoring
As far as I know: NO
I would be better if you explain in detail what you're trying to achieve.
(eg: you might use dns doctoring on Cisco vs the build in dns functionality on CP when you use ISP redundancy)
Last edited by Robby Cauwerts; 2007-09-27 at 09:54.
Reply With Quote
  #3 (permalink)  
Old 2007-09-27
vadi_ag vadi_ag is offline
Junior Member
  
Join Date: 2006-04-07
Posts: 27
Rep Power: 0
vadi_ag has an average reputation (10+)
Default Re: DNS Doctoring
I was tryig to understand the concept of DNS doctoring on CP
if u have any doc pls let me know

thnx
__________________
Regards
Vadiraj
Reply With Quote
  #4 (permalink)  
Old 2007-09-28
mcnallym mcnallym is offline
Senior Member
  
Join Date: 2007-06-04
Posts: 993
Rep Power: 2
mcnallym has an average reputation (10+)
Default Re: DNS Doctoring
Check Point doesn't have a concept of DNS Doctoring as a Cisco PIX does as Check Point doesn't need to have the functionality.

Unlike the PIX there is nothing in Check Point to stop the internal network talking to the DMZ on the public nat address of the dmz server so there is no need to have DNS Doctoring in Check Point.

Unlike the PIX where the rules are written interface to interface, the Check Point merely uses src and dest IP address, and then uses the Anti-Spoofing config to determine if the src should be able to arrive on the interface.

ie

Internal Machine resolves www.mydomain.com as the public IP. traffic goes the gateway and matches the

src=any dst=webserver srv=htttp action accept

rule as the src matches the any and the webserver matches the public ip so check point sees as a valid traffic and allows through.

DNS proxy in ISP Redundancy is different to DNS Doctoring.
Reply With Quote
  #5 (permalink)  
Old 2007-10-17
cciesec2006 cciesec2006 is offline
Senior Member
  
Join Date: 2006-09-26
Posts: 691
Rep Power: 2
cciesec2006 has an average reputation (10+)
Default Re: DNS Doctoring
As someone who have been working with Cisco Pix/ASA for the past
eight years, I can tell you that Pix/ASA is a piece of sh_t. Checkpoint
is much superior when it comes to setting up rule, NAT, etc.

For example, with Checkpoint, you have host A = 10.1.1.1/24 and
host B= 10.1.1.2/24 and they are static NATted by Checkpoint to
4.1.1.1 and 4.1.1.2, repsectively. Host A CAN talk to host B via 4.1.1.1
and 4.1.1.2 IP address. There is NO way that Cisco Pix can do this,
two hosts on the same network communicating with each other via
static NATted ip address.

The stupid Pix/ASA limitations come from the security level. It is a pain
in the ass and causes lot headaches for everyone.

You do not need DNS doctoring (alias or whatever cisco calls it now) in
Checkpoint.

my 2c.
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -7. The time now is 01:47.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.0.0