transprent proxy

[newbee]

Do you know what is the smallest possible Checkpoint firewall ? It only needs two interfaces, and needs to support "Transparent Proxy".

i was thinking a UTM-1 Edge Checkpoint device will be ok-- sorry - it may a basic question but cant find anything on the web about checpoint firewalls regarding "Transparent Proxy". Iam sure most will supoort it

[MarioL]

From your requirements I bet a small NetScreen would probably be better, though that might not be an option for you.

[newbee]

Can you provide me a model number or part number for a netscreen version you would reccomend

I would prefer a checkpoint firewall- the only reason been we have some already in place. whats the lowest one i can go for which has transprent proxy and 2 interfaces

[mcnallym]

Check Point isn't a transparent proxy firewall. It is stateful inspection.

What is it that you are looking to use the firewall for, also what sort of throughput are you looking for on the box?

[newbee]

Sorry, my confusion about the Checkpoint products. Nokia firewall running Checkpoint functionality sounds like what we need. So long as it supports the "Transparent Proxy" function.

[mcnallym]

I'll rephrase my question then.

As Check point ISN'T a transparent proxy. Rather then saying it needs to support Transparent proxy what are you actually looking to use this box for.

ie

logging of where people go on the Internet
URL filtering

[newbee]

I want to use a hosted Internet filtering service, Scansafe. This works as a sort of proxy "in the cloud". Normally we'd use Group Policy or similar to point the browsers to the Scansafe service, and configure the firewall to block any requests that do directly. In this case we can't do that as the facility is to be used by visitors withot us being able to get any control over their PCs or browsers. Scansafe tell us that Checkpoint firewalls can be configured to transparently catch HTTP requests and redirect them to the Scansafe proxy. (A bit like the Websense support in Cisco).

[MarioL]

Ah... yeah, Check Point can do that, it's called "HTTP next proxy". I don't think the Safe@Office boxes have that (can't remember for sure), so I guess the next cheapest option will do, which will probably be the smallest Nokia... Or get a really cheap PC and install Splat with the smallest license :)

Note: When you say "Transparent proxy" most people will think about arp proxy on the firewall, meaning the same network present in 2 or more interfaces, usually not doing any IP routing at all, just "arping".

[mcnallym]

Scansafe actually have a document on exactly how to configure the Check Point software to do that. Any Check Point platform should do as long as it can support the number of users that you want it to protect. They should have provided that document too you, if not your Scansafe reseller should be able to get for you.

All the check point does is a http redirect and directs all http/https requests off to the Scansafe Web Filtering.

To me this isn't a Transparent Proxy. Transparent Proxy is what Scansafe are doing.

If you do go with a Nokia avoid the IP260 as painfully slow, go with an IP290 or look at the UTM450 model as you get the license with that.
Alternatively if all that need it for is this then just get a cheap PC with two NICs and install SPLAT/Check Point on that. What you need is a Check Point function so the platform won't matter.

[newbee]

Thanks for the above -- it been a big help

so if a pick say Nokia IP 290 and say Checkpoint vpn 1 powergate for x amounts of users ( eg CPPWR-VPG-25) this should do the job --

[mcnallym]

Providing you have less then 25 users on the network behind the gateway that should be fine.