CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Specific Rules on Specific Interfaces

The INSPECT language that is used in FireWall-1 to program the rulebase actually supports the use of specific rules on specific interfaces. The SmartDashboard/Policy Editor applications were not designed to allow you to bind specific rules to specific interfaces of a firewall.

Rules are processed in order. Rules that do not apply are skipped. Processing a rule takes a near-zero amount of time, so unless you have a few hundred rules, there's little reason to do it this way.

If it is an absolute requirement that certain rules are only active on certain interfaces, it can be done, but it is not elegant. Take the generated .pf file from a policy install in the GUI (it should be called rulebase-name.pf, located in $FWDIR/conf on the management console) and modify it so that the rules in question are only installed on the interface in question. Look in the "Inspect" chapter in your Check Point documentation. It explains some of what you will see in this file and should steer you in the proper direction as to what changes to make. Once you have modified this file, you can then install it with the 'fw load' command.

Note that every time you change your security policy in the GUI, you will need to go into the generated .pf, manually reapply the changes, and 'fw load' the modified .pf file. It's not elegant, but that's what you have to do to make it do what you want.

-- PhoneBoy - 16 Jan 2004
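The workflow in the post has one operational risk: a GUI policy install silently regenerates the .pf and drops the hand edits, so the interface restriction is gone until someone notices. The script below is an added example (not from the post, and not Check Point's own tooling) that keeps the edits as a sed script, re-applies them to a copy of the regenerated file, refuses to load if the edits no longer match anything, and records a checksum so a cron job can warn when the .pf has been regenerated since the last load. The $FWDIR default, the file names, the `fw load <file> <target>` form and the sample `iface@direction` rule text are all assumptions.

```shell
#!/bin/sh
# Added example: re-apply interface-specific edits to a regenerated .pf and
# load it, instead of editing the generated file by hand after every install.
set -u

FWDIR="${FWDIR:-/opt/CPsuite/fw1}"   # management console install dir (assumed default)
FW_CMD="${FW_CMD:-fw}"               # set FW_CMD=echo for a dry run

# stamp_file <policy>: where the checksum of the last generated .pf we loaded is kept
stamp_file() { printf '%s/conf/%s.pf.loaded-cksum\n' "$FWDIR" "$1"; }

# pf_changed <policy>: returns 0 if the GUI has regenerated <policy>.pf since
# our last load (or we never loaded it), 1 if it is unchanged. Run it from
# cron to get a warning instead of silently running without the edits.
pf_changed() {
    policy="$1"
    src="$FWDIR/conf/$policy.pf"
    [ -f "$(stamp_file "$policy")" ] || return 0
    [ "$(cksum < "$src")" != "$(cat "$(stamp_file "$policy")")" ]
}

# reapply_and_load <policy> <target>: copy the generated .pf, apply the edits
# kept in <policy>.iface.sed, check that they actually changed something,
# then load the result with 'fw load' (assumed form: fw load <file> <target>).
reapply_and_load() {
    policy="$1"; target="$2"
    src="$FWDIR/conf/$policy.pf"
    edits="$FWDIR/conf/$policy.iface.sed"
    out="$FWDIR/conf/$policy.iface.pf"
    [ -f "$src" ] && [ -f "$edits" ] || { echo "missing $src or $edits" >&2; return 2; }
    sed -f "$edits" "$src" > "$out" || return 2
    if [ "$(cksum < "$src")" = "$(cksum < "$out")" ]; then
        # Nothing matched: the rule text moved or changed in the regenerated
        # file, so the edits must be redone by hand before anything is loaded.
        echo "edits in $edits no longer match $src; not loading" >&2
        return 1
    fi
    "$FW_CMD" load "$out" "$target" || return 3
    # Remember which generated file these edits were applied to.
    cksum < "$src" > "$(stamp_file "$policy")"
}
```

A typical sed script for this purpose holds one substitution per rule, anchored on the full rule line so a rule that the GUI reorders or rewrites stops matching and the load is refused rather than installing the wrong restriction.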