CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Posted 2005-08-12 by BarryStiefel (Administrator)

How do I define Anti-Spoofing for an Enforcement Module with one interface?



We have here a Sun Solaris server installed with a firewall NG module. This server is a proxy and the module is installed on it to give it more protection. Since this machine has only one interface, I suppose that I have to choose the External option.

The mgmt station has a completely different IP address, but my fear is that if I configure the anti-spoofing with the external option, will I still be able to contact the machine? I would be in bad shape if the machine refused any connection after configuring the anti-spoofing. Is there any fallback procedure if this doesn't work?



Answer: In regard to fixing a policy configuration mistake, the answer is simple: unload the policy and repush one that works. Repeat as necessary.



To do this, use the command "fw unloadlocal". Then, reconfigure the policy and push it. Voila!

You shouldn't even have this under the above circumstances because: "In general, you can communicate to a firewall module via any one of its interfaces provided the connection would be allowed by the global properties or rulebase as well as the topology settings. Since antispoofing is basically 'anything' in the case of a single interface, it should work."

To get back to the real question at hand, how to configure Anti-Spoofing on a module with one interface... this setup is actually pathological. Phoneboy explains below: "Antispoofing on a single-interfaced platform seems kind of silly because except in the case where there isn't a default route, any IP address coming into that interface could potentially be valid." So, you really don't need to have Anti-Spoofing set.

However, the original author of the question was interested in getting rid of the bothersome warnings at every policy push. To do this, convert the host from a gateway to a node. In the FW-1 GUI, highlight the enforcement point object of the proxy, right-click and select the "Convert to Host" option.



-- RobertGraham - 02 Feb 2004
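
The reasoning in the answer above can be seen in a simplified model of a topology-based anti-spoofing check. This is an added illustration, not Check Point's implementation and not code from the original post; the interface names, networks and addresses are constructed, and the "external means anything not defined behind another interface" rule is the modelling assumption.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed topology: a conventional two-interface gateway.
GATEWAY = {
    "eth0": {"type": "external", "nets": []},
    "eth1": {"type": "internal", "nets": [net("10.1.0.0/16")]},
}

# Constructed topology: the single-interface proxy from the question.
SINGLE = {
    "hme0": {"type": "external", "nets": []},
}

def spoof_check(topology, iface, src):
    """Return True if a packet with source `src` is accepted on `iface`.

    Simplified model (assumption): an internal interface accepts only the
    networks defined behind it; an external interface accepts any address
    that is NOT defined behind some other, internal interface.
    """
    addr = ipaddress.ip_address(src)
    entry = topology[iface]
    if entry["type"] == "internal":
        return any(addr in n for n in entry["nets"])
    for name, other in topology.items():
        if name == iface or other["type"] != "internal":
            continue
        if any(addr in n for n in other["nets"]):
            return False  # claims an inside address but arrived outside
    return True

def rejected(topology, iface, sources):
    """List the sample sources the model would drop on `iface`."""
    return [s for s in sources if not spoof_check(topology, iface, s)]

# Constructed sample sources, including a management-station address.
SAMPLES = ["10.1.5.5", "192.168.50.10", "198.51.100.7", "203.0.113.9"]

if __name__ == "__main__":
    print("gateway eth0 drops:", rejected(GATEWAY, "eth0", SAMPLES))
    print("gateway eth1 drops:", rejected(GATEWAY, "eth1", SAMPLES))
    print("single  hme0 drops:", rejected(SINGLE, "hme0", SAMPLES))
```

With no other interface to compare against, the single external interface has nothing to exclude, so the check accepts every source and cannot lock out the management station.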
