CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2006-06-12
davek23 (Junior Member)
anti-spoof problem

Hi,

I have a situation where the management console address has been removed from the topology list of allowed networks on one of our NG firewalls. This happened when the network object was edited for a problem on a different firewall. Now, when I try to install the policy, the install is rejected with the anti-spoof error.

Is there a way to fix this? I have full access to the Nokia Voyager and command line.

Thanks,

Dave
#2  2006-06-12
abusharif (Senior Member)
Re: anti-spoof problem

Management module doesn't happen to be Windows/Solaris, so you can connect from it instead and make the change? Maybe go for fw unloadlocal, edit the internal interface anti-spoofing configuration, disable anti-spoof checking, add the net, install policy, connect again and enable anti-spoof.
#3  2006-06-16
davek23 (Junior Member)
Re: anti-spoof problem

Hi,

Thanks for the reply. Just to clarify a bit: this is a Nokia IP firewall running NG. The problem I have is that it is based in Hong Kong, and I am in London. As I understand it, fw unloadlocal will also disable routing on the Nokia. Is this correct? I believe I need to:

1. disable external interface
2. enable routing (how? "ipsofwd on admin"?)
3. fw unloadlocal
4. push the policy from the management console with the topology corrected

What I am most worried about is losing connectivity to the Nokia, or getting to a point where I cannot load a policy.

BTW, the firewall has now also stopped logging!

Any advice would be greatly appreciated.
#4  2006-06-16
RayPesek (Senior Member)
Re: anti-spoof problem

You really don't want to do that. When you push a policy, even if the SmartCenter is behind the firewall, the connection is to the EXTERNAL interface, through the firewall if need be. If you disable the external interface, you're probably hosed.

"fw unloadlocal" is not totally benign because it leaves the enforcement module unable to protect itself. On a Nokia, that's not necessarily bad. On a Windows enforcement module, it's not so good. :-)

Stopped logging? Can you SSH to it and make sure it's not out of disk space? When it can't contact the SmartCenter, it will begin to log locally.

I presume your SmartCenter is behind this firewall?

Ray
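Added example, not code from the thread or from Check Point: a small Python model of the anti-spoofing decision the posts are working around, plus the pre-install check a practitioner would want before pushing a policy, namely that the SmartCenter address is still covered by the topology on the interface its connection enters. The interface names, addresses and topology layout are constructed assumptions; the per-interface `antispoof` switch models the disable/re-enable step abusharif suggests.

```python
import copy
import ipaddress

# Constructed sample topology modelled on a Check Point gateway's interface list
# (interface names and addresses are hypothetical). Each internal interface lists
# the networks allowed as sources behind it; the external interface implicitly
# covers everything that is not internal. 'antispoof' is the per-interface
# spoof-tracking switch that the thread proposes toggling.
TOPOLOGY = {
    "eth-s1p1c0": {"external": True,  "allowed": [],              "antispoof": True},
    "eth-s2p1c0": {"external": False, "allowed": ["10.1.0.0/16"], "antispoof": True},
    "eth-s3p1c0": {"external": False, "allowed": ["10.2.0.0/24"], "antispoof": True},
}

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def is_spoofed(topology, inbound_iface, src_ip):
    """Anti-spoofing decision for one inbound packet.
    Internal interface: the source must lie in that interface's allowed networks.
    External interface: the source must not belong to any internal network."""
    iface = topology[inbound_iface]
    if not iface["antispoof"]:
        return False  # spoof tracking off on this interface: nothing is dropped
    ip = ipaddress.ip_address(src_ip)
    if iface["external"]:
        internal = [n for i in topology.values() if not i["external"]
                    for n in _nets(i["allowed"])]
        return any(ip in n for n in internal)
    return not any(ip in n for n in _nets(iface["allowed"]))

def management_reachable(topology, mgmt_ip, mgmt_iface):
    """Pre-install check: the SmartCenter address must pass anti-spoofing on the
    interface its connection enters, or the policy push itself is dropped."""
    return not is_spoofed(topology, mgmt_iface, mgmt_ip)

def with_allowed(topology, iface, cidrs):
    """Copy of the topology with one interface's allowed networks replaced
    (models the accidental object edit described in the thread)."""
    t = copy.deepcopy(topology)
    t[iface]["allowed"] = list(cidrs)
    return t

def with_antispoof(topology, iface, enabled):
    """Copy of the topology with spoof tracking toggled on one interface."""
    t = copy.deepcopy(topology)
    t[iface]["antispoof"] = enabled
    return t
```

Running `management_reachable` against the edited topology before installing reproduces the rejected push, and against the copy with spoof tracking disabled on the internal interface shows why the workaround restores the connection.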