Urgent!about configure subnet mask in Checkpoint Provider-1

[mylove142]

Hi all,
I use Crossbeam X40 + Checkpoint Provider-1. Today, I have a problem when I configure ip address + subnet mask in Checkpoint.

1. If I configure big subnet 202.78.225.128/25 in Checkpoint Provider-1, only subnet from 202.78.225.192/26 can connect to Internet, ip addresss between 202.78.225.128/25 to 202.78.225.192/26 can't connect to Internet.

2. If I configure subnet 202.78.225.128/27, it can connect to Internet

3. If I configure subnet 202.78.225.160/27, it can connect to Internet .

If you understand about ip address in Checkpoint, please answer me.

Thank you very much.

If you have any question, please ask me.

[RayPesek]

Are you configuring a network object or what? Where is this object used?

/25 isn't big. I've got a coule of /23's.

What version of P-1 and HFA level are you using?

Ray

[mylove142]

I use Crossbeam X40 + Checkpoint Provider 1 R55.

[dfwboiler]

So you're changing the interface on the crossbeam, or are you just creating a network object and making a security rule so it can access the internet?

And your first problem is you're running Crossbeam. The more my company uses Crossbeams, the more I want to go to the PIX side of the house.

Anyway, did you check flow rules, etc.
Have you run a fw monitor while trying to connect?

[sail4fun]

Quote:

Originally Posted by dfwboiler

...

And your first problem is you're running Crossbeam. The more my company uses Crossbeams, the more I want to go to the PIX side of the house.

...

? Why ? , we are using both -x and -c ,(Nokia and Solaris as well) is

Is it Crossbeam og CheckPoint that causes the pain ?

[dfwboiler]

Quote:

Originally Posted by sail4fun

? Why ? , we are using both -x and -c ,(Nokia and Solaris as well) is

Is it Crossbeam og CheckPoint that causes the pain ?

It's most definately Crossbeam causing the issue. We joke that we're Crossbeam's testing dept.
We use C and X series, along with Nokia. I haven't really had to deal with Solaris, although we still have a couple around.

For me, Nokia has been by far the easiest. C-series isn't too bad, it's just that problems keep coming up. Like losing static routes when they're pointed to vlans. Or making a change on the system parameters and it causes /etc/hosts to change the mgmt ip 127.0.0.1.

If it was up to the admins, we'd be working on Nokia. We don't make buying decisions though.

I did go to a Crossbeam class and really liked the instructor, I just think it's too new of a product right now for our environment. They can talk about performance all they want, but if it's causing issues, I don't care what kind of throughput you get.

[dfwboiler]

Quote:

Originally Posted by sail4fun

? Why ? , we are using both -x and -c ,(Nokia and Solaris as well) is

Is it Crossbeam og CheckPoint that causes the pain ?

And another thing. While this was more admin error...
Admin forgot to add dynamic_objects to a firewall and all traffic was dropped when policy was pushed.
On Nokia, traffic is fine without dynamic_objects (although it can cause issues on Nokia, it's been rare).