CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Question regarding 'host access' during provisioning

  1. #1
    Join Date
    2017-10-10
    Posts
    7
    Rep Power
    0

    Question regarding 'host access' during provisioning

    Hello

    A friend of mine told me that it's good practice during provisioning to configure 'host access' for not only the subnet of the server you access the firewall from, but also the Firewall SYNC subnet (so we are talking about a cluster), which helps with Central Management functionality. However, he didn't explain further regarding this. Is this true? Can someone verify and, if true, clarify a little bit? Maybe this way you can access each firewall through the other member as a backup 'console' access?

  2. #2
    Join Date
    2017-10-10
    Posts
    7
    Rep Power
    0

    Re: Question regarding 'host access' during provisioning

    Originally Posted by Melinbonian:
    Hello

    A friend of mine told me that it's good practice during provisioning to configure 'host access' for not only the subnet of the server you access the firewall from, but also the Firewall SYNC subnet (so we are talking about a cluster), which helps with Central Management functionality. However, he didn't explain further regarding this. Is this true? Can someone verify and, if true, clarify a little bit? Maybe this way you can access each firewall through the other member as a backup 'console' access?

    Any ideas for this one? I'm curious what kind of environment people are used to working with when it comes to host access configuration. Do you use one jumphost subnet, for example? Have you heard of the above optimal configuration?

  3. #3
    Join Date
    2007-06-04
    Posts
    3,300
    Rep Power
    17

    Re: Question regarding 'host access' during provisioning

    Personally tend to leave the Host Access settings alone on the Unit but set the Access to be via the Firewall Policy instead. Whilst building them then am not on the correct subnet for what would be using in production anyway so would only have to go and change them anyway afterwards.

    Once hooked up to the Management with the Firewall Policy installed then still locked down as to where can access from.

    Is useful to be able to SSH from one Firewall to the other, via the Synch Interface so is worthwhile adding this in the Security Policy.

  4. #4
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: Question regarding 'host access' during provisioning

    Originally Posted by mcnallym:
    Personally tend to leave the Host Access settings alone on the Unit but set the Access to be via the Firewall Policy instead. Whilst building them then am not on the correct subnet for what would be using in production anyway so would only have to go and change them anyway afterwards.

    Once hooked up to the Management with the Firewall Policy installed then still locked down as to where can access from.

    Is useful to be able to SSH from one Firewall to the other, via the Synch Interface so is worthwhile adding this in the Security Policy.

    Second that
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
