Thread: Gateway always in Encryption Domain?

Gateway always in Encryption Domain?
user name
2006-11-29 16:05:09
Hi

We're talking about VPN-1 Edges with the latest firmware and an NGX R61_HFA01 Gateway/Management.

I have the following situation: a central Gateway and some Edges (with dynamic addresses) living in a Star Community. The traffic from behind the Edges (their encryption domains) goes perfectly through the VPN, while the traffic originating directly from the Edges does not.

In SmartDashboard, I have Network Objects for the Edges' encryption domains. These Network Objects are used for manually defining the Edge encryption domains.
A workaround is to replace these Network Objects by Group Objects containing the Network Objects AND the Edge Object. This seems ugly to me, but it works.

Is there a better way? Is there a switch like "the gateway is always in the encryption domain", or something like that?
-- 
http://schmidt.bs-server.com

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
Gateway always in Encryption Domain?
user name
2006-11-30 03:12:55
Hi Markus,

Out of curiosity, why is it important? It's also odd because in a simplified VPN policy, which is required for managed Edge boxes, the external interfaces of regular FW-1 boxes are automatically included in the encryption domain.

Is it possible that the Edge external interfaces are, but the traffic you're using is getting accepted on an implied rule (which are always before the VPN rules)? It doesn't sound like it because of the group thing you're doing, though.

Ray
Gateway always in Encryption Domain?
user name
2006-11-30 08:04:17
Well, I need this because the Edges are sending their logs to my Gateway, and these messages are dropped, 'cause they're not encrypted. When I'm using that "group workaround", the messages are encrypted, and therefore are accepted...
-- 
http://schmidt.bs-server.com

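The behaviour the thread describes (traffic from hosts behind the Edge is tunnelled, the Edge's own traffic leaves in cleartext and is dropped, and the group-object workaround fixes it) comes down to whether a packet's source and destination both fall inside the peers' encryption domains. The following Python toy model is an added illustration of that matching logic; it is not Check Point code and not the thread's configuration. The gateway names, IP addresses (TEST-NET and RFC 1918 ranges), the `include_self` switch and the `log_rule` policy are all constructed assumptions.

```python
"""Toy model of encryption-domain matching in a star VPN community.

Constructed example for illustration. The IP addresses, object names and the
rule are made up; nothing here is Check Point code or the thread's config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VpnGateway:
    name: str
    external_ip: str            # the gateway's own address (dynamic on an Edge)
    networks: List[str]         # the Network Objects behind it
    include_self: bool = False  # the "group workaround": gateway object in its own domain

    def encryption_domain(self) -> List[ipaddress.IPv4Network]:
        """Networks this gateway will encrypt for (its VPN domain)."""
        nets = [ipaddress.ip_network(n) for n in self.networks]
        if self.include_self:
            # A bare address becomes a /32 host network.
            nets.append(ipaddress.ip_network(self.external_ip))
        return nets

    def covers(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.encryption_domain())


def vpn_path(src: str, dst: str, src_gw: VpnGateway, dst_gw: VpnGateway) -> str:
    """A packet is tunnelled only if its source lies in the sending peer's
    encryption domain and its destination in the receiving peer's domain.
    Anything else leaves the gateway in cleartext."""
    if src_gw.covers(src) and dst_gw.covers(dst):
        return "encrypted"
    return "cleartext"


def log_rule(src: str, dst: str, src_gw: VpnGateway, dst_gw: VpnGateway) -> str:
    """Constructed central-gateway rule for the Edges' log traffic: accept it only
    when it arrived through the community, drop cleartext from the same addresses."""
    return "accept" if vpn_path(src, dst, src_gw, dst_gw) == "encrypted" else "drop"


def scenarios() -> Dict[str, str]:
    """Replays the three cases from the thread with constructed addresses."""
    # Regular FW-1 gateway: in a simplified VPN policy its external interface is
    # part of its own domain (Ray's remark), so it is modelled with include_self=True.
    center = VpnGateway("central-gw", "203.0.113.1", ["10.0.0.0/24"], include_self=True)
    # Edge as originally defined: domain = the Network Object only.
    edge_plain = VpnGateway("edge-1", "198.51.100.7", ["192.168.1.0/24"])
    # Edge with the Group Object (network + Edge object) as its domain.
    edge_group = VpnGateway("edge-1", "198.51.100.7", ["192.168.1.0/24"], include_self=True)

    return {
        # Host behind the Edge talking to a host behind the center: both in-domain.
        "lan_behind_edge": log_rule("192.168.1.10", "10.0.0.5", edge_plain, center),
        # The Edge's own log traffic: its source address is not in its own domain.
        "edge_itself_plain": log_rule("198.51.100.7", "203.0.113.1", edge_plain, center),
        # Same traffic after the group workaround.
        "edge_itself_group": log_rule("198.51.100.7", "203.0.113.1", edge_group, center),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:20s} -> {verdict}")
```

Running it gives `accept` for the LAN host, `drop` for the Edge's own address with the plain Network Object, and `accept` again once the Edge object is part of the domain, which is exactly the effect of the group workaround: the domain check is purely address-based, so a gateway that is not itself listed in its domain sends its own traffic outside the tunnel.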
