Thread: NGx Provider-1 deployment question

NGx Provider-1 deployment question
user name
2006-03-03 16:43:58
In most P-1 deployments I deal with there is no NAT for the CMAs. I would have to say don't NAT if possible. No SIC, fetch, push or logging issues.

There is a problem with NGX and NATting the manager in a standard distributed environment; I haven't tested this with P-1. I have posted this to the group before and also opened a case with CP on it several months back, and have still not found a good resolution for it. When the manager is statically NATted behind a CP FW you will lose logging from the local FW; dumps show the logs on the local FW trying to go to the NATted IP. Using the object.DLL GUI replacement CP has provided (so you can select "use local definitions for log servers" and it stays selected) has not worked reliably. The workaround I am currently using is defining an object as a log server with the internal IP of the manager and using it as the defined log server.

The option for FW-1 control connections under NAT was introduced for the opposite problem of getting logs back from remotely managed FWs: up through FP-3, remote FWs would send logs to the IP listed under general props. Several workarounds exist for this too; one was to define a log server with the public IP and use it on the remote FWs.

Looks like a complete 180 turn with NGX. OK, maybe a 179 1/2.

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of cisco4ng
Sent: Friday, March 03, 2006 8:24 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] NGx Provider-1 deployment question

This question is for gurus in this forum.

I need advice on Provider-1 NGx deployment.

We are looking at deploying Provider-1 NGx R60A or R61 to manage about 500 Enforcement Modules over the Internet for 250 customers (H/A solution). The enforcement modules will be a mixture of Nokia and SPLAT. We're looking at running Provider-1 NGx on Intel hardware (8 CPUs and 64GB of RAM, but that will be determined later).

Since we will be managing customers' firewalls over the Internet, does it make sense to assign public IP addresses to Provider-1 as well as the CMAs themselves, instead of assigning private IP addresses to the Provider-1 and CMAs and then making them available via static NAT? My reasons for assigning public IPs to Provider-1 and CMAs are as follows:

1) Starting with NG with AI R55, under the "NAT" feature of the CMA, one can check the box and specify the CMA is behind a firewall and tell it to accept firewall control connections. However, this method only applies if the firewall in front of the Provider-1 and CMAs is a Check Point firewall. If the firewall protecting Provider-1 and CMAs is a Cisco PIX or NetScreen, this method will not work. I know this because I got burned before with a Provider-1 & CMAs deployment that was protected by a Cisco PIX firewall. Static NAT will not work if the firewall protecting Provider-1 is anything but a Check Point firewall.

2) Even if Provider-1 & the CMAs are protected by the Check Point firewall, due to the nature of SIC and the use of certificates, I was told by Check Point (back in 2004) that there are still limitations to statically NATing the CMAs. For example, you can push the policy from the CMA to the enforcement module; however, you cannot "fetch" the policy on the Nokia or SPLAT enforcement modules, because the CMA has a private IP and it is being NATed by the Check Point firewall, so "fetch" from the enforcement module will not work. Is this still true in NGx in 2006?

3) By assigning public IPs to Provider-1 and CMAs, I can place a firewall from any vendor in front of Provider-1 and CMAs to protect them. I can go with Check Point, Cisco PIX or NetScreen. The Enforcement modules will see the CMAs with the actual public IP addresses, not the NAT address. The firewall in front of Provider-1 will NOT be doing any address translation. Therefore, I will not have the SIC and certificate issues. The reason I like to go with either Cisco PIX or NetScreen to protect the Provider-1 & CMAs is because the performance on these firewalls is excellent. I also know that I am trading performance for stateful inspection, but that is something I can tolerate.

4) As long as the firewall in front of Provider-1 and CMAs has a strong security policy, I should not have any issues exposing them to hackers on the Internet. The firewall in front of Provider-1 and CMAs will be doing routing and inspecting, NOT packet manipulation (i.e. static NAT). Therefore, my SIC and certificate issues are solved.

Those are my reasons for assigning public IP addresses to Provider-1 & CMAs. Are there any advantages to assigning private IP addresses to Provider-1 & CMAs and statically NATing them to manage remote Enforcement Modules?

Your comments are very appreciated. TIA

cisco4ng



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
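As an added illustration, not code from either poster: a small Python audit that reads tcpdump-style lines captured on the firewall in front of the manager and flags control/log flows that address the manager by the wrong side of the static NAT. It covers the NGX symptom Gary describes (a local module sending logs to the NATted IP) and the older FP-3 case (a remote module sending to the private IP from the object's general properties). The capture lines and all addresses are constructed, and the Check Point service ports in CP_PORTS are the standard defaults, not values taken from the thread.

```python
import ipaddress
import re

# Well-known Check Point service ports for management and log traffic.
# Assumption: standard defaults, not values taken from the thread.
CP_PORTS = {
    257: "FW1_log",
    18190: "FW1_mgmt (CPMI)",
    18191: "CPD (SIC)",
    18210: "FW1_ica_pull",
    18211: "FW1_ica_push",
}

# Matches a tcpdump-style TCP line: "IP <src>.<sport> > <dst>.<dport>:"
LINE_RE = re.compile(
    r"IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)

# Constructed sample capture as seen on the firewall in front of the manager.
# Hypothetical addresses: manager internal 10.20.0.10, its static NAT 203.0.113.10,
# a local module at 10.20.0.2 and a remote (Internet-side) module at 198.51.100.7.
SAMPLE_DUMP = """\
10:15:01.123456 IP 10.20.0.2.41002 > 203.0.113.10.257: Flags [S], seq 1, length 0
10:15:01.223456 IP 10.20.0.2.41003 > 10.20.0.10.18191: Flags [S], seq 2, length 0
10:15:02.123456 IP 198.51.100.7.51000 > 10.20.0.10.257: Flags [S], seq 3, length 0
10:15:02.223456 IP 198.51.100.7.51001 > 203.0.113.10.18190: Flags [S], seq 4, length 0
10:15:03.000000 IP 10.20.0.2.41004 > 10.20.0.10.22: Flags [S], seq 5, length 0
"""


def parse_line(line):
    """Return (src, sport, dst, dport) for a tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def classify_flow(src, dst, dport, manager_internal, manager_nat, local_nets):
    """Decide whether a manager-bound control/log flow uses the reachable address."""
    if dport not in CP_PORTS:
        return None  # not management or log traffic
    if dst not in (manager_internal, manager_nat):
        return None  # aimed at some other host
    src_is_local = any(ipaddress.ip_address(src) in net for net in local_nets)
    if src_is_local and dst == manager_nat:
        # NGX symptom from the thread: an inside module addressing the manager
        # by its translated address, so the logs never arrive.
        return "misdirected: local module -> NAT address"
    if not src_is_local and dst == manager_internal:
        # FP-3 era symptom: a remote module sending to the private address it
        # learned from the manager object's general properties.
        return "misdirected: remote module -> private address"
    return "ok"


def audit_control_traffic(dump, manager_internal, manager_nat, local_cidrs):
    """Classify every manager-bound control/log flow found in a capture."""
    local_nets = [ipaddress.ip_network(c) for c in local_cidrs]
    results = []
    for line in dump.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport = parsed
        verdict = classify_flow(src, dst, dport, manager_internal, manager_nat, local_nets)
        if verdict is not None:
            results.append((src, dst, dport, CP_PORTS[dport], verdict))
    return results


def misdirected(results):
    """Only the flows that will fail under the static NAT arrangement."""
    return [r for r in results if r[4] != "ok"]


if __name__ == "__main__":
    rows = audit_control_traffic(SAMPLE_DUMP, "10.20.0.10", "203.0.113.10", ["10.20.0.0/16"])
    for row in rows:
        print(row)
```

Feed it the output of a capture filtered to the manager's two addresses; anything reported as misdirected is a module whose log server or management object needs the per-side definition Gary describes (internal IP for local modules, public IP for remote ones).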

NGx Provider-1 deployment question
user name
2006-03-24 23:00:05
Have a look at nat-traverse.... it might solve your NAT problem: http://linide.sourceforge.net/nat-traverse/

Best regards,
Adam.

Gary Scott <gscott@VIGILAR.COM> wrote: In most P-1 deployments I deal with there is no NAT for the CMAs. I would have to say don't NAT if possible. No SIC, fetch, push or logging issues.

		
