firewall-1 faqs


1. How should the network diagram look for installation of the firewall, with IP addressing?

external 203.200.50.1 ---------- firewall ---------- internal 192.168.1.0




All the networks connected to the firewall should be on different subnets: the internal, DMZ and external networks must each be a different network, and every one of them should be reachable from the firewall.

The firewall can have only one card for the external network, with only one IP address, because during installation Check Point asks for the external card's IP address and there is space for only one.

If two or more links from different ISPs are used, how does the configuration look?



ISP 1 ----s0 |        | e0 ---------- e1 |          | e3 ---------- 192.168.1.0
             | router |                  | firewall |
ISP 2 ----s1 |        |                  |          |


s0 - ISP's first leased line
s1 - ISP's second leased line
e0 - router's ethernet port
e1 - firewall's external card
e3 - firewall's internal card

IP addressing:

s0 - network address: 200.50.1.0
s1 - network address: 202.50.1.0

e0 - router's ethernet card: 200.50.1.1 and 202.50.1.1

e1 - firewall's external card: 200.50.1.1, with default gateways 200.50.1.1 and 202.50.1.1

e3 - firewall's internal card: 192.168.1.1 (network: 192.168.1.0)

You should NAT the IP addresses of the internal network to the s1 and s0 networks.

2. Write Logs to a Serial Device

Q:

How can I write the FireWall-1 logs to a serial device?

A:

The log files themselves are binary, so that's probably not what you want.

What you could do is take the logs as they come in via the 'fw log' command and write the output to a serial port. That is about as close as you are going to get to real time. Run the following on your management console:

fw log -tfn > /dev/tty1 &

(Replace /dev/tty1 with whatever device your serial port maps to)

The flags above for fw log are: -t (tail), -f (forever), -n (no name resolution)


3. Configuring Webtrends to use OPSEC LEA

Q:

I am trying to use Webtrends to generate some pretty reports for management. Webtrends says it has support for LEA logs but I can't seem to get them to work. I know Check Point supports LEA on TCP 18184, so I made a rule to allow traffic on that port. Webtrends says there was an error communicating with the firewall.

A:

1. Make sure you are running the latest version of Web Trends Firewall Suite.

2. Follow the Web Trends documentation for setting up your log server to listen on this port (fwopsec.conf).

3. Make sure you create a rule allowing OPSEC traffic.

4. When you create the "Activity Profile", make sure you specify "CheckPoint FireWall-1 using OPSEC LEA" as the "Log File Format".

5. When you specify the IP address of your firewall, make sure it matches the address used in the OPSEC rule you created.

4. Limitations of Single Gateway Products

Q:

What are the limitations of the FireWall-1/n (Light, Medium, Single Gateway) products?

A:

The FireWall-1/n products have the following restrictions:

Only one external interface is permitted
Cannot control remote firewall modules
Firewall and Management console must be on the same system
Can only have a limited number of nodes behind the firewall
Cannot control routers

5. Failed to Load Security Policy on gateway: Connection Refused

Q:

When I try to load a new rule from 'control' to 'gateway', I get the following error message:

Failed to Load Security Policy on gateway: Connection Refused

A:

The first thing you should check is that the correct IP address is defined in the workstation object that represents your gateway. If it is incorrect, you will get this error message. If the IP address is correct, then it is likely that the fwd process has died. On Unix, check for the occurrence of an 'fwd' process with ps. On NT, look for an 'fw.exe' process with a process ID that matches the one listed in %FWDIR%\tmp\fwd.pid. To restart fwd, you can either:

Bounce the firewall (fwstop ; fwstart)
On Unix, run: fwd
On NT, run: fw fwd (But you're better off bouncing the firewall)

If fwd is running and you are still having this problem, you have a security policy loaded on your firewall that prohibits your management console from accessing the firewall on port 256. Try:

fw fetch management-console
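The fwd check above, as an added shell helper that is not part of the FAQ: it reads the PID recorded in fwd.pid and confirms that a process with that PID is actually fwd (or fw.exe on NT). It assumes the PID file is also at $FWDIR/tmp/fwd.pid on Unix and that the process listing comes from "ps -e -o pid= -o comm="; the listing is passed in as text so the check can be exercised offline on constructed data.

```shell
#!/bin/sh
# Added diagnostic for the "Connection Refused" symptom: is fwd really alive,
# and does its PID match the one recorded in fwd.pid? Not part of the FAQ.
# Assumptions: $FWDIR/tmp/fwd.pid exists on Unix as well as NT, and the
# process listing has the shape produced by "ps -e -o pid= -o comm=".
#
# fwd_status PIDFILE PS_LISTING
#   prints  running            fwd alive and its PID matches fwd.pid   (rc 0)
#           running-nopidfile  fwd alive but no PID file was found      (rc 0)
#           stale              fwd.pid exists, but that PID is not fwd  (rc 2)
#           missing            no PID file and no fwd process           (rc 1)
fwd_status() {
    pidfile=$1
    listing=$2
    # Match "<pid> fwd" (Unix) or "<pid> fw.exe" (NT); ps may left-pad the PID.
    daemon_re='[[:space:]]+(fwd|fw\.exe)$'
    if [ ! -r "$pidfile" ]; then
        if printf '%s\n' "$listing" | grep -Eq "^[[:space:]]*[0-9]+$daemon_re"; then
            echo running-nopidfile; return 0
        fi
        echo missing; return 1
    fi
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo stale; return 2 ;;   # empty or corrupt PID file
    esac
    if printf '%s\n' "$listing" | grep -Eq "^[[:space:]]*$pid$daemon_re"; then
        echo running; return 0
    fi
    # fwd died and left its PID file behind: bounce it (fwstop ; fwstart).
    echo stale; return 2
}

# Production invocation (not run here):
#   fwd_status "$FWDIR/tmp/fwd.pid" "$(ps -e -o pid= -o comm=)"
```

A "stale" or "missing" result means fwd is not serving port 256, so the policy load cannot succeed until fwd is restarted; "running" points you back at the workstation object's IP address or at a policy blocking the management console.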


Copyright © 2000 lokesh. All Rights Reserved