
New Checkpoint


vallan (Technical User), Aug 13, 2002
I have in my environment

LAN - 1.1.1.0/24
DMZ - 2.2.2.0/24
Internet - 3.3.3.0/24

On the card on my fw, I have configured

E01 – 1.1.1.32
E02 – 2.2.2.32
E03 – 3.3.3.32

The cards are connected to the switch in different vlans.

I also have servers in the DMZ

MailServer 2.2.2.10/24. The actual address is 1.1.1.34/24 on the LAN.
ProxyServer 2.2.2.20/24

Questions

1. How do I get my users to get to the servers in the DMZ zone?
2. Do I NAT the 2.2.2.2 in the DMZ to the 1.1.1.34 on the LAN for the Mail Server?
3. In my rule base, what services do I select to allow my users to use the proxy? Do I need to put the proxy in the DMZ?

Thanks for your help
 
1. Set up a network object - type network for the LAN

create network objects - type Node for each of the servers in the DMZ

Create rules
Mail
Source - LanNetwork
Destination - Mailserver
Service - SMTP or POP3 or whatever you use
Action - Accept
Track - Log
+
Source - mailserver
Destination - any
Service - SMTP
Action - Accept
Track - Log
(allows mail server to send - assuming you use smtp)
+
Source - any
Destination - Mailserver
Service - SMTP
Action - Accept
Track - Log
(Allows mail server to receive - assuming using smtp)

Proxy
Source - LanNetwork
Destination - Proxy
Service - HTTP, HTTPS, FTP, ....... what you want to allow
Action - Accept
Track - Log
+
Source - proxy
Destination - Any
Service - HTTP, HTTPS, FTP, .......what you want to allow
Action - Accept
Track - Log


2. On the PCs set the default gateway to the firewall (or create a static route to the 2.2.2.0 network on each PC).

3. If you have the browsers set to use the proxy for all services, then only have the services you want to allow.
Best to start with a restricted list and add services when they are needed rather than add a load at the start, some of which will never be used.


(This will allow all machines in the LAN to use the rules below. If you want to restrict to only the PCs, you will need to find a network subnet that only includes the PCs, or set up a group object, create nodes for all the PCs and place them in the group.)
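The rule base from the answer above, modelled as a first-match evaluator so the expected accepts and drops can be checked before the policy is pushed. This is an added example, not Check Point configuration from the thread: the object names, the protocol/port mapping of each service, the implicit cleanup (drop) rule and the probe addresses 1.1.1.50 and 3.3.3.7 are assumptions constructed for illustration.

```python
"""Model of the rule base given in the answer: first-match evaluation
with an implicit cleanup (drop) rule at the end.

Added example, not a Check Point policy export. Object names, the
protocol/port mapping of each service and the probe addresses are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects: the LAN as a network object, DMZ servers as node objects.
OBJECTS = {
    "LanNetwork": [ip_network("1.1.1.0/24")],
    "Mailserver": [ip_network("2.2.2.10/32")],
    "Proxy": [ip_network("2.2.2.20/32")],
    "Any": [ip_network("0.0.0.0/0")],
}

# Services as sets of (protocol, destination port); None means any service.
SERVICES = {
    "SMTP": {("tcp", 25)},
    "POP3": {("tcp", 110)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "FTP": {("tcp", 21)},
    "Any": None,
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    services: tuple
    action: str = "Accept"


# The rules from the answer, in the order given, followed by the cleanup rule
# (anything no explicit rule accepts is dropped).
RULEBASE = [
    Rule("mail-from-lan", "LanNetwork", "Mailserver", ("SMTP", "POP3")),
    Rule("mail-out", "Mailserver", "Any", ("SMTP",)),
    Rule("mail-in", "Any", "Mailserver", ("SMTP",)),
    Rule("proxy-from-lan", "LanNetwork", "Proxy", ("HTTP", "HTTPS", "FTP")),
    Rule("proxy-out", "Proxy", "Any", ("HTTP", "HTTPS", "FTP")),
    Rule("cleanup", "Any", "Any", ("Any",), action="Drop"),
]


def _in_object(addr, obj_name):
    ip = ip_address(addr)
    return any(ip in net for net in OBJECTS[obj_name])


def _service_matches(svc_name, proto, dport):
    ports = SERVICES[svc_name]
    return ports is None or (proto, dport) in ports


def evaluate(src, dst, proto, dport):
    """Return (action, rule name) for the first rule matching one packet."""
    for rule in RULEBASE:
        if (_in_object(src, rule.src) and _in_object(dst, rule.dst)
                and any(_service_matches(s, proto, dport) for s in rule.services)):
            return rule.action, rule.name
    raise RuntimeError("cleanup rule should match everything")


def dmz_to_lan_rules(lan_host="1.1.1.50"):
    """Names of rules that let a DMZ server open connections into the LAN.

    'Any' as a destination includes the LAN, so this is the check to run
    before assuming traffic from the DMZ cannot start inbound sessions."""
    hits = set()
    for server in ("Mailserver", "Proxy"):
        src = str(OBJECTS[server][0].network_address)
        for ports in SERVICES.values():
            if ports is None:
                continue
            for proto, dport in ports:
                action, name = evaluate(src, lan_host, proto, dport)
                if action == "Accept":
                    hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for pkt in [("1.1.1.50", "2.2.2.10", "tcp", 25),
                ("3.3.3.7", "2.2.2.10", "tcp", 25),
                ("3.3.3.7", "2.2.2.10", "tcp", 110),
                ("1.1.1.50", "3.3.3.7", "tcp", 80),
                ("2.2.2.20", "1.1.1.50", "tcp", 80)]:
        print(pkt, "->", evaluate(*pkt))
    print("DMZ servers can reach the LAN under:", dmz_to_lan_rules())
```

Running it shows LAN to proxy on HTTP accepted, LAN direct to the Internet on HTTP dropped (the PCs have to go through the proxy), SMTP to the mail server accepted from anywhere but POP3 only from the LAN. `dmz_to_lan_rules()` also reports `mail-out` and `proxy-out`: with `Destination - Any`, both DMZ servers can initiate connections into 1.1.1.0/24 as well as out to the Internet. If that is not intended, replace `Any` in those two rules with an object that excludes the LAN.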
 
Thank you so very much. I am grateful.

I do not want to set the default gateway to the firewall on the PCs, but I will do so on the proxy and firewall.

So if i do the following

ProxyServer 2.2.2.20, gateway 2.2.2.32, and second card 1.1.1.30. Does it need a second card with the 1.1.1.30 address?
MailServer 2.2.2.10, gateway 2.2.2.32, and second card 1.1.1.34. Does it need a second card with the 1.1.1.30 address?

And on the router/switch where the PCs are, put a default gateway of the FW
0.0.0.0 0.0.0.0 1.1.1.32 so that requests it does not know about are sent to the FW.

Also on this same router, do I create a static route to devices in the DMZ :-

2.2.2.0/24 via 2.2.2.32 so that when PCs request for the Mailserver they get sent to the FW.

Will all this be correct?

Thanks
 
Not quite following:
ProxyServer 2.2.2.20 gateway 2.2.2.32 and second card 1.1.1.30, Do they need a second card with the 1.1.1.30 addresses.
MailServer 2.2.2.10 gateway 2.2.2.32 and second card 1.1.1.34 Do they need a second card with the 1.1.1.30 addresses.

The mail server and proxy will only need one card with the DMZ addresses.


For the router, if it has the firewall as the default gateway then you don't need to add any static routes,
and yes, the PCs will get sent to the mail server via the firewall.
 
Ok Thanks

So all I need on the router is a static route to the DMZ network. Is this correct?

Thanks

 
If you have the firewall as the routers default gateway then no
but if you have another default gateway that you need to point the router at then yes.
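The routing exchange above (default route to the firewall versus a static route to the DMZ), modelled as a longest-prefix lookup with recursive next-hop resolution. This is added example code, not output from any real router; it assumes the LAN router has only a LAN interface in 1.1.1.0/24, that 1.1.1.32 is the firewall's LAN address as stated in the thread, and uses the made-up interface name `vlan-lan`.

```python
"""Model of the LAN router's forwarding decision from the thread.

Added example, not output from any real router. The router is assumed to
have a single connected interface on the LAN (1.1.1.0/24) with the
firewall's LAN address 1.1.1.32 as its default next hop; the interface
name is made up.
"""
from ipaddress import ip_address, ip_network

# Directly connected networks of the LAN router (assumption: LAN side only).
CONNECTED = {ip_network("1.1.1.0/24"): "vlan-lan"}


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop) or None if no route.

    table is a list of (ip_network, next_hop); next_hop None means connected."""
    ip = ip_address(dst)
    matches = [(p, nh) for p, nh in table if ip in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def egress(table, dst, _seen=None):
    """Resolve dst to (gateway on the wire, interface).

    A next hop that is not on a connected network is looked up recursively;
    if that chases its own tail (a static route whose next hop lies inside
    the prefix it is for) the route is unusable and None is returned."""
    if _seen is None:
        _seen = set()
    match = lookup(table, dst)
    if match is None:
        return None
    prefix, nh = match
    if nh is None:
        return dst, CONNECTED[prefix]          # directly connected, deliver to dst
    for net, iface in CONNECTED.items():
        if ip_address(nh) in net:
            return nh, iface                   # next hop is on the wire
    if nh in _seen:
        return None                            # recursive lookup loops back
    return egress(table, nh, _seen | {nh})     # resolve the next hop itself


def lan_router_table(dmz_next_hop=None):
    """Connected LAN route plus a default route to the firewall, optionally
    with the static route for 2.2.2.0/24 discussed in the thread."""
    table = [
        (ip_network("1.1.1.0/24"), None),
        (ip_network("0.0.0.0/0"), "1.1.1.32"),
    ]
    if dmz_next_hop is not None:
        table.append((ip_network("2.2.2.0/24"), dmz_next_hop))
    return table


if __name__ == "__main__":
    for label, nh in [("default route only", None),
                      ("static 2.2.2.0/24 via 1.1.1.32", "1.1.1.32"),
                      ("static 2.2.2.0/24 via 2.2.2.32", "2.2.2.32")]:
        print(label, "-> 2.2.2.10 via", egress(lan_router_table(nh), "2.2.2.10"))
```

With the firewall as the default gateway, 2.2.2.10 already resolves to 1.1.1.32 on the LAN interface, which is the answer's point that no static route is needed; a static route for 2.2.2.0/24 with next hop 1.1.1.32 gives the same result and is only useful when the router's default gateway is something else. A static route with next hop 2.2.2.32, as proposed in the question, cannot be resolved by a router with no interface in 2.2.2.0/24: the next hop lies inside the very prefix the route is for, the recursive lookup returns to the same route, and the model returns None. If a static route to the DMZ is added, its next hop must be the firewall's LAN address.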
 