
Problems Configuring New Firewall 1


chunky28 (Technical User, GB), Apr 14, 2003
Hello

We have recently purchased Check Point's (NG) VPN-1/FireWall-1 and I am responsible for installing and configuring it.

I have followed the setup instructions but I am still unable to get it working. There is one thing I am not sure of... where does the Router fit in?

This is my setup:

I have a small LAN (approx 15 boxes) which up until now has been connected to the internet using an ISDN Router (Netgear RT338).

This has been working fine.

I now have a new box (XP Professional) with 2 interface cards (Both D-Link DFE-530TX). I have installed the CheckPoint Software on this machine.

The network cable from the External Interface is plugged into the router which then plugs into the ISDN telephone point. The other Internal interface is connected to our switch, which all the other PCs in the network are connected to.

The Router, every PC and both interface cards in the Firewall machine have a fixed IP address and all are on the same subnet.

The problem is, the Firewall's external interface card (connected to the router) is shown to be unplugged when connected to the router.

Could someone please advise what I am doing wrong!!?
 
just leave as policy targets. but you have to install them onto the firewall via the menu
Policy - Install

The firewall's internal interface doesn't need a default gateway (its external interface has one and it only needs one)

The machine with the browser should have the firewall set as the default gateway (in its Network settings)

If you are using XP can the firewall connect via its browser?
 
OK thanks, done the following:

Select Policy > Install

and installed it on the firewall.

Mode selected:

Install on each selected module independently.

the result showed installation failed:

The Module Firewall cannot have a Network Address Translation rule installed on 'All', the module cannot translate its own address.

Within NAT settings for the firewall, I have the following selected:

Add Automatic Address Translation rules: Ticked
Translation Method: Hide
Hide behind Gateway
Install on Gateway: All

- I've removed the Gateway from the internal interface network settings.

- The browser machine now has 192.168.1.1 (i.e the internal interface IP address) as the default gateway.

- Yes I can browse the web from the firewall machine (xp installed).

Still can't connect with the browser machine and there is nothing in the firewall log.

Cheers
 
Believe there could be something wrong with the following settings:

ODBC (Network Object): 192.168.2.0/255.255.255.0 (on the internal side)

FIREWALL
  Internal: 192.168.1.1/255.255.0.0
      |
      +-- 192.168.0.0/255.255.0.0 (internal network)
              |
              Webbrowser: 192.168.2.1/255.255.0.0
  External: 193.195.222.232/255.255.255.240
      |
  193.195.222.224/255.255.255.240
      |
  Internet


Should the subnets for the network and my browser node be the same?

Many thanks!
 
change the subnet on the odbc to 255.255.0.0

Switch off NAT inside the firewall object (you don't need this)

on the Network object 192.168.0.0 check the NAT box and set to hide behind the firewall gateway (or if you have a spare 193.x.x.?? ip address use one of these)

you are wanting to nat the internal network and not the firewall itself
 
If I attempt to change the subnet on odbc I get:

IP address is invalid:

Based on the Net Mask you have defined, VPN-1 & Firewall-1 suggests the IP address: "192.168.0.0"

Do you want to accept the suggested IP address?

If I select yes I get the message:

There is another network [Net_192.168.0.0] with the same IP address and Netmask Are you sure you want to continue?

Not sure what to do?

Followed the other steps you suggested

Many thanks!
 
delete the odbc object and create a new one -
manage - network object - node - host

the object you have is for a network and not a node on the network.
if you have an object for the browser machine (don't need but useful) then create it the same way as the new odbc object
 
OK done as you said.

The object ODBC was created following instructions in the CheckPoint manual... it said create a network object...

Anyway, having done as you suggested I am afraid I still can't connect.

The object for the browser machine (webbrowser) was set up in this way previously.

I also tried Rules install > Firewall again but I get errors:

Rule 1 conflicts with Rule 3 for services Any
Rule 1 conflicts with Rule 2 for services Any

Rule 2 and 3 are the two you suggested, rule 1 is the rule I had in place previously.

Here are the rules:

No. 1 Source: Any
Destination: Any
VPN: Any Traffic
Service: Any
Action: Accept
Track: Log
Install on: Gateways

No. 2 Source: Any
Destination: Firewall
VPN: Any Traffic
Service: Any
Action: drop
Track: Log
Install on: Policy Targets

No. 3 Source: Any
Destination: Any
VPN: Any Traffic
Service: Any
Action: drop
Track: Log
Install on: Gateways

Thanks
 
ok the problem is in your rules.

until you can install a rulebase your firewall will block everything and not log it (as you have at the moment)

delete rule 1
create a new rule between 2 and 3

Source: internal network object
Destination: any
VPN: Any Traffic
Service: Any
Action: Accept
Track: Log
Install on: Policy Targets

this will allow your internal network to see out. (and nothing can get in)
we can restrict this to required traffic later once we have it working
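As an added illustration (not from this thread or Check Point's own code): a small Python model of first-match rulebase evaluation. It reproduces the "Rule 1 conflicts with Rule 2/3" shadowing from the poster's rulebase, shows how the corrected ordering (stealth rule, internal-out rule, catch-all) behaves, and also covers the later web server rule, whose Source/Destination must match the direction the connection originates from. The firewall, internal network and web server addresses are assumed from the thread; the outside client address in the checks is constructed.

```python
import ipaddress

ANY = "Any"
# Objects assumed from the thread (constructed; not the poster's exact configuration).
FIREWALL = ipaddress.ip_address("192.168.1.1")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
WEBSERVER = ipaddress.ip_address("192.168.2.3")

def rule(src, dst, svc, action):
    return {"src": src, "dst": dst, "svc": svc, "action": action}

def covers(obj, value):
    """True if a rule field (Any, a network or a host) includes value (host, network or Any)."""
    if obj == ANY:
        return True
    if value == ANY:          # only Any covers Any
        return False
    if isinstance(obj, ipaddress.IPv4Network):
        if isinstance(value, ipaddress.IPv4Network):
            return value.subnet_of(obj)
        return value in obj
    return obj == value

def decide(rules, src, dst, svc):
    """First matching rule wins; with no rule matched the packet is dropped (implicit drop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if covers(r["src"], src) and covers(r["dst"], dst) and r["svc"] in (ANY, svc):
            return n, r["action"]
    return None, "drop"

def conflicts(rules):
    """Pairs (i, j): earlier rule i is at least as broad as rule j, so j can never match."""
    found = []
    for i, a in enumerate(rules, 1):
        for j, b in enumerate(rules[i:], i + 1):
            if all(covers(a[f], b[f]) for f in ("src", "dst")) and a["svc"] in (ANY, b["svc"]):
                found.append((i, j))
    return found

# The poster's rulebase: rule 1 accepts everything, so rules 2 and 3 are unreachable.
ORIGINAL = [rule(ANY, ANY, ANY, "accept"),
            rule(ANY, FIREWALL, ANY, "drop"),   # stealth rule
            rule(ANY, ANY, ANY, "drop")]        # catch-all rule

# The fix: delete rule 1; internal-out and web server rules sit between stealth and catch-all.
FIXED = [rule(ANY, FIREWALL, ANY, "drop"),
         rule(INTERNAL, ANY, ANY, "accept"),
         rule(ANY, WEBSERVER, "http", "accept"),
         rule(ANY, ANY, ANY, "drop")]
```

`conflicts(ORIGINAL)` returns the two shadowed pairs the installer complained about, and `decide(FIXED, ...)` lets you check each traffic case against the new ordering before installing it.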
 
Bingo!!

I can now access the web using the browser machine!

Any further assistance to get this configured will be gratefully received. I WILL mark your posts as helpful/expert!!!!

Cheers
 
you should now be able to see in the logs what traffic is passing via your firewall.

you will possibly also see a lot of internal network traffic. later when you get a little more of a feel for what is going on you can clear this out. but for now i would stick with what you have.

if you want any internal machines to have a fixed external static ip address. (as you are needing for them to be accessed from outside the firewall) then you do this by creating a network node (as above) and using static nat for that object.

in the rules for this new object restrict access to its absolute minimum.
(always put your new rules between the stealth and catch all rules)

if you had a mail server internally but it uses NAT to give a valid IP address you would have a rule

Source: Any
Destination: mailserver object
VPN: Any Traffic
Service: smtp
Action: accept
Track: Log
Install on: Policy Targets

if you have an external server needing to communicate with an internal server you would need a rule

Source: External Oracle server object
Destination: internal server object
VPN: Any Traffic
Service: (Required services only)
Action: accept
Track: Log
Install on: Policy Targets


The best method to find what services you need the firewall to pass is to try it prior to writing the rule and see what traffic is blocked by the firewall (look at the logs)
 
Fantastic, I will attempt to set up the rest of the network tomorrow... so I may have the odd question then (hope you don't mind).

I have noticed that the web access from the browser machine is quite slow... is this normal or will it be a case of tweaking the rules?

Thanks

Charlie
 
Web access shouldn't be slow (noticeably)
check your logs and see if there is a flood of entries (it should be quiet at the moment as very little is happening)
if there is then let me know what they are.
 
Everything seems to be running ok... i.e. web access is fine and I have successfully moved 6 PCs to the internal network.

I have also tried moving two oracle machines (that can have their IP address changed) to the internal network. However I have a few problems with this. Not sure if it is an oracle problem or my network configuration.

One of the PCs has our website on it (built with oracle portal) and the other PC has the oracle database on it (web pages are stored on this).

So I moved both over and gave them the following settings:

Server:
192.168.2.3/255.255.0.0
Gateway = 192.168.1.1

Database:
192.168.2.2/255.255.0.0
Gateway = 192.168.1.1

Under NAT I set both to hide behind their existing public IP addresses i.e. 192.xxx.xxx.230 and 192.xxx.xxx.227
(each were installed on *All)

Under topology Get > Interfaces... this fails on all machines except for the first PC I joined to the network (webbrowser). Do you have any idea what this could be?

Anyway when I moved the two oracle PCs to the internal network I created the following rule to allow anyone outside the network to access our website:

Source: Webserver
Destination: Any
VPN: Any Traffic
Service: HTTP
Action: Accept
Track: Log

Can you see anything wrong with this?

From my understanding the router currently routes http requests to 192.xxx.xxx.230, I have set up the webserver machine (192.168.2.3/255.255.0.0) to hide behind this IP address. So it should be possible to access the site from outside the network...right?

(I've changed the IP address for the virtual hosts in my http (apache server) config file)

I understand it could well be an oracle configuration problem, but in terms of my network configuration does it look ok?

Many thanks.
 
i never use get topology except for the firewall (it isn't needed you just need the ip address)

if you want someone to see your internal machine (i.e. the web server) use Static NAT not Hide NAT

The rule you have is the wrong way round change to

Source: Any
Destination: webserver
VPN: Any Traffic
Service: HTTP
Action: Accept
Track: Log

as the source is where the connection is originating from
 
Thanks again.

One other thing.

I had a network printer setup on one of the Oracle machines which now sits on my external network.

For some reason I can still use this from one of the machines on my internal network but i can't from others.

Could this have something to do with my network configuration or firewall settings?

Cheers!!!
 
maybe.
try using the printer from a machine that works and look at the firewall logs.
then try from one that doesn't and look at the logs.
you will then see if it is the firewall blocking or if it is a network configuration problem
 
thanks. unfortunately I don't have access to the pc where it fails, so I'll have to look at it again on Monday.

The pc where I am able to use the network printer, used to belong to the same domain the printer server is installed on (the printer server is installed on the dc)...while the pc on which printing fails has never been part of the domain it has always belonged to a workgroup. Maybe this is why?!

Anyway thanks for the advice AGAIN!
 