sergold

asked on

Adding a NIC to current Checkpoint Firewall-1?

Hello,

Looking for the correct way to add another NIC to my current Checkpoint Firewall-1 v4.1 SP4 NT4.0 SP5 system.  I have reviewed http://www.phoneboy.com looking for a solution or help and cannot find one so I'm asking here.  I want to add a DMZ to my current firewall configuration, each time I add the new NIC and configure the rules and ensure that the firewall object has all the interfaces, the firewall ceases to seem to work (i.e. forwarding of packets).  What is the correct way to install the new NIC and get it to function?  Should I backup the config files, install the NIC, then reinstall the firewall and finally copy back over the config information?  Or is there an easier way?  Anyone else tried to do this before?

TIA,
Darren
ASKER CERTIFIED SOLUTION
Mishou

sergold

ASKER

Mishou,

Thank you for your quick reply.  I am going to try what you suggest first thing Monday morning.  I cannot do it now as the firewall is in use.  I will attempt to work on it before hours.  We do use NAT.  The Internal NIC is on our illegal IP network, the External NIC is on the Public legal IP network, and I plan to put the DMZ NIC on the 192.168.0.0 network.  I think the key will be to use a generic policy, I should have thought of this, but instead I just tried using the one I already had with the new rules added.  I will test ping everything then start the firewall and try an open basic policy.  I will let you know how it goes.

Will follow up here Monday

Sergold
Hi,
This is not directly related to your question, but I feel compelled to comment on this: you mention NT 4.0 SP5 as being the OS on which your FW-1 operates. ***You are not fully patched **** I would suggest you upgrade at the earliest to SP6A and also apply the Security Rollup Package (SRP) which fixes a lot of vulnerabilities.

Check
http://www.microsoft.com/ntserver/sp6asrp.asp
http://support.microsoft.com/support/kb/articles/q299/4/44.asp

for more details. Be sure to try this rollout on a pre-production firewall before you apply on the production firewall.

Regards,

Arvind Shyamsundar
Brainbench MVP for Internet Security
sergold

ASKER

Mishou and Arvind,

Thanks both for your help.  Great advice from both of you and I appreciate the help.  Everything both said is correct and worked great.  I still had the problem though with the DMZ not working.  I figured out the solution was to add a couple of rules in Address Translation from some help from the help list at phoneboy.com.  Because I was using NAT and hiding behind 0.0.0.0, in other words the firewall's IP address, I need to have Address Translation keep the original SRC and DEST.  Thanks for all the help and getting me on the right track of where to start.  I extensively used your pinging idea Mishou with an open rulebase to help figure this all out.  And also thanks Arvind for the note on patching, it was planned just hadn't happened yet.

-Sergold
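The fix the asker arrived at (Address Translation rules that keep the original source and destination for traffic between the internal network and the DMZ) only works because FW-1 evaluates NAT rules top-down, first match wins, so those rules have to sit above the hide rule. The following is an added example, not code from this thread or from Check Point, that models an ordered first-match NAT rulebase to show the difference between the original hide-only rulebase and the corrected one, plus a small check for Original/Original rules that a broader earlier rule shadows. The addresses are constructed: 10.0.0.0/8 stands in for the asker's "illegal" internal range, 192.168.0.0/24 is the DMZ network named in the thread, and 203.0.113.1 is a documentation-range placeholder for the firewall's external address (the thread's 0.0.0.0 means "the firewall itself" in FW-1).

```python
"""Model of an ordered, first-match NAT rulebase (how FW-1 Address Translation
rules are evaluated) showing why hiding the whole internal network behind the
firewall breaks Internal <-> DMZ traffic until Original/Original rules are
placed above the hide rule.

All addresses are constructed for this example; 203.0.113.1 is a placeholder
for the firewall's external IP."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    name: str
    src: Net
    dst: Net
    hide_behind: Optional[str]  # None means "Original/Original": no translation


INTERNAL = Net("10.0.0.0/8")        # constructed stand-in for the internal range
DMZ = Net("192.168.0.0/24")         # DMZ network from the thread
ANY = Net("0.0.0.0/0")
FW_EXTERNAL = "203.0.113.1"         # placeholder for the firewall's public address

# Rulebase as the asker first had it: one hide rule covering everything from Internal.
BROKEN = [NatRule("hide-internal", INTERNAL, ANY, FW_EXTERNAL)]

# Rulebase after the fix: Original/Original rules for Internal<->DMZ, evaluated first.
FIXED = [
    NatRule("internal-to-dmz-original", INTERNAL, DMZ, None),
    NatRule("dmz-to-internal-original", DMZ, INTERNAL, None),
    NatRule("hide-internal", INTERNAL, ANY, FW_EXTERNAL),
]

# Same rules in the wrong order: the hide rule matches first and wins.
MISORDERED = [FIXED[2], FIXED[0], FIXED[1]]


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, str]:
    """Apply the first matching rule; return (new_src, new_dst, rule_name)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            new_src = src if rule.hide_behind is None else rule.hide_behind
            return new_src, dst, rule.name
    return src, dst, "no-match"


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """List Original/Original rules that can never match because an earlier
    rule already covers their whole source and destination."""
    findings = []
    for i, later in enumerate(rules):
        if later.hide_behind is not None:
            continue
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                findings.append(f"{later.name} is shadowed by {earlier.name}")
                break
    return findings


if __name__ == "__main__":
    for label, rb in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(label, translate(rb, "10.1.2.3", "192.168.0.10"), shadowed_rules(rb))
```

With the broken rulebase an internal host talking to a DMZ server is hidden behind the firewall's address, so the DMZ side never sees the real internal address; the fixed rulebase leaves Internal to DMZ traffic untouched while Internal to Internet traffic is still hidden. The shadowing check is the kind of thing to run before pushing a policy, since a correct rule in the wrong place fails silently.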