Solved

Problem about CheckPoint 4.1

Posted on 2006-06-21
4
321 Views
Last Modified: 2013-11-16
Recently, I need to add a router in our system. Thus the following changes are required.

Old Configuration: hme0: IP - 10.12.2.10, netmask - 255.255.255.252,
                                hme1: IP - 10.12.4.126, netmask - 255.255.255.128

Old Path: public network --> CheckPoint FW 4.1 --> local network 

New Configuration: hme0: IP - 10.12.2.10, netmask - 255.255.255.252,
                                hme1: IP - 10.12.4.253, netmask - 255.255.255.192

New Path: public network--> CheckPoint FW 4.1 --> 3Com Netbuilder II router --> our computer control system
I've updated 
/etc/hosts & /etc/netmasks files to change the IP adress.
the corresponding network objects. The file under /var/opt/CPfw1-41/database/objects.C has been updated.

However, after implementing the mentioned changes, in checking the FW log, the are many messages rejected as rule 0.
 
Action -- Reject
Service -- 6218/6200
Protocol -- TCP
Rule -- 0
S_Port --  >1024
Info -- SYNDefender Warning: SYN --> SYN-Ack --> Time out
 
As my current license key was registered last year with IP 10.12.2.10 (this IP will not be changed), I think I don't need to re-install the license key again. Am I right? Do I need to install the license key again?

Do you know the cause of the message being rejected? Is there any special setting required if the FW is being connected to a 3Com Netbuilder II router directly?
Please advise. Thanks a lot.

0
Comment
Question by:cplau
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 5

Expert Comment

by:dbardbar
ID: 16958110
The license is not the issue here.

The SYNDefender is saying that it got a SYN packet, it responded with SYN-ACK packet, but no ACK packet was receieved from the client to complete the first side of the 3-way handshake. This is basicly a SYN attack.

If you are seeing this only for these two specific ports 6218/6200, then it might be some sort of trojan, trying to scan the network. But, it isn't clear why the scanner is not responding to the SYN/ACK packet sent by the FW-1.
It might have been a routing/antispoofing issue, but then the problem would appear for all sorts of ports, not just 6218 and 6200.


Have you changed the IP of the Firewall-1 object, or is it still 10.12.2.10?
Did you make the necassry changes in the Anti-Spoofing? Did you define hme1 as "Other" and put in a group of internal networks?
Do you have any connectivinty problems, apart from the SYNDefender logs?


If the messages about SYNDefender are annoying, you can turn off the logging.

And, BTW, why are you using 4.1? The current versions offers a lot more in terms of security stability and usability.
0
 

Author Comment

by:cplau
ID: 16958235
Dear dbardbar,

Before doing the mentioned changes, I do not observe these SYNDefender messages being dropped. Apart from these SYNDefender logs, my network is having a connectivity problem.

Further, I 've already udpated the Firewall-1 Object, at the intreface pages:

I changed the setting of hme1 as follows:

Old settings:
Net Address: 10.12.4.0
Network Masks: 255.255.255.128

New settings:
Net Address: 10.12.4.253
Network Masks: 255.255.255.192

Is this setting correct? I don't know why the old setting 10.12.4.0 was being used before.
Or do I need to keep the Net Address as 10.12.4.0?

In addition, there are many TIME OUT messages dropped. Do you think it is related to the speed of the network? something like full duplex, half duplex connections.

0
 
LVL 5

Accepted Solution

by:
dbardbar earned 250 total points
ID: 16958368
Your network settings don't sound quite right.

In the interfaces page, you should write the IPs of the interfaces, as they appear in ifconfig on the machine.

In the antispoofing of each interfaces you should do the following:
Create 2 network objects - 10.12.4.192/255.255.255.192 and also the network representing your local network (the one behing the 3com router).
Create a group, and put in these two network objects inside the group.

On hme0 - Choose "Other"
On hme1 - Choose "Specific", and then choose the group object which you have created.

Also, have you correctly changed the routing on the Firewall-1 machine? The FW-1 machine needs to know to route traffic to the internal network (behind the 3com router) via the router's IP.
0
 
LVL 5

Expert Comment

by:dbardbar
ID: 17006934
Does it work correctly now?
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question