Solved

Problem about CheckPoint 4.1

Posted on 2006-06-21
Last Modified: 2013-11-16
Recently, I needed to add a router to our system. Thus the following changes are required.

Old Configuration:
    hme0: IP - 10.12.2.10, netmask - 255.255.255.252
    hme1: IP - 10.12.4.126, netmask - 255.255.255.128

Old Path: public network --> CheckPoint FW 4.1 --> local network 

New Configuration:
    hme0: IP - 10.12.2.10, netmask - 255.255.255.252
    hme1: IP - 10.12.4.253, netmask - 255.255.255.192

New Path: public network --> CheckPoint FW 4.1 --> 3Com Netbuilder II router --> our computer control system

I've updated the /etc/hosts and /etc/netmasks files to change the IP address, and the corresponding network objects. The file /var/opt/CPfw1-41/database/objects.C has been updated.

However, after implementing the mentioned changes, when checking the FW log there are many messages rejected by rule 0.
 
Action -- Reject
Service -- 6218/6200
Protocol -- TCP
Rule -- 0
S_Port --  >1024
Info -- SYNDefender Warning: SYN --> SYN-Ack --> Time out
 
As my current license key was registered last year with IP 10.12.2.10 (this IP will not be changed), I think I don't need to re-install the license key again. Am I right? Do I need to install the license key again?

Do you know the cause of the message being rejected? Is there any special setting required if the FW is being connected to a 3Com Netbuilder II router directly?
Please advise. Thanks a lot.

Question by: cplau
4 Comments
Expert Comment by: dbardbar (ID: 16958110)
The license is not the issue here.

The SYNDefender is saying that it got a SYN packet, it responded with a SYN-ACK packet, but no ACK packet was received from the client to complete the first side of the 3-way handshake. This is basically a SYN attack.

If you are seeing this only for these two specific ports 6218/6200, then it might be some sort of trojan, trying to scan the network. But, it isn't clear why the scanner is not responding to the SYN/ACK packet sent by the FW-1.
It might have been a routing/antispoofing issue, but then the problem would appear for all sorts of ports, not just 6218 and 6200.


Have you changed the IP of the Firewall-1 object, or is it still 10.12.2.10?
Did you make the necessary changes in the Anti-Spoofing? Did you define hme1 as "Other" and put in a group of internal networks?
Do you have any connectivity problems, apart from the SYNDefender logs?


If the messages about SYNDefender are annoying, you can turn off the logging.

And, BTW, why are you using 4.1? The current versions offer a lot more in terms of security, stability and usability.

Author Comment by: cplau (ID: 16958235)
Dear dbardbar,

Before making the mentioned changes, I did not observe these SYNDefender messages being dropped. Apart from these SYNDefender logs, my network is having a connectivity problem.

Further, I've already updated the Firewall-1 object on the interface pages:

I changed the setting of hme1 as follows:

Old settings:
Net Address: 10.12.4.0
Network Masks: 255.255.255.128

New settings:
Net Address: 10.12.4.253
Network Masks: 255.255.255.192

Is this setting correct? I don't know why the old setting 10.12.4.0 was being used before.
Or do I need to keep the Net Address as 10.12.4.0?

In addition, there are many TIME OUT messages dropped. Do you think it is related to the speed of the network, something like full-duplex or half-duplex connections?
Accepted Solution by: dbardbar (earned 250 total points, ID: 16958368)
Your network settings don't sound quite right.

In the interfaces page, you should write the IPs of the interfaces, as they appear in ifconfig on the machine.

In the anti-spoofing settings of each interface, you should do the following:
Create 2 network objects - 10.12.4.192/255.255.255.192 and also the network representing your local network (the one behind the 3Com router).
Create a group, and put in these two network objects inside the group.

On hme0 - Choose "Other"
On hme1 - Choose "Specific", and then choose the group object which you have created.

Also, have you correctly changed the routing on the Firewall-1 machine? The FW-1 machine needs to know to route traffic to the internal network (behind the 3com router) via the router's IP.
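The subnet arithmetic behind the accepted answer and the author's "Net Address" question, as an added example that is not part of the thread: it derives the network address FW-1 expects from the hme1 IP and mask, and models the hme0 "Other" / hme1 "Specific" anti-spoofing split over constructed sample packets. The network behind the 3Com router (10.12.8.0/24) is an assumption; the thread never states it.

```python
"""Added example (not from the thread): subnet arithmetic for the
Firewall-1 interface and anti-spoofing setup discussed above."""
import ipaddress

# Interface addresses from the question (hme1 after the change).
HME0 = ipaddress.ip_interface("10.12.2.10/255.255.255.252")
HME1 = ipaddress.ip_interface("10.12.4.253/255.255.255.192")

# Network behind the 3Com router: an assumption, the thread never states it.
LOCAL_NET = ipaddress.ip_network("10.12.8.0/24")


def network_address(ip: str, mask: str) -> str:
    """Return the network address the FW-1 interface object should carry.

    The 'Net Address' field wants the subnet, not the host IP: the
    question entered 10.12.4.253, but the subnet for that mask is 10.12.4.192.
    """
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network.network_address)


def hme1_group():
    """Anti-spoofing group per the accepted answer: the hme1 subnet plus
    the network behind the router, both reachable only via hme1."""
    return [HME1.network, LOCAL_NET]


def spoof_check(iface: str, src: str) -> bool:
    """True if a packet with source `src` is legitimate on `iface`.

    hme1 is 'Specific': only sources in the group may arrive there.
    hme0 is 'Other': anything not claimed by hme1's group may arrive,
    so an internal source showing up on hme0 is a spoofing attempt.
    """
    addr = ipaddress.ip_address(src)
    inside = any(addr in net for net in hme1_group())
    if iface == "hme1":
        return inside
    if iface == "hme0":
        return not inside
    raise ValueError(f"unknown interface {iface}")


# Constructed sample packets (interface, source IP); not real FW-1 log lines.
SAMPLE = [("hme1", "10.12.4.200"), ("hme1", "10.12.8.17"),
          ("hme0", "10.12.8.17"), ("hme0", "192.0.2.5")]

if __name__ == "__main__":
    print(network_address("10.12.4.253", "255.255.255.192"))  # 10.12.4.192
    for iface, src in SAMPLE:
        print(iface, src, "ok" if spoof_check(iface, src) else "SPOOFED")
```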
Expert Comment by: dbardbar (ID: 17006934)
Does it work correctly now?