Solved

Problem about CheckPoint 4.1

Posted on 2006-06-21
Last Modified: 2013-11-16
Recently, I need to add a router in our system. Thus the following changes are required.

Old Configuration: hme0: IP - 10.12.2.10, netmask - 255.255.255.252,
                                hme1: IP - 10.12.4.126, netmask - 255.255.255.128

Old Path: public network --> CheckPoint FW 4.1 --> local network 

New Configuration: hme0: IP - 10.12.2.10, netmask - 255.255.255.252,
                                hme1: IP - 10.12.4.253, netmask - 255.255.255.192

New Path: public network--> CheckPoint FW 4.1 --> 3Com Netbuilder II router --> our computer control system
I've updated the /etc/hosts & /etc/netmasks files to change the IP address, and the corresponding network objects. The file under /var/opt/CPfw1-41/database/objects.C has been updated.

However, after implementing the mentioned changes, in checking the FW log, there are many messages rejected as rule 0.
Action -- Reject
Service -- 6218/6200
Protocol -- TCP
Rule -- 0
S_Port --  >1024
Info -- SYNDefender Warning: SYN --> SYN-Ack --> Time out
As my current license key was registered last year with IP 10.12.2.10 (this IP will not be changed), I think I don't need to re-install the license key again. Am I right? Do I need to install the license key again?

Do you know the cause of the message being rejected? Is there any special setting required if the FW is being connected to a 3Com Netbuilder II router directly?
Please advise. Thanks a lot.

Question by: cplau
4 Comments

Expert Comment

by:dbardbar
ID: 16958110
The license is not the issue here.

The SYNDefender is saying that it got a SYN packet, it responded with a SYN-ACK packet, but no ACK packet was received from the client to complete the first side of the 3-way handshake. This is basically a SYN attack.

If you are seeing this only for these two specific ports 6218/6200, then it might be some sort of trojan, trying to scan the network. But, it isn't clear why the scanner is not responding to the SYN/ACK packet sent by the FW-1.
It might have been a routing/antispoofing issue, but then the problem would appear for all sorts of ports, not just 6218 and 6200.


Have you changed the IP of the Firewall-1 object, or is it still 10.12.2.10?
Did you make the necessary changes in the Anti-Spoofing? Did you define hme1 as "Other" and put in a group of internal networks?
Do you have any connectivity problems, apart from the SYNDefender logs?


If the messages about SYNDefender are annoying, you can turn off the logging.

And, BTW, why are you using 4.1? The current versions offer a lot more in terms of security, stability and usability.

Author Comment

by:cplau
ID: 16958235
Dear dbardbar,

Before doing the mentioned changes, I did not observe these SYNDefender messages being dropped. Apart from these SYNDefender logs, my network is having a connectivity problem.

Further, I've already updated the Firewall-1 Object at the interface pages:

I changed the setting of hme1 as follows:

Old settings:
Net Address: 10.12.4.0
Network Masks: 255.255.255.128

New settings:
Net Address: 10.12.4.253
Network Masks: 255.255.255.192

Is this setting correct? I don't know why the old setting 10.12.4.0 was being used before.
Or do I need to keep the Net Address as 10.12.4.0?

In addition, there are many TIME OUT messages dropped. Do you think it is related to the speed of the network, something like full duplex / half duplex connections?


Accepted Solution

by: dbardbar (earned 250 total points)
ID: 16958368
Your network settings don't sound quite right.

In the interfaces page, you should write the IPs of the interfaces, as they appear in ifconfig on the machine.

In the antispoofing of each interface you should do the following:
Create 2 network objects - 10.12.4.192/255.255.255.192 and also the network representing your local network (the one behind the 3com router).
Create a group, and put in these two network objects inside the group.

On hme0 - Choose "Other"
On hme1 - Choose "Specific", and then choose the group object which you have created.

Also, have you correctly changed the routing on the Firewall-1 machine? The FW-1 machine needs to know to route traffic to the internal network (behind the 3com router) via the router's IP.
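To make the subnet arithmetic behind this answer concrete, here is an added example (not from the thread, and not Check Point code): it derives the network that each interface address in the question belongs to, and emulates a "Specific" anti-spoofing group for hme1. The 10.12.8.0/24 network standing in for the control-system LAN behind the 3Com router is a constructed placeholder.

```python
import ipaddress

# Interface settings quoted in the question: (interface, host IP, netmask)
HME0 = ("hme0", "10.12.2.10", "255.255.255.252")
HME1_OLD = ("hme1", "10.12.4.126", "255.255.255.128")
HME1_NEW = ("hme1", "10.12.4.253", "255.255.255.192")


def network_address(host_ip, netmask):
    """Return the network address (as a string) that host_ip/netmask belongs to."""
    net = ipaddress.IPv4Network(f"{host_ip}/{netmask}", strict=False)
    return str(net.network_address)


def is_network_address(host_ip, netmask, configured):
    """True if 'configured' is the network address for this interface, not a host address.

    With the new hme1 settings, 10.12.4.253 is a host inside 10.12.4.192/26;
    the network itself is 10.12.4.192, which is why the answer creates that object."""
    return configured == network_address(host_ip, netmask)


# Anti-spoofing table: networks that may legitimately appear as *source* addresses
# arriving on an interface set to "Specific". hme0 is left as "Other".
# 10.12.8.0/24 is a constructed placeholder for the LAN behind the 3Com router.
ANTISPOOF = {
    "hme1": [ipaddress.IPv4Network("10.12.4.192/26"),
             ipaddress.IPv4Network("10.12.8.0/24")],
}


def antispoof_allows(iface, src_ip, table=ANTISPOOF):
    """Emulate the anti-spoofing decision for a packet with src_ip entering iface.

    "Specific": the source must fall in one of that interface's networks.
    "Other" (any interface not in the table): the source is accepted unless it
    belongs to a network that is claimed by some "Specific" interface."""
    addr = ipaddress.IPv4Address(src_ip)
    if iface in table:
        return any(addr in net for net in table[iface])
    return not any(addr in net for nets in table.values() for net in nets)
```

A packet from the control-system LAN arriving on hme1 passes, while an internal address showing up on the outside interface hme0 is flagged as spoofed.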

Expert Comment

by:dbardbar
ID: 17006934
Does it work correctly now?