Solved

Problem about CheckPoint 4.1

Posted on 2006-06-21
325 Views
Last Modified: 2013-11-16
Recently, I need to add a router in our system. Thus the following changes are required.

Old Configuration: hme0: IP - 10.12.2.10, netmask - 255.255.255.252,
                                hme1: IP - 10.12.4.126, netmask - 255.255.255.128

Old Path: public network --> CheckPoint FW 4.1 --> local network 

New Configuration: hme0: IP - 10.12.2.10, netmask - 255.255.255.252,
                                hme1: IP - 10.12.4.253, netmask - 255.255.255.192

New Path: public network--> CheckPoint FW 4.1 --> 3Com Netbuilder II router --> our computer control system
I've updated the /etc/hosts and /etc/netmasks files to change the IP address, and the corresponding network objects. The file under /var/opt/CPfw1-41/database/objects.C has been updated.

However, after implementing the mentioned changes, in checking the FW log, there are many messages rejected as rule 0.
 
Action -- Reject
Service -- 6218/6200
Protocol -- TCP
Rule -- 0
S_Port --  >1024
Info -- SYNDefender Warning: SYN --> SYN-Ack --> Time out
 
As my current license key was registered last year with IP 10.12.2.10 (this IP will not be changed), I think I don't need to re-install the license key again. Am I right? Do I need to install the license key again?

Do you know the cause of the message being rejected? Is there any special setting required if the FW is being connected to a 3Com Netbuilder II router directly?
Please advise. Thanks a lot.

Question by:cplau
4 Comments
 
LVL 5

Expert Comment

by:dbardbar
ID: 16958110
The license is not the issue here.

The SYNDefender is saying that it got a SYN packet, it responded with a SYN-ACK packet, but no ACK packet was received from the client to complete the first side of the 3-way handshake. This is basically a SYN attack.

If you are seeing this only for these two specific ports 6218/6200, then it might be some sort of trojan, trying to scan the network. But, it isn't clear why the scanner is not responding to the SYN/ACK packet sent by the FW-1.
It might have been a routing/antispoofing issue, but then the problem would appear for all sorts of ports, not just 6218 and 6200.


Have you changed the IP of the Firewall-1 object, or is it still 10.12.2.10?
Did you make the necessary changes in the Anti-Spoofing? Did you define hme1 as "Other" and put in a group of internal networks?
Do you have any connectivity problems, apart from the SYNDefender logs?


If the messages about SYNDefender are annoying, you can turn off the logging.

And, BTW, why are you using 4.1? The current versions offer a lot more in terms of security, stability and usability.
 

Author Comment

by:cplau
ID: 16958235
Dear dbardbar,

Before doing the mentioned changes, I do not observe these SYNDefender messages being dropped. Apart from these SYNDefender logs, my network is having a connectivity problem.

Further, I've already updated the Firewall-1 Object, at the interface pages:

I changed the setting of hme1 as follows:

Old settings:
Net Address: 10.12.4.0
Network Masks: 255.255.255.128

New settings:
Net Address: 10.12.4.253
Network Masks: 255.255.255.192

Is this setting correct? I don't know why the old setting 10.12.4.0 was being used before.
Or do I need to keep the Net Address as 10.12.4.0?

In addition, there are many TIME OUT messages dropped. Do you think it is related to the speed of the network? Something like full duplex, half duplex connections.
 
LVL 5

Accepted Solution

by:
dbardbar earned 250 total points
ID: 16958368
Your network settings don't sound quite right.

In the interfaces page, you should write the IPs of the interfaces, as they appear in ifconfig on the machine.

In the antispoofing of each interface you should do the following:
Create 2 network objects - 10.12.4.192/255.255.255.192 and also the network representing your local network (the one behind the 3com router).
Create a group, and put in these two network objects inside the group.

On hme0 - Choose "Other"
On hme1 - Choose "Specific", and then choose the group object which you have created.

Also, have you correctly changed the routing on the Firewall-1 machine? The FW-1 machine needs to know to route traffic to the internal network (behind the 3com router) via the router's IP.
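The accepted answer and the author's earlier comment turn on one arithmetic point: the "Net Address" typed into the FW-1 object's interface page (10.12.4.253) is a host address, while anti-spoofing wants the network address that the host IP and netmask imply (10.12.4.192 for mask 255.255.255.192). The script below is an added example, not part of this thread or of Check Point's software; it derives the network from each IP/mask pair in the question, checks whether a value is a valid network address, and models the "Specific" anti-spoofing group on hme1 to show which source addresses it would accept after the change. The internal network behind the 3Com router is not given in the thread, so INTERNAL_NET_PLACEHOLDER is an assumed value.

```python
import ipaddress

# Addressing quoted in the question (old and new hme1 configuration).
OLD_HME1 = "10.12.4.126/255.255.255.128"
NEW_HME1 = "10.12.4.253/255.255.255.192"

# Value the author entered as "Net Address" on the interface page.
ENTERED_NET_ADDRESS = "10.12.4.253"
NEW_MASK = "255.255.255.192"

# Hypothetical placeholder: the network behind the 3Com router is not
# stated anywhere in the thread, so a documentation range is used here.
INTERNAL_NET_PLACEHOLDER = "192.0.2.0/24"


def network_of(ip_with_mask):
    """Return the subnet (as CIDR text) that a host IP + netmask belongs to."""
    return str(ipaddress.ip_interface(ip_with_mask).network)


def is_network_address(addr, netmask):
    """True if addr is the all-zero-host address of its subnet under netmask.

    This is the check the interface page needs: 10.12.4.253/26 fails it,
    10.12.4.192/26 passes it.
    """
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    return ipaddress.ip_address(addr) == net.network_address


def antispoof_group(*nets):
    """Model an FW-1 group object holding network objects for 'Specific' mode."""
    return [ipaddress.ip_network(n) for n in nets]


def accepted_on_interface(src_ip, group):
    """Would a packet with source src_ip be allowed in on an interface whose
    anti-spoofing is set to 'Specific' with this group?  Any source outside
    the group is logged as spoofed and dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in group)


def hme1_group():
    """The group the accepted answer describes: the directly attached /26
    plus the network behind the router (placeholder value here)."""
    return antispoof_group(network_of(NEW_HME1), INTERNAL_NET_PLACEHOLDER)


if __name__ == "__main__":
    print("old hme1 subnet:", network_of(OLD_HME1))
    print("new hme1 subnet:", network_of(NEW_HME1))
    print("entered value is a network address:",
          is_network_address(ENTERED_NET_ADDRESS, NEW_MASK))
    group = hme1_group()
    for src in ("10.12.4.200", "10.12.4.100", "192.0.2.10"):
        print(src, "accepted on hme1:", accepted_on_interface(src, group))
```

Note what the last loop shows: a host that still carries an address from the old 10.12.4.0/25 range (for example 10.12.4.100) falls outside the new 10.12.4.192/26 and is rejected by anti-spoofing on hme1, which is the kind of silent drop that shows up as connectivity problems and time-outs after a renumbering. When reviewing the log, sources rejected on hme1 that sit in the old range point to hosts that were not re-addressed rather than to an attack.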
 
LVL 5

Expert Comment

by:dbardbar
ID: 17006934
Does it work correctly now?