Solved

checkpoint

Posted on 2007-03-29
8
843 Views
Last Modified: 2013-11-16
hi

we are running checkpoint firewall and ISA. i want to allow my laptop to access the internet directly through the firewall and not use ISA. i have added my pc to a group on the firewall that has unlimited access and initialised the database but its still not working . any ideas why??
0
Comment
Question by:mikeleahy
  • 3
  • 3
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818098
You are just using ISA as a proxy server or as an internal firewall feeding into Checkpoint?
Have you taken removed the ie proxy settings from your laptop?
What version of ISA are you running?
Is the isa firewall client installed on your machines?
0
 

Author Comment

by:mikeleahy
ID: 18818426
isa firewall is not on the pcs
i have removed the proxy server settings from laptop
isa 2000
using isa as a proxy
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818467
Can you verify that the checkpoint box is allowing http/https from the new group you setup? Best practice would have placed a rule on the Checkpoint to only accept proxy (web-based) traffic from the ISA server IP.
I assume that the default gateway of the laptop etc points to the checkpoint internal ip address?

What do the checkpoint fw1 logs show?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:mikeleahy
ID: 18819283
yes ip gateway is the firewall internal ip

by default all http traffic from the lan is denied

group then called excluded with my laptop in it, allowing access to everything.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18819500
So when you look at the checkpoint log. Do you actually see the denied traffic appear? Which rule is denying? same rule that denies everyone else?
0
 

Expert Comment

by:donpaterson
ID: 18842224
1. You need to create an object for your laptop in the Check Point Smart Dashboard. This will include the IP address of the laptop and a name for the object.
2. Importantly - you need to set up NAT (Hide NAT will do (Automatic NAT rule)) on the laptop object that you just created.
3. You need to add a rule on the Check Point firewall to allow the services required (http) out from your laptop. This rule will include your laptop object as the source and the destiantion as any and the service as http (and maybe DNS if you use an external DNS).
3. Install the policy on the Check Point firewall in question.
4. Make sure you laptop is using the firwall as a default gateway or that your laptop has routes added to use the firewall for the traffic required.
Does this firewall have Internet access (unrestricted) so that it can access public IP addresses i.e. it's routing and access is correctly configured?
0
 

Author Comment

by:mikeleahy
ID: 18900800
hi

i have step 1 3 and 4 done . i didnt do a nat rule for the object. would this be causinig the problem . i presume that its all setup properly as an external company did it some time back
0
 

Accepted Solution

by:
donpaterson earned 50 total points
ID: 18903876
Hi Mike,
The NAT (or lack of NAT) could well cause the problem. You should be able to see the NAT settings by double clicking on the laptop object in the Check Point SmartDashboard and looking at the NAT settings. Otherwise you would need NAT set up for the entire subnet (object) on which your laptop is residing. You can do that in Check Point, NAT a whole subnet and Hide NAT the subnet behind the firewalls external IP address. Is the firewall' external IP address a public (Internet) IP adress? There are a few things that could stop your desired access. Try the SmartView Tracker to see what is blocking you access (Assuming your IP traffic requests are reaching the Check Point Firewall). The SmartView Tracker will show you which rule is blocking the traffic. You might have to turn on logging on your last rule (the cleanup rule) and maybe also the logging on implied rules (in Global Properties).
Good luck.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Radius Debug Error 16 102
Sonicwall TZ 205- Dropping Incoming E-mail as IP Spoof 13 229
Tools to detect weak WiFi routers prior connecting to it 14 137
BGP Code 12 54
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question