Solved

checkpoint

Posted on 2007-03-29
Last Modified: 2013-11-16
Hi

We are running Checkpoint firewall and ISA. I want to allow my laptop to access the internet directly through the firewall and not use ISA. I have added my PC to a group on the firewall that has unlimited access and initialised the database but it's still not working. Any ideas why?
Question by:mikeleahy
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818098
You are just using ISA as a proxy server or as an internal firewall feeding into Checkpoint?
Have you removed the IE proxy settings from your laptop?
What version of ISA are you running?
Is the ISA firewall client installed on your machines?
0
 

Author Comment

by:mikeleahy
ID: 18818426
ISA firewall is not on the PCs
I have removed the proxy server settings from laptop
ISA 2000
Using ISA as a proxy
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818467
Can you verify that the Checkpoint box is allowing http/https from the new group you set up? Best practice would have placed a rule on the Checkpoint to only accept proxy (web-based) traffic from the ISA server IP.
I assume that the default gateway of the laptop etc points to the checkpoint internal ip address?

What do the checkpoint fw1 logs show?
0
 

Author Comment

by:mikeleahy
ID: 18819283
Yes, IP gateway is the firewall internal IP

By default all http traffic from the LAN is denied

Group then called excluded with my laptop in it, allowing access to everything.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18819500
So when you look at the Checkpoint log, do you actually see the denied traffic appear? Which rule is denying? Same rule that denies everyone else?
0
 

Expert Comment

by:donpaterson
ID: 18842224
1. You need to create an object for your laptop in the Check Point Smart Dashboard. This will include the IP address of the laptop and a name for the object.
2. Importantly - you need to set up NAT (Hide NAT will do (Automatic NAT rule)) on the laptop object that you just created.
3. You need to add a rule on the Check Point firewall to allow the services required (http) out from your laptop. This rule will include your laptop object as the source and the destination as any and the service as http (and maybe DNS if you use an external DNS).
3. Install the policy on the Check Point firewall in question.
4. Make sure your laptop is using the firewall as a default gateway or that your laptop has routes added to use the firewall for the traffic required.
Does this firewall have Internet access (unrestricted) so that it can access public IP addresses, i.e. its routing and access is correctly configured?
0
 

Author Comment

by:mikeleahy
ID: 18900800
Hi

I have step 1 3 and 4 done. I didn't do a NAT rule for the object. Would this be causing the problem? I presume that it's all set up properly as an external company did it some time back
0
 

Accepted Solution

by:
donpaterson earned 150 total points
ID: 18903876
Hi Mike,
The NAT (or lack of NAT) could well cause the problem. You should be able to see the NAT settings by double clicking on the laptop object in the Check Point SmartDashboard and looking at the NAT settings. Otherwise you would need NAT set up for the entire subnet (object) on which your laptop is residing. You can do that in Check Point, NAT a whole subnet and Hide NAT the subnet behind the firewall's external IP address. Is the firewall's external IP address a public (Internet) IP address? There are a few things that could stop your desired access. Try the SmartView Tracker to see what is blocking your access (assuming your IP traffic requests are reaching the Check Point Firewall). The SmartView Tracker will show you which rule is blocking the traffic. You might have to turn on logging on your last rule (the cleanup rule) and maybe also the logging on implied rules (in Global Properties).
Good luck.
0
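
Added example (not part of the original thread and not Check Point's own code): a small first-match rulebase model with a Hide NAT check, showing how the laptop can match an accept rule and still get no Internet access when its object has no NAT, as the accepted answer suggests. The addresses, rule names, the sample policy and the `diagnose` helper are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    number: int
    name: str
    sources: list      # hosts/networks in CIDR form, or ["any"]
    services: list     # e.g. ["http", "https"], or ["any"]
    action: str        # "accept" or "drop"

def _in(ip, nets):
    return "any" in nets or any(ip in ipaddress.ip_network(n) for n in nets)

def first_match(rulebase, src, service):
    """Return the first rule matching source and service, evaluated top-down."""
    ip = ipaddress.ip_address(src)
    for rule in rulebase:
        if _in(ip, rule.sources) and ("any" in rule.services or service in rule.services):
            return rule
    return None

def diagnose(rulebase, hide_nat, src, service):
    """Explain what happens to an outbound connection from src."""
    rule = first_match(rulebase, src, service)
    if rule is None:
        return "dropped: no rule matched (no cleanup rule?)"
    if rule.action != "accept":
        return f"dropped by rule {rule.number} ({rule.name})"
    ip = ipaddress.ip_address(src)
    if ip.is_private and not _in(ip, hide_nat):
        # Allowed by policy, but the private source address is not translated.
        return f"accepted by rule {rule.number} ({rule.name}) but not NATed: private source, replies cannot return"
    return f"accepted by rule {rule.number} ({rule.name}), source hidden behind firewall"

# Constructed sample policy modelled on the thread (all addresses are made up).
RULEBASE = [
    Rule(1, "isa-proxy-out", ["192.168.1.10/32"], ["http", "https"], "accept"),
    Rule(2, "excluded-group", ["192.168.1.50/32"], ["any"], "accept"),
    Rule(3, "lan-http-deny", ["192.168.1.0/24"], ["http", "https"], "drop"),
    Rule(4, "cleanup", ["any"], ["any"], "drop"),
]
HIDE_NAT = ["192.168.1.10/32"]   # assumption: only the ISA server object has Hide NAT

if __name__ == "__main__":
    print(diagnose(RULEBASE, HIDE_NAT, "192.168.1.50", "http"))   # laptop, no NAT
    print(diagnose(RULEBASE, HIDE_NAT + ["192.168.1.50/32"], "192.168.1.50", "http"))
    print(diagnose(RULEBASE, HIDE_NAT, "192.168.1.77", "http"))   # ordinary LAN host
```

The first case is the one a log review alone can miss: the tracker shows an accept on the laptop's rule, so the missing piece is the NAT setting on the object rather than the rulebase.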
