Solved

checkpoint

Posted on 2007-03-29
8
840 Views
Last Modified: 2013-11-16
hi

we are running checkpoint firewall and ISA. i want to allow my laptop to access the internet directly through the firewall and not use ISA. i have added my pc to a group on the firewall that has unlimited access and initialised the database but its still not working . any ideas why??
0
Comment
Question by:mikeleahy
  • 3
  • 3
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818098
You are just using ISA as a proxy server or as an internal firewall feeding into Checkpoint?
Have you taken removed the ie proxy settings from your laptop?
What version of ISA are you running?
Is the isa firewall client installed on your machines?
0
 

Author Comment

by:mikeleahy
ID: 18818426
isa firewall is not on the pcs
i have removed the proxy server settings from laptop
isa 2000
using isa as a proxy
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818467
Can you verify that the checkpoint box is allowing http/https from the new group you setup? Best practice would have placed a rule on the Checkpoint to only accept proxy (web-based) traffic from the ISA server IP.
I assume that the default gateway of the laptop etc points to the checkpoint internal ip address?

What do the checkpoint fw1 logs show?
0
 

Author Comment

by:mikeleahy
ID: 18819283
yes ip gateway is the firewall internal ip

by default all http traffic from the lan is denied

group then called excluded with my laptop in it, allowing access to everything.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18819500
So when you look at the checkpoint log. Do you actually see the denied traffic appear? Which rule is denying? same rule that denies everyone else?
0
 

Expert Comment

by:donpaterson
ID: 18842224
1. You need to create an object for your laptop in the Check Point Smart Dashboard. This will include the IP address of the laptop and a name for the object.
2. Importantly - you need to set up NAT (Hide NAT will do (Automatic NAT rule)) on the laptop object that you just created.
3. You need to add a rule on the Check Point firewall to allow the services required (http) out from your laptop. This rule will include your laptop object as the source and the destiantion as any and the service as http (and maybe DNS if you use an external DNS).
3. Install the policy on the Check Point firewall in question.
4. Make sure you laptop is using the firwall as a default gateway or that your laptop has routes added to use the firewall for the traffic required.
Does this firewall have Internet access (unrestricted) so that it can access public IP addresses i.e. it's routing and access is correctly configured?
0
 

Author Comment

by:mikeleahy
ID: 18900800
hi

i have step 1 3 and 4 done . i didnt do a nat rule for the object. would this be causinig the problem . i presume that its all setup properly as an external company did it some time back
0
 

Accepted Solution

by:
donpaterson earned 50 total points
ID: 18903876
Hi Mike,
The NAT (or lack of NAT) could well cause the problem. You should be able to see the NAT settings by double clicking on the laptop object in the Check Point SmartDashboard and looking at the NAT settings. Otherwise you would need NAT set up for the entire subnet (object) on which your laptop is residing. You can do that in Check Point, NAT a whole subnet and Hide NAT the subnet behind the firewalls external IP address. Is the firewall' external IP address a public (Internet) IP adress? There are a few things that could stop your desired access. Try the SmartView Tracker to see what is blocking you access (Assuming your IP traffic requests are reaching the Check Point Firewall). The SmartView Tracker will show you which rule is blocking the traffic. You might have to turn on logging on your last rule (the cleanup rule) and maybe also the logging on implied rules (in Global Properties).
Good luck.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSL RA VPN 7 103
Routing VLANs 5 69
Cisco iWAN 8 70
Sonicwall routing between VPNs 5 45
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now