Solved

checkpoint

Posted on 2007-03-29
8
844 Views
Last Modified: 2013-11-16
hi

we are running checkpoint firewall and ISA. i want to allow my laptop to access the internet directly through the firewall and not use ISA. i have added my pc to a group on the firewall that has unlimited access and initialised the database but its still not working . any ideas why??
0
Comment
Question by:mikeleahy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818098
You are just using ISA as a proxy server or as an internal firewall feeding into Checkpoint?
Have you taken removed the ie proxy settings from your laptop?
What version of ISA are you running?
Is the isa firewall client installed on your machines?
0
 

Author Comment

by:mikeleahy
ID: 18818426
isa firewall is not on the pcs
i have removed the proxy server settings from laptop
isa 2000
using isa as a proxy
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818467
Can you verify that the checkpoint box is allowing http/https from the new group you setup? Best practice would have placed a rule on the Checkpoint to only accept proxy (web-based) traffic from the ISA server IP.
I assume that the default gateway of the laptop etc points to the checkpoint internal ip address?

What do the checkpoint fw1 logs show?
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 

Author Comment

by:mikeleahy
ID: 18819283
yes ip gateway is the firewall internal ip

by default all http traffic from the lan is denied

group then called excluded with my laptop in it, allowing access to everything.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18819500
So when you look at the checkpoint log. Do you actually see the denied traffic appear? Which rule is denying? same rule that denies everyone else?
0
 

Expert Comment

by:donpaterson
ID: 18842224
1. You need to create an object for your laptop in the Check Point Smart Dashboard. This will include the IP address of the laptop and a name for the object.
2. Importantly - you need to set up NAT (Hide NAT will do (Automatic NAT rule)) on the laptop object that you just created.
3. You need to add a rule on the Check Point firewall to allow the services required (http) out from your laptop. This rule will include your laptop object as the source and the destiantion as any and the service as http (and maybe DNS if you use an external DNS).
3. Install the policy on the Check Point firewall in question.
4. Make sure you laptop is using the firwall as a default gateway or that your laptop has routes added to use the firewall for the traffic required.
Does this firewall have Internet access (unrestricted) so that it can access public IP addresses i.e. it's routing and access is correctly configured?
0
 

Author Comment

by:mikeleahy
ID: 18900800
hi

i have step 1 3 and 4 done . i didnt do a nat rule for the object. would this be causinig the problem . i presume that its all setup properly as an external company did it some time back
0
 

Accepted Solution

by:
donpaterson earned 50 total points
ID: 18903876
Hi Mike,
The NAT (or lack of NAT) could well cause the problem. You should be able to see the NAT settings by double clicking on the laptop object in the Check Point SmartDashboard and looking at the NAT settings. Otherwise you would need NAT set up for the entire subnet (object) on which your laptop is residing. You can do that in Check Point, NAT a whole subnet and Hide NAT the subnet behind the firewalls external IP address. Is the firewall' external IP address a public (Internet) IP adress? There are a few things that could stop your desired access. Try the SmartView Tracker to see what is blocking you access (Assuming your IP traffic requests are reaching the Check Point Firewall). The SmartView Tracker will show you which rule is blocking the traffic. You might have to turn on logging on your last rule (the cleanup rule) and maybe also the logging on implied rules (in Global Properties).
Good luck.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question