Solved

checkpoint

Posted on 2007-03-29
Last Modified: 2013-11-16
Hi,

We are running a Checkpoint firewall and ISA. I want to allow my laptop to access the internet directly through the firewall and not use ISA. I have added my PC to a group on the firewall that has unlimited access and initialised the database, but it's still not working. Any ideas why?
Question by:mikeleahy
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818098
Are you just using ISA as a proxy server, or as an internal firewall feeding into Checkpoint?
Have you removed the IE proxy settings from your laptop?
What version of ISA are you running?
Is the ISA firewall client installed on your machines?
 

Author Comment

by:mikeleahy
ID: 18818426
The ISA firewall client is not on the PCs.
I have removed the proxy server settings from the laptop.
ISA 2000.
Using ISA as a proxy.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18818467
Can you verify that the Checkpoint box is allowing http/https from the new group you set up? Best practice would have placed a rule on the Checkpoint to only accept proxy (web-based) traffic from the ISA server IP.
I assume that the default gateway of the laptop etc. points to the Checkpoint internal IP address?

What do the checkpoint fw1 logs show?
 

Author Comment

by:mikeleahy
ID: 18819283
Yes, the IP gateway is the firewall internal IP.

By default all HTTP traffic from the LAN is denied.

Then a group called "excluded", with my laptop in it, allowing access to everything.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18819500
So when you look at the Checkpoint log, do you actually see the denied traffic appear? Which rule is denying? The same rule that denies everyone else?
 

Expert Comment

by:donpaterson
ID: 18842224
1. You need to create an object for your laptop in the Check Point SmartDashboard. This will include the IP address of the laptop and a name for the object.
2. Importantly - you need to set up NAT (Hide NAT will do (Automatic NAT rule)) on the laptop object that you just created.
3. You need to add a rule on the Check Point firewall to allow the services required (http) out from your laptop. This rule will include your laptop object as the source, the destination as any and the service as http (and maybe DNS if you use an external DNS).
3. Install the policy on the Check Point firewall in question.
4. Make sure your laptop is using the firewall as a default gateway, or that your laptop has routes added to use the firewall for the traffic required.
Does this firewall have Internet access (unrestricted) so that it can access public IP addresses, i.e. its routing and access is correctly configured?
 

Author Comment

by:mikeleahy
ID: 18900800
Hi,

I have steps 1, 3 and 4 done. I didn't do a NAT rule for the object. Would this be causing the problem? I presume that it's all set up properly as an external company did it some time back.
 

Accepted Solution

by: donpaterson (earned 50 total points)
ID: 18903876
Hi Mike,

The NAT (or lack of NAT) could well cause the problem. You should be able to see the NAT settings by double-clicking on the laptop object in the Check Point SmartDashboard and looking at the NAT settings. Otherwise you would need NAT set up for the entire subnet (object) on which your laptop is residing. You can do that in Check Point: NAT a whole subnet and Hide NAT the subnet behind the firewall's external IP address. Is the firewall's external IP address a public (Internet) IP address?

There are a few things that could stop your desired access. Try the SmartView Tracker to see what is blocking your access (assuming your IP traffic requests are reaching the Check Point firewall). The SmartView Tracker will show you which rule is blocking the traffic. You might have to turn on logging on your last rule (the cleanup rule) and maybe also the logging on implied rules (in Global Properties).

Good luck.
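The steps in donpaterson's earlier comment (laptop object, allow rule, Hide NAT) and the NAT explanation in the accepted answer can be walked through in a small first-match rule base and Hide NAT model. This is an added example, not code from the thread or from Check Point; the addresses, rule names and the "excluded" membership are constructed placeholders, and "routable" simply means the source address the packet leaves with is not an RFC 1918 address.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addressing (not values from the thread).
EXTERNAL_IP = ip_address("203.0.113.10")   # firewall's external (public) address
LAN = ip_network("192.168.1.0/24")
ISA = ip_address("192.168.1.5")
LAPTOP = ip_address("192.168.1.50")         # member of the "excluded" group
OTHER_HOST = ip_address("192.168.1.77")     # a LAN host not in any allow rule
WEB = ip_address("198.51.100.7")            # constructed external web server
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def any_(_): return True
def host(ip): return lambda a: a == ip
def net(n): return lambda a: a in n

# First-match rule base: (name, src, dst, services or None for any, action).
# The cleanup rule is what SmartView Tracker reports when nothing above matches.
RULES = [
    ("isa proxy out", host(ISA), any_, {"http", "https"}, "accept"),
    ("excluded group", host(LAPTOP), any_, {"http", "https", "dns"}, "accept"),
    ("cleanup", any_, any_, None, "drop"),
]

def match_rule(src, dst, service, rules=RULES):
    """Return (rule name, action) of the first rule matching the packet."""
    for name, s, d, svc, action in rules:
        if s(src) and d(dst) and (svc is None or service in svc):
            return name, action
    return "implied drop", "drop"

def hide_nat(src, nat_table):
    """nat_table: list of (predicate, hide-behind address); first match wins."""
    for pred, behind in nat_table:
        if pred(src):
            return behind
    return src   # no NAT: the packet leaves with its private source address

def trace(src, dst, service, nat_table, rules=RULES):
    """Model one outbound packet: rule-base verdict, then NAT, then routability."""
    rule, action = match_rule(src, dst, service, rules)
    if action != "accept":
        return {"rule": rule, "action": action, "nat_src": None, "routable": False}
    nat_src = hide_nat(src, nat_table)
    routable = not any(nat_src in n for n in RFC1918)
    return {"rule": rule, "action": action, "nat_src": nat_src, "routable": routable}

if __name__ == "__main__":
    print("laptop, no NAT:       ", trace(LAPTOP, WEB, "http", []))
    print("laptop, host Hide NAT:", trace(LAPTOP, WEB, "http", [(host(LAPTOP), EXTERNAL_IP)]))
    print("laptop, subnet NAT:   ", trace(LAPTOP, WEB, "http", [(net(LAN), EXTERNAL_IP)]))
    print("other LAN host:       ", trace(OTHER_HOST, WEB, "http", []))
```

Without a NAT entry the laptop's packet passes the "excluded group" rule but leaves with a 192.168.x source, so replies never come back; adding either the per-host or the whole-subnet Hide NAT entry fixes that, while a host outside the group is still dropped by the cleanup rule.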