Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. Can I install the policy server on two firewalls for redundancy?

You can configure the policy server for high availability, but it is more complicated than simply installing the policy server on two separate firewalls. Consult the Check Point NG AI documentation for details.

2. What licensing issues should I take into account when installing a policy server?

In addition to your existing FireWall-1 licenses, the policy server requires a separate license on each firewall module on which it is installed. You also need to ensure that you have sufficient user licenses for the number of remote users that will be connecting. The user licenses are installed on the Management Module.

3. I want my salespeople to be able to log on and browse my NT domain from the field. I also want them to be notified at the same time that their NT passwords will be expiring.

See the Secure Domain Logon section in Chapter 10.

4. I have a really large network with a lot of VPN traffic to and from multiple VPN domains, and I notice frequent connection interruptions.

Check that Key exchange for subnets is enabled on the firewall workstation object, under the Advanced IKE Properties tab. Check the size of the connection table. Check gateway memory usage and processor load (fw tab -t connections -s and fw ctl pstat).
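As an added example, not taken from the book, the following shell script turns the "check the size of the connection table" step into a repeatable check: it parses the one-line summary that fw tab -t connections -s prints and warns when the table is close to its limit. The sample output is constructed and assumes the summary columns HOST, NAME, ID, #VALS, #PEAK, #SLINKS; the limit of 25000 is an assumed value that you should replace with the limit configured on your own gateway object. The fw ctl pstat output is not parsed here.

```shell
#!/bin/sh
# Added example (not from the book): report utilisation of the FireWall-1
# connection table from the summary output of "fw tab -t connections -s".

# Constructed sample of the summary output (column layout is an assumption:
# HOST NAME ID #VALS #PEAK #SLINKS). On a real gateway you would pipe the
# command itself into the functions below.
SAMPLE_FW_TAB='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                 8158 21120 23950   42240'

# conn_table_usage LIMIT
# Reads summary lines on stdin and prints "current peak percent" for the
# "connections" table, where percent is current/LIMIT. Prints nothing if
# the table line is missing.
conn_table_usage() {
    awk -v limit="$1" '
        $2 == "connections" {
            current = $4; peak = $5
            pct = int(current * 100 / limit)
            printf "%d %d %d\n", current, peak, pct
        }'
}

# conn_table_status LIMIT WARN_PCT
# Prints an OK or WARN line; exit status 0 = OK, 1 = WARN, 2 = parse error.
conn_table_status() {
    limit="$1"; warn="$2"
    usage=$(conn_table_usage "$limit")
    if [ -z "$usage" ]; then
        echo "ERROR: no connections table line found in input"
        return 2
    fi
    set -- $usage
    current="$1"; peak="$2"; pct="$3"
    if [ "$pct" -ge "$warn" ]; then
        echo "WARN connections=$current peak=$peak usage=${pct}% (limit $limit)"
        return 1
    fi
    echo "OK connections=$current peak=$peak usage=${pct}% (limit $limit)"
    return 0
}

# Demonstration run on the constructed sample; 25000 is an assumed limit.
printf '%s\n' "$SAMPLE_FW_TAB" | conn_table_status 25000 80 || :
```

The peak column is worth keeping in the report: a table that is only moderately full right now but peaked near the limit earlier is exactly the pattern that produces the intermittent interruptions the question describes.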

5. I have a number of employees who connect from the site of another company. The other company's firewall does not let IPSec traffic through. Is there any way I can let them make a VPN connection?

Yes, Visitor Mode (also called TCP Tunneling) was designed specifically for this purpose. It takes the IPSec traffic, wraps it in Hypertext Transfer Protocol (HTTP), encrypts the whole thing with Secure Sockets Layer (SSL), and sends it over port 443. It will even function through proxy servers. It works amazingly well, but at a cost: the additional overhead of HTTP and SSL on top of IPSec means that bandwidth through the tunnel will be lower and latency may be higher. In case you are wondering, Check Point's firewall can be configured to block Visitor Mode (TCP Tunneling) connections.

6. I have a single firewall, but I want to create a number of ways for users to connect in Connect mode (for example, one with IKE over TCP and Force UDP Encapsulation enabled, another with Visitor Mode, and a third with Route All Traffic enabled). When I download the topology, I am only allowed to select these options on a per-site basis. How can I provide this functionality to my users?

Look at Manage > Remote Access > Connection Profiles in SmartDashboard. You can create multiple profiles for a single site. These connection profiles will be downloaded with the topology the next time the client updates itself. Note that once you do this, the downloaded connection profiles are the only ones the user will be able to use, and all the connection profiles will be read-only. This read-only attribute removes the ability for the end user to mess it up and eases the helpdesk burden tremendously.

7. I want to use Visitor Mode, but SecurePlatform is using port 443. How can I turn off the Web interface on SecurePlatform so that Visitor Mode can function on port 443?

From the command line, execute webui disable to disable the Web interface completely, or webui enable <new port to run web server on> to move it to another port. Currently, there is no way to bind the Web server to specific IP addresses on the firewall.
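As an added example, not from the book, the following shell script is a pre-flight check for the situation in this question: before enabling Visitor Mode it parses Linux-style netstat -ln output and reports any TCP listener already bound to the port Visitor Mode needs (443 by default). The netstat lines are constructed; on a real SecurePlatform gateway you would pipe netstat -ln into the functions instead. The webui commands named in the conflict message are the ones from the answer above; the script only reports, it does not run them.

```shell
#!/bin/sh
# Added example (not from the book): find out what already listens on the
# port Visitor Mode needs before you move or disable the SecurePlatform WebUI.

# Constructed sample of "netstat -ln" output (Linux column layout).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*'

# tcp_listeners_on PORT
# Reads netstat lines on stdin and prints the local address of every TCP
# (or tcp6) listener on PORT, one per line; prints nothing if the port is free.
tcp_listeners_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # port is the last ":"-separated field
            if (a[n] == port) print $4
        }'
}

# visitor_mode_port_check PORT
# Exit 0 when PORT is free, 1 when another listener (for example the
# SecurePlatform WebUI on 443) already holds it.
visitor_mode_port_check() {
    port="$1"
    found=$(tcp_listeners_on "$port")
    if [ -n "$found" ]; then
        echo "CONFLICT: port $port already has a TCP listener on: $found"
        echo "Free it first (on SecurePlatform: webui disable, or webui enable <other port>), then enable Visitor Mode."
        return 1
    fi
    echo "OK: port $port is free for Visitor Mode"
    return 0
}

# Demonstration run on the constructed sample (reports the WebUI on 443).
printf '%s\n' "$SAMPLE_NETSTAT" | visitor_mode_port_check 443 || :
```

Run the same check again after webui disable or webui enable <new port>; it should then report the port as free, and a second run with the new WebUI port confirms the interface really moved rather than simply stopped.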





Check Point NG AI
ISBN: 735623015
Year: 2004
Pages: 149
