Re: FW1 on NT and setting the external interface

["Paul A. Henry" <controls () mediaone net>]

Alex;

    Checkpoint does not support more than one external interface.... period.

    Checkpoint scans the network on all internal interfaces for IP
addresses, if it finds more addresses behind the Firewall than provided for
in the license you get error messages indicating you have exceeded the
license limits. Their thought being that the Firewall is protecting all of
those IP addresses so they should be counted against the license.

    I have used others that license based on connections from behind the
Firewall that pass through to the external interface. Hence you can have a
huge network behind the Firewall but get by with a relatively small license.
BTW no traffic from external to internal is counted against the license,
only the traffic originating from behind the Firewall.

Paul

----- Original Message -----
From: Joe Ippolito <joe () joesnet com>
To: Alex Ho <alex () infinitum com>
Cc: Firewall-Wizards@Nfr. Net <firewall-wizards () nfr net>; Thomas Crowe
<thomas.crowe () bellsouth net>
Sent: Friday, August 20, 1999 2:41 AM
Subject: RE: FW1 on NT and setting the external interface


> > ----------
> > From: Joe Ippolito[SMTP:JOE () JOESNET COM]
> > Sent: Friday, August 20, 1999 2:41:53 AM
> > To: Alex Ho
> > Cc: Firewall-Wizards@Nfr. Net; Thomas Crowe
> > Subject: RE: FW1 on NT and setting the external interface
> > Auto forwarded by a Rule
> You will have to take the mutiple external interface issue up with Check
> Point.  I don't believe it will consider more than one as external.  As
for
> the concurrent sessions - I don't believe this is true.  I have seen it
log
> anything going by an internal interface even if it did not go through the
> firewall.  I believe it puts the interfaces in promiscuous mode and
> remembers any address it can pick up - broadcasts give them away every
time.
> The only way I have seen to circumvent their license checker is to isolate
> it with another firewall, proxy or router with access lists.  But, what's
> the point in having it then?  I guess Check Point does not trust anybody,
> not even their customers.  But then if they were like MS, they probably
> would not have any competition.
>
> -----Original Message-----
> From: owner-firewall-wizards () lists nfr net
> [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Alex Ho
> Sent: Wednesday, August 18, 1999 6:54 AM
> To: Thomas Crowe
> Cc: Firewall-Wizards@Nfr. Net
> Subject: Re: FW1 on NT and setting the external interface
>
>
> Hi
>
> On Tue, 17 Aug 1999, Thomas Crowe wrote:
> > interface set. However when I create and edit the external.if in
> $FWDIR/conf
> > I still get the same problem.  I have tried all of the following formats
> for
> > naming the interface:  The NT name (Cpqnet01), the FW bound name
> > (FW-Cpqnet01), the name assigned to it in the gateway properties
> (External),
> > I believe I even tried the IP address. All to no avail.  Another part of
>
> On the Windows NT command prompt, type "ipconfig"
> It will say Ethernet Adapter XXX, where XXX is the interface name.
>
>
> > this is that I ma protecting my internal LAN from multiple external
> > wans/lans so how do I also assign multiple external interfaces in the
> > external.if
>
> FW-1 license is based on the number of concurrent assesses, so it doesnt
> matter if your internal number of accesses is less than the license
> allowed.
>
>
> Regards
> Alex
>
> INFINITUM Singapore Pte Ltd
> > alex () infinitum com            > http://www.infinitum.com
> > singapore > voice 65-3236360  > fax  65-3236390