Help Checkpoint Firewall-1 NGX : stream redirecting

Hello,

I'm a newbie in the Checkpoint environment.

Maybe someone can help me.

I use Checkpoint Firewall-1 NGX 6.0 and want to redirect HTTP streams to a proxy server which will perform URL filtering.

Is there a way to do so? And how can I perform such a configuration?

I guess the answer is yes because it would be a line using IP Tables.

Thank you in advance

Reply to
Anonymous

Get hold of the original NGX CDs and check the /Docs folder on CD2 (Windows/Solaris CD). In there you'll find *all* the PDFs needed to administer your system. What you're looking for is "Security Server", in particular an HTTP Security Server that will re-direct HTTP traffic using UFP (URL Filtering Protocol). Works fine, the only downside is a 10% - 15% CPU hit. *Most* Checkpoint Firewalls run at about 1% - 5% utilization, so it shouldn't be too much of a problem. Post back here if you need more help, it's hard being new to Checkpoint sometimes :)

Wayne McGlinn Brisbane, Oz

ps: NGX is also known as R60 (Release 60). At the moment, Checkpoint are up to HFA03 of R60. It helps to post questions as "I'm running NGX HFAxx" etc etc :)

Reply to
Wayne McGlinn

Hello,

Thanks for being so reactive.

I would like to have some more details. Is there a need to set a proxy for clients' web browsers? (We would like to avoid this situation.) Will this configuration even work with a transparent proxy?

TIA

Reply to
Anonymous

Did you read the documents I suggested? If not, do so now. To answer your questions: If you're already using a proxy, there's no need to do anything different. Yes, it will work with a transparent proxy. The HTTP Security Server works with HTTP; it doesn't matter whether it's from a proxy server or from a client. You should already have a rule that only allows HTTP/HTTPS/FTP traffic to come from your current proxy; no user should go direct.

Wayne

Reply to
Wayne

It depends on what you're trying to achieve. If you want to do simple URL blocking, it can be done with the built-in HTTP security server, but the recommended limit of URLs is 50 or so because it gets too hard to manage.

Check Point has CVP (content vectoring protocol) that will divert traffic from the firewall off to a separate box for filtering and then take it back. See

formatting link
I don't know of anyone who wholeheartedly endorses this method, though.

The very best method is to use a separate caching proxy server. It has the advantages of dramatically reducing your Internet line loading (a 35% reduction at my company), dramatically reducing the number of connections the firewall has to track and far better management because that's what it was designed to do. The caching part saved us $12,000 a year for three years because we did not have to put in a second Internet line. We were running 95% - 100% of capacity before we put the proxy in and barely 60% afterwards.

Content filtering is very CPU and memory intensive to keep from having speed problems. I run Microsoft's ISA server behind Check Point. The ISA server is a dual 1.2 GHz processor box with 1.2 GB of RAM and it runs very high loading for 1,200 users. The firewall itself is a 700 MHz single processor with 1 GB of RAM and it just loafs along even though we're running almost all SmartDefense checks.

Ray

Reply to
JJ

You're correct, he won't need to do anything like changing proxy settings in the browser, provided he uses UFP to redirect outbound HTTP requests to this URL filtering server.

However, transparent proxy will *not* work if transparent *authentication* is needed or desired (quite commonly this is the case actually). Usually these 'transparent' *authenticated* solutions authenticate against the MS AD. In order to do that, the firewall would need to be on the domain (which Check Point, wisely, doesn't recommend) or to have a UserAuthority agent on one of the AD controllers.

Reply to
Joshua Reed

Not quite. You can do the following:

  1. Go to Network Object definition and define the workstation for the LDAP machine
  2. Choose Manage Users > New Template. Name it LDAP_Template and define your LDAP user template
  3. Choose Manage > Servers > New LDAP Account Unit > Configure Properties, under the User Preferences tab. Mark the Use Default Template option and choose the template defined in step 2.
  4. Add the LDAP rule to the Rule Base
  5. Install the Security Policy.

No need at all to have the FW in the domain; as you said, it's not a good idea! When you configure the LDAP Account Unit you enter the username and password that will be used to read/compare the authentication request against the Active Directory database using those credentials.

Wayne McGlinn Brisbane, Oz

Reply to
Wayne

Not quite. ;P That wouldn't be *transparent* now would it? The user will still have to auth against AD by entering credentials, and that's different. With a UA agent, the firewall will be able to query the AD and see that a user is already auth'ed successfully against AD and authorized (by group permission) to go out to the internet...

Reply to
Joshua Reed

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.