Tek-Tips is the largest IT community on the Internet today!

TREND Interscan CVP & Nokia/Checkpoint NG FW 1

Status
Not open for further replies.

ansellrk

Technical User
Joined
Oct 24, 2002
Messages
135
Location
GB
I would like to run TREND Interscan CVP alongside a cluster of Nokia Firewalls running Checkpoint NG FW (Feature Pack 3). Has anyone else done this? Does it work well? Is there anything I should be aware of when going for it? We have recently upgraded from a Raptor Firewall to the Nokia cluster, and our existing version of Interscan TREND requires a dual proxy config to work, which we don't want to do, so CVP is really the answer... Any suggestions / advice would be welcome - Thanks.
 
This is the config we use, but we have limited it to SMTP scanning. (Be careful when setting this up: there are 2 file size limits, one in the CVP settings on the resource and one in the firewall object. Both default to 1k.)


For HTTP we found some sites were not working properly (yahoo, excite...)


For FTP you have the pain of it requiring the full download before it can do a scan, so it uses "trickle": it passes some data through unscanned (about 1k in 500) to stop the session timing out. We found this to not always work, with sessions timing out anyway. It is also very annoying, as you have no idea how long a download will take, since you are only receiving a small amount of data; then, when the whole file has been scanned, it sends the rest through. So it sits at 1% for ages, then zooms to 100% (this is an annoyance factor and not a problem).
 
When you say that you have limited it to SNMP scanning does that mean that you have disabled FTP and HTTP scanning?!
 
It is disabled in the FW1 rules, so we allow FTP and HTTP but don't use the CVP resource.
(We have other AV layers inside the firewall.)

 
If you do implement them, I found that if you don't restrict the file types (even if the restricting list is large), performance nosedives.
 