
Use Checkpoint Firewall-1 NG With External Proxy... Possible?


Gomero (IS-IT--Management, BR), Mar 22, 2005
Hi... I don't have experience with CP FW-1... I work at a Symantec partner here in Brazil, but we need to integrate a CP FW-1 NG with our http/ftp anti-virus software - Symantec Web Security. Our customer used to have CP 4.1 with WebSecurity 2.5 and they were using CVP to integrate both products; it was working fine. Now that they are on the NG version, Symantec does not support CVP anymore.

What I need to know is if I can configure CP FW-1 NG to use an external proxy for Internet connection, then I would be using the WebSecurity as a proxy filtering for http and ftp viruses.

Thanks...

Philipe Brandao
MCSA Security
Symantec SCTA
CompTIA Security+
 
Hi,

Are you sure that Web Security CVP will not integrate with VPN-1/Firewall-1 NG?
 
FW-1 NG still supports CVP, but WebSecurity 3.0 does not support CVP anymore. The latest version that supports CVP is SWS 2.5, but it was only tested with FW-1 4.1. In Symantec Enterprise Firewall, all I need to do is use an external proxy inside the configuration of my http proxy. That's exactly what I need to do with FW-1.

When I use SWS 2.5 with FW-1 NG, the SWS server consumes all the memory until the server crashes.
 
I would get away from CVP if I could. CP supports it, but it will cause your firewall to hang more than any other reason.

To get this to work you will need to ensure that all internal hosts use the proxy, and only allow access via http to the proxy at the firewall, blocking all other access to http.
All requests out to the internet will have to route through the proxy. The firewall itself does not need to know it is an AV server, just that all http (+ other internet access) has to go via the proxy.
 
Piloria,

We use that approach in some other customers, but this one is a different case.

Like I said... none of the client machines use proxy settings in their browsers, the customer has about 2500+ clients and the network is based on Novell. So it would be a lot easier if the FW-1 NG could use an external proxy for http/ftp traffic.
 
Ok Gomero, here you go:
1. Create an object on the FW that covers all the clients, i.e. Green LANs.
2. Create a rule, probably just after your management, VPN, FW rules, which allows http from Green LANs to the web proxy only, with client auth (create a users database).
3. Create a rule below it that drops http to any.

A bit of work setting it up, but it sounds as if you don't have many options.

Happy hunting.
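The two earlier suggestions (make every internal host reach the web only via the proxy, and put a "LAN -> proxy accept, LAN -> any drop" pair in the rulebase) both hinge on first-match ordering. The following is an added illustration, not code from the thread or from Check Point: a small Python model of that rulebase with constructed addresses, a first-match evaluator, and a check that reports a rule shadowed by an earlier, broader one (the mistake of putting the drop above the accept). Client Auth is simplified here as "an unauthenticated request does not match the rule and falls through"; the real product's authentication handling is richer than that.

```python
"""Model of the 'force HTTP through the proxy' rulebase discussed in the thread.
Constructed example: object names and addresses are made up, not from the site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects standing in for the "Green LANs" object and the
# Symantec Web Security proxy mentioned in the thread.
OBJECTS = {
    "Green_LANs": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
    "Web_Proxy": [ip_network("172.16.5.10/32")],
    "any": [ip_network("0.0.0.0/0")],
}


@dataclass
class Rule:
    name: str
    src: str                 # object name from OBJECTS
    dst: str
    service: str             # "http", "ftp" or "any"
    action: str              # "accept" or "drop"
    client_auth: bool = False  # only authenticated users match (simplified)


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    authenticated: bool = False


def _in_object(addr, obj):
    ip = ip_address(addr)
    return any(ip in net for net in OBJECTS[obj])


def matches(rule, pkt):
    """Does this packet hit this rule?"""
    if not _in_object(pkt.src, rule.src) or not _in_object(pkt.dst, rule.dst):
        return False
    if rule.service != "any" and rule.service != pkt.service:
        return False
    # Simplification: a Client Auth rule only applies once the user has
    # authenticated; an unauthenticated request falls through to the next rule.
    if rule.client_auth and not pkt.authenticated:
        return False
    return True


def evaluate(rulebase, pkt):
    """First-match evaluation with an implicit cleanup drop at the end."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"


def _covers(outer, inner):
    """True if every network in object `inner` lies inside object `outer`."""
    return all(any(n.subnet_of(o) for o in OBJECTS[outer]) for n in OBJECTS[inner])


def shadowed_rules(rulebase):
    """Names of rules that can never match because an earlier, unconditional
    rule already covers their source, destination and service."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if earlier.client_auth:
                continue  # unauthenticated traffic still falls past it
            if (_covers(earlier.src, rule.src) and _covers(earlier.dst, rule.dst)
                    and earlier.service in ("any", rule.service)):
                shadowed.append(rule.name)
                break
    return shadowed


# Rules 2 and 3 from the post, in the order given there.
RULEBASE = [
    Rule("http-to-proxy", "Green_LANs", "Web_Proxy", "http", "accept", client_auth=True),
    Rule("drop-other-http", "Green_LANs", "any", "http", "drop"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("10.1.2.3", "172.16.5.10", "http", authenticated=True),
        Packet("10.1.2.3", "172.16.5.10", "http"),
        Packet("10.1.2.3", "203.0.113.7", "http", authenticated=True),
    ):
        print(pkt.dst, pkt.service, "->", evaluate(RULEBASE, pkt))
    print("shadowed if reversed:", shadowed_rules(list(reversed(RULEBASE))))
```

Running `shadowed_rules` on the reversed list reports `http-to-proxy`, which is exactly the failure the "create the drop rule below it" step guards against: with the broad drop first, the proxy accept is dead and every browser is cut off.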
 
Unfortunately that is the same idea I was going for, but Gomero says it's not practical to set the proxy settings to use the proxy server.
With CVP the firewall can intercept all http traffic regardless of destination.
I am not sure how you would forward all traffic to the proxy without changing the destination address.
I'm not being much help here except stating how you used to do it.
 
Piloria,

Not quite the same, as you don't need to set any ACL on the clients' web browsers as long as they have the FW as their DG.

LANhttp->FW->proxy server accept on client auth.
LANhttp->FW->any drop.

Client browser proxy settings clear.

Don't see why it won't work, have done this before in the past.

:)

 
Problems I have: FW-1 is not the default GW on the workstations, and there is no client auth on FW-1... I was planning to put the proxy before the firewall and redirect web traffic from the router to it (don't know if their router will accept these settings).

Philipe Brandao
IT Security Consultant
Symantec SCTA - MCSA Security - CompTIA Security+
 