Monday, August 15, 2005

Q: How do I create a Checkpoint rule that filters based on source port, not destination port?

A:
I don't think you can. When you specify a "service" (destination port and protocol), you can also specify a source port for that service in the advanced properties of the service. But I don't know if you can specify "any" for the destination port, and then specify a source port. Working it...

Tuesday, August 09, 2005

Q: I'm replacing a Cisco router with a Checkpoint firewall. How do I duplicate the "ip helper" feature for DHCP?

A:
There are two places this needs to be configured. The Nokia needs to be set up, via Voyager, to help with the DHCP process. Also the Checkpoint rules need to be added to permit the DHCP traffic.

Nokia: Go into Voyager, click "config", and click "BOOTP Relay". Turn "on" the relay on the interface which will be hearing the DHCP broadcast from the clients. Apply, then under "new server" put in the IP address you will be forwarding the DHCP request to. You can add multiple servers.

Checkpoint: When a DHCP request happens, here's the mechanism. All ports are UDP:
1. The client sends a broadcast from no_ip:68 -> 255.255.255.255:67
2. The Nokia hears this and sends a unicast from client-side_interface_ip:67 -> each DHCP server:67
3. The DHCP server pings a prospective IP address to make sure it is unused.
4. The DHCP server sends the DHCP reply from DHCP_server:67 -> prospective_IP:68

Also, later on the DHCP client will periodically send a request directly to the server to renew the lease: DHCP_client:68 -> DHCP_server:67

So you need the following rules. I set up a node object for IP 255.255.255.255 and a group with the DHCP server node objects in it. We also use the network object for the network the clients are on.
1. src any; dst all-ones; srv DHCP-udp-67; accept/log. Comment: "Allow host broadcasts for DHCP to reach firewall"
2. src the firewall object and the client networks; dst DHCP servers; srv DHCP-udp-67; accept/log. Comment: "Allow firewall to send DHCP requests to DHCP servers to obtain lease for clients, and allow clients to renew lease directly with DHCP servers"
3. src DHCP servers and the firewall object; dst the network(s) on which clients are; srv DHCP-udp-68 and icmp-echo-request; accept/log. Comment: "Allow DHCP servers to ping prospective IP addresses and to send DHCP replies to hosts on protected segments"
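As an added example (not from the original post, and not Checkpoint's own tooling), here is a small first-match model of the three rules above, walked against each step of the relay exchange described in the answer. The firewall interface, DHCP server and client network addresses are constructed sample values.

```python
import ipaddress

# Constructed sample objects standing in for the Checkpoint objects in the post.
FIREWALL = "10.0.0.1"                      # assumed client-side interface of the Nokia
DHCP_SERVERS = ["10.1.1.10", "10.1.1.11"]  # assumed DHCP server group
CLIENT_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed client network object
ALL_ONES = "255.255.255.255"               # node object for the broadcast address

# Rule = (comment, src object, dst object, set of services); order matters.
RULES = [
    ("Allow host broadcasts for DHCP to reach firewall",
     "any", ALL_ONES, {("udp", 67)}),
    ("Allow firewall/clients to reach DHCP servers",
     [FIREWALL, CLIENT_NET], DHCP_SERVERS, {("udp", 67)}),
    ("Allow DHCP servers to ping and reply to protected segments",
     DHCP_SERVERS + [FIREWALL], CLIENT_NET, {("udp", 68), ("icmp", "echo-request")}),
]

def matches(addr, obj):
    """True if addr is covered by a rule object: 'any', a node, a network or a group."""
    if obj == "any":
        return True
    if isinstance(obj, list):                      # group object
        return any(matches(addr, o) for o in obj)
    if isinstance(obj, ipaddress.IPv4Network):     # network object
        return ipaddress.ip_address(addr) in obj
    return addr == obj                             # node object

def first_match(src, dst, proto, port_or_type):
    """Return the 1-based index of the first accepting rule, or None (implicit drop)."""
    for i, (_, s, d, services) in enumerate(RULES, 1):
        if matches(src, s) and matches(dst, d) and (proto, port_or_type) in services:
            return i
    return None

def check_dhcp_exchange(server="10.1.1.10", lease_ip="10.0.0.50"):
    """Walk the four relay steps plus the renewal; returns the matching rule per step."""
    steps = {
        "client broadcast":   ("0.0.0.0", ALL_ONES, "udp", 67),
        "relay to server":    (FIREWALL, server, "udp", 67),
        "server pings lease": (server, lease_ip, "icmp", "echo-request"),
        "server reply":       (server, lease_ip, "udp", 68),
        "client renews":      (lease_ip, server, "udp", 67),
    }
    return {name: first_match(*flow) for name, flow in steps.items()}

if __name__ == "__main__":
    for step, rule in check_dhcp_exchange().items():
        print(f"{step:20s} -> rule {rule}")
```

A step that comes back as None is one the rulebase would drop, which is the quickest way to spot a missing object in a rule before pushing the policy.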

Thursday, August 04, 2005

Q: How do I determine what versions of Checkpoint I am running on my management server?

A:
cpstat os

Q: How do I determine what versions of Checkpoint and IPSO I am running on my enforcement point?

A:
[admin]# fw ver -k                  ! Checkpoint FW-1
[admin]# cpshared -v                ! SVN foundation
[admin]# uname -a                   ! IPSO
[admin]# cat $FWDIR/conf/ver.txt    ! nothing much
Go into Voyager, config, manage installed packages.

Tuesday, August 02, 2005

Q: Where are the policies and objects stored on the Management server?

A:
They are all stored in the conf subdirectory of the program directory. In Checkpoint parlance, this is $FWDIR/conf/. On my Windows-based management station, the directory name is C:\WINNT\FW1\R55\CONF\.
  • objects.c - contains all the objects
  • rulebases_5_0.fws - appears to contain all of the policies and their rules