Configuring a 'CheckPoint Firewall-1' for use with PCsync
SUMMARY
I'm concerned about using PCsync on my corporate network, and want to understand PCsync's Security features. I'm also looking for information about how I can configure my CheckPoint Firewall-1 to allow PCsync to make secure connections. Can you help me?
CAUSE
See Technical Document 303, Using PCsync in a Secure Environment, for more information.
SOLUTION
Currently there is no proxy or stateful inspection mechanism for PCsync. Access is allowed by opening TCP ports 80, 8080, 8443 and 8444 to specific hosts or the network at the discretion of the security administrator.
For sites using NAT with private address space or NAT with port multiplexing, you will be unable to allow incoming PCsync connections. Sites using NAT and mapping their internal IP addresses to valid public addresses can, if they choose, set up static mappings for particular PCsync hosts to be reached from the outside. See Technical Document 305, How to Surf up to a computer behind a Router or Firewall, for more information.
For demonstration purposes, we will be referencing the private network 192.168.100.0/24 as our internal trusted network with all filtering relative to the public Internet. Implementation is similar for any external network.
For this example, we show how to permit PCsync to the host 192.168.100.45; permitting PCsync to connect to multiple hosts or an entire network is a trivial modification. This does not imply that hosts with private addresses can actually be reached from outside the trusted network, but is a safe example to use.
CheckPoint Firewall-1 is accessed primarily through a GUI. To create a rule through the GUI, you will need to define a Network Object corresponding to the host or network you wish to allow PCsync access to, then define an access rule. Also, create the PCsync service as a TCP/IP service on ports 80, 8080, 8443 and 8444. Consult your Firewall-1 documentation for additional information.
To add an access rule:
- Log in to the Firewall-1 GUI.
- From the Edit menu, select Add Rule. Choose the desired insertion point.
- Leave the Source as Any.
- Set the destination to 192.168.100.45 (you may need to create an object for the endpoint).
- Set the Service to PCsync.
- Change the Action to Accept.
- Set any additional options as desired.
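Firewall-1 evaluates the rule base from top to bottom and applies the first rule that matches, which is why the insertion point chosen in the steps above matters. The following is an added example, not part of the original article or of Firewall-1: a simplified Python model of that first-match behavior, using the article's host and ports with a hypothetical cleanup rule and a constructed source address (203.0.113.7), that also reports rules made unreachable by an earlier rule.

```python
import ipaddress
from dataclasses import dataclass

PCSYNC_PORTS = frozenset({80, 8080, 8443, 8444})  # TCP ports listed in the article

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR; "0.0.0.0/0" models Source = Any
    dst: str          # CIDR of the destination object
    ports: frozenset  # TCP destination ports; empty set models Service = Any
    action: str       # "accept" or "drop"

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (not self.ports or port in self.ports))

def evaluate(rules, src_ip, dst_ip, port):
    """Return (rule name, action) of the first matching rule; default is drop."""
    for r in rules:
        if r.matches(src_ip, dst_ip, port):
            return r.name, r.action
    return "implicit", "drop"

def shadowed(rules):
    """Names of rules fully covered by an earlier rule, so they can never match."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(e.src))
                    and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(e.dst))
                    and (not e.ports or (r.ports and r.ports <= e.ports))):
                out.append(r.name)
                break
    return out

# Constructed rule base: the article's rule plus a hypothetical cleanup rule.
PCSYNC = Rule("pcsync", "0.0.0.0/0", "192.168.100.45/32", PCSYNC_PORTS, "accept")
CLEANUP = Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", frozenset(), "drop")
GOOD = [PCSYNC, CLEANUP]   # PCsync rule inserted above the cleanup rule
BAD = [CLEANUP, PCSYNC]    # inserted below it: the PCsync rule never matches

if __name__ == "__main__":
    for port in (8443, 22):
        print(port, evaluate(GOOD, "203.0.113.7", "192.168.100.45", port))
    print("shadowed in BAD:", shadowed(BAD))
```

Running the same check against an exported copy of your own rule order is a quick way to confirm that the new rule sits above any broader drop rule and that nothing outside the four PCsync ports reaches the host.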