About Cesar.pevezFajardo

Cesar.pevezFajardo · ‎03-08-2012

My problem is the following: I have an old check point rule that has "echo-request" and tcp-2463, that is some port used by an unknown application. I want to configure in PAN the same rule, but to do that without adding anything in the application database, I will need to create two rules, one for TCP-2463 (service) and one for PING (application). I want to have just one rule whare I can put PING and TCP-2463 together. I was thinking to create an application where I will specify the port tcp/2463 in the advanced tab. In my rule I will put this recently created application and ping in the app filed, and use "application-default" in the service field. My question is, if I do that, should I expect to have problems with the traffic, specially the one that uses TCP-2463? I made it work for unix traceroute (udp/33434-33534), but I wonder if any other unknown application will have problems if I try. I have hundreds of rules like this, and I want to economize in rules.

Cesar.pevezFajardo · ‎03-08-2012

What about communicating two VSYS internally? I have a backend and a frontend firewalls, i'm migrate them to two vsys in the same physical box. The two firewalls are communicating using a private VLAN, but now that they are going to reside in the same box I want to connect the two VSYS internally. I have the two VSYS configured to see each other, I have two external zones, configured on each vsys, I have two vritual routers, one per each vsys. In the virtual routers I have routes that were configured to send traffic between the two devices, now they have as gateway the next virtual router. I wonder if the vsys will be able to pass traffic to each other through the external vsys. Do I need to configure interfaces of some sort? DO I need a third virtual router to move packets between the two VSYS? Is my configuration going to work?

Cesar.pevezFajardo · ‎03-07-2012

I'm converting a Check Point firewall to PAN. they have multiple rules where ping and other user-defined services are participating. Can I create an app with the port of those services so I can have all in one rule? Do you see any problem wit that?

Cesar.pevezFajardo · ‎03-06-2012

Thanks Roland The problem I have is that I don't see any reference to the version of SSH in the app description. I will like to know if there is any mechanism to diferentiate v1 from v2, so I can permit only v1.

Cesar.pevezFajardo · ‎03-06-2012

Hi I have a request to filter in the firewall ssh v1. Is there any way to identify and filter ssh v1? can the firewall identify ssh v2 some way?

Cesar.pevezFajardo · ‎01-20-2012

Hi I'm converting a security policy from a Check Point device to a PAN device using the PAN converter. By default the converter sets source and destination zones as "Any". Can I use the rule like that? Is there any problem that such configuration might cause in the future or after replacing the devices? Do I need to specify zones in the rules? Please send me your comments. Thanks.

Member Since	‎03-04-2011 08:37 AM
Date Last Visited	‎01-11-2021 12:04 PM
Posts	6

Online Status	Offline
Date Last Visited	‎01-11-2021 12:04 PM

About Cesar.pevezFajardo

Re: create an application to replace a service

Re: Inter-VSYS communication using two vr's, 4.1

create an application to replace a service

Re: filter ssh v1

filter ssh v1

Re: create an application to replace a service

Re: Inter-VSYS communication using two vr's, 4.1

create an application to replace a service

Re: filter ssh v1

filter ssh v1

Using "Any" as zone for a converted policy

Network Security

Cloud Security

Security Operations

About Cesar.pevezFajardo