Re: Squid proxy and cCheckPoint port forwarding.

On Tuesday 18 January 2005 09.55, Serg Belokamen diligently divulged:
> Hi All,
>
> At my work, we are looking at deploying a Squid caching proxy to act as
> transperant proxy.  To achieve this we thought to port forward all port
> 80 traffic from the firewall to the proxy and let it take care of it.
>
> The problem here is that I couldn't find any references to CheckPoint
> being able to port forward traffic...
Hi

Port forwarding in CP is configured through the "Network Address Translation" 
Rulebase. You can add a NAT rule like 
SRC: your_internal_net
DST: any
Sevice: http
Translated SRC: Original or FW's external interface (depends on topology)
Translated DST: Proxy IP
Translated Service: Original

In this setup you would need a transparent proxy, which might make sense if 
you can't configure your internal clients to use a proxy. Depending on which 
OS your FW runs on you will have to add a static route for the proxy's IP.

But personally I'd rather have my proxy inside the FW, and keep the cache as 
close to the client as possible. But, as stated above, this will mean 
configuring your internal clients' browsers to use the proxy. You could then 
just hide-nat the proxy's IP behind the FW's external interface.

In any case, you have to add a security rule in addition to the NAT rule to 
allow the traffic out.

hth /markus

pgp8WHZWuyw9D.pgp
Description: PGP signature