Route and Network objects

Hi,

     My client has three networks: DMZ, Network A, and Network B, which sits behind another firewall. I created three zones for the said networks. The MFE firewall and DMZ need to be accessed by Network A and B.

1.) Do I need to create a static route on the firewall, or just simply create a rule that allows Network A and B to access the firewall and DMZ?

2.) How do I add static routes? What should I put in:

a.) Destination

b.) Gateway

3.) How do I add a Host in network objects? What should be in:

Host:

DNS

and do I need to create an IP address for the Host?

3 Replies
PhilM

Re: Route and Network objects

Assuming that the hosts on DMZ and Network A are using the local MFE interface IP address as their default gateway, then the only static route you should need to create on MFE is one which allows traffic to be routed back to Network B via the "other" firewall.

When creating the route the destination would be 10.0.0.0/24 and the gateway would be the external IP address of the other Firewall.

Any traffic between Network A and the DMZ shouldn't require any additional routes, as both are connected directly to MFE (just as long as MFE is either the configured default gateway or the router being used as the default gateway sends all non-local traffic to MFE).

As far as network objects are concerned, they are only really used in the access control rules. So if you want to create rules with restricted sources and/or destinations then you will need to create appropriate network object entries.

Whether you should create "Host" network objects is a different question. Host objects will obviously need access to DNS in order to forward and reverse resolve themselves to the correct IP addresses. So, success or failure is really down to how you have configured DNS and how reliable it is. Ultimately, when I was trained on this product back at version 5, I was advised to avoid using host (or domain) objects unless it was absolutely necessary to do so - use IP address objects instead.

At the end of the day (as he always said) "If DNS breaks, then everything breaks!".

-Phil.
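To make the "host object vs. IP address object" point concrete, here is a small rule-evaluation model. It is an added example, not code from the thread and not McAfee Firewall Enterprise configuration syntax; the object names, addresses, rule layout and the two stand-in resolvers are all constructed for illustration. A network or IP-address object carries its addresses directly, so a rule built on it can be evaluated without any lookup; a host object carries only a name, so the same rule depends on the resolver answering at evaluation time. What happens when it does not (deny, or skip the rule) is this example's own parameter, since the thread does not say how MFE itself behaves.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed example objects. The "type" values are this example's own
# modelling convention, not McAfee Firewall Enterprise object types.
NETWORK_OBJECTS: Dict[str, dict] = {
    "net_a":        {"type": "network", "value": "192.168.10.0/24"},
    "dmz":          {"type": "network", "value": "192.168.20.0/24"},
    "web_srv_ip":   {"type": "ipaddr",  "value": "192.168.20.10"},
    "web_srv_host": {"type": "host",    "value": "web.dmz.example"},
}

Resolver = Callable[[str], List[str]]


class ResolutionError(Exception):
    """Raised when a host object cannot be turned into addresses."""


def resolve_object(name: str, resolver: Resolver) -> List[ipaddress.IPv4Network]:
    """Expand a named object into the networks it covers.

    Network and IP-address objects are self-contained. Host objects carry
    only a DNS name, so they depend on the resolver at evaluation time.
    """
    obj = NETWORK_OBJECTS[name]
    if obj["type"] in ("network", "ipaddr"):
        return [ipaddress.ip_network(obj["value"])]
    if obj["type"] == "host":
        try:
            addrs = resolver(obj["value"])
        except OSError as exc:  # socket.gaierror is an OSError subclass
            raise ResolutionError(f"cannot resolve {obj['value']}: {exc}") from exc
        if not addrs:
            raise ResolutionError(f"no addresses for {obj['value']}")
        return [ipaddress.ip_network(a) for a in addrs]
    raise ValueError(f"unknown object type {obj['type']!r}")


def in_any(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def evaluate(rules: List[dict], src: str, dst: str, resolver: Resolver,
             on_resolution_failure: str = "deny") -> str:
    """First-match evaluation with an explicit policy for DNS failure.

    on_resolution_failure is an assumption of this example ("deny" stops
    evaluation, anything else skips the unresolvable rule); the thread only
    states that a broken DNS breaks host-object rules, not what MFE does.
    """
    for rule in rules:
        try:
            src_ok = in_any(src, resolve_object(rule["src"], resolver))
            dst_ok = in_any(dst, resolve_object(rule["dst"], resolver))
        except ResolutionError:
            if on_resolution_failure == "deny":
                return "deny"
            continue  # treat the unresolvable rule as non-matching
        if src_ok and dst_ok:
            return rule["action"]
    return "deny"  # implicit final deny


# Two policies that are meant to be equivalent: one pins the DMZ web server
# by address, the other by DNS name.
RULES_IP = [{"src": "net_a", "dst": "web_srv_ip", "action": "allow"}]
RULES_HOST = [{"src": "net_a", "dst": "web_srv_host", "action": "allow"}]


def working_dns(name: str) -> List[str]:
    # Constructed stand-in for a healthy resolver.
    return {"web.dmz.example": ["192.168.20.10"]}.get(name, [])


def broken_dns(name: str) -> List[str]:
    # Simulates the "DNS breaks" case: every lookup fails.
    raise OSError("DNS server unreachable")


if __name__ == "__main__":
    for label, resolver in (("DNS up", working_dns), ("DNS down", broken_dns)):
        print(label,
              "| IP-object rule:", evaluate(RULES_IP, "192.168.10.5", "192.168.20.10", resolver),
              "| host-object rule:", evaluate(RULES_HOST, "192.168.10.5", "192.168.20.10", resolver))
```

With the resolver up both policies allow Network A to reach the web server. With the resolver down the IP-object policy is unchanged, while the host-object policy either denies the traffic or silently falls through to the implicit deny, depending on the failure policy; either way the outage in DNS becomes an outage in the firewall rule, which is the practical meaning of "if DNS breaks, then everything breaks".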

Re: Route and Network objects

Hi PhilM,

               Thank you for the reply. Additional questions.

1.) Network A and DMZ only need an ACL to allow access to both networks?

2.) The "other firewall" with Network B under it is also connected to the interface of MFE. Do I still need to create a static route or not?

mtuma

Re: Route and Network objects

Hello,

1) Yes, an ACL should be all you need here.

2) You do need a static route so that the McAfee Firewall knows how to get to Network B. The route should essentially say, to get to Network B, go to "Other Firewall"

-Matt
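The static route both replies describe ("to get to Network B, go to the other firewall") comes down to longest-prefix matching in the firewall's routing table. The following model is an added example, not code from the thread and not MFE's own routing implementation; the interface names, the MFE interface addresses, the external default gateway and the assumption that the other firewall's external address (192.168.10.254) sits on the Network A segment are all constructed for illustration. It builds the table with and without the route for 10.0.0.0/24 and shows where a packet for a Network B host is sent in each case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    interface: str


@dataclass(frozen=True)
class NextHop:
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None = deliver on the link itself


def lookup(table: List[Route], dst: str) -> Optional[NextHop]:
    """Longest-prefix match: the most specific matching route wins."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in table if d in r.destination]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r.destination.prefixlen)
    return NextHop(best.interface, best.gateway)


def connected(iface: str, cidr: str) -> Route:
    """Route that an interface address implies (no gateway needed)."""
    return Route(ipaddress.ip_interface(cidr).network, None, iface)


def static(dest: str, gw: str, table: List[Route]) -> Route:
    """Static route; the gateway must be on a directly connected network."""
    gateway = ipaddress.ip_address(gw)
    hop = lookup(table, str(gateway))
    if hop is None or hop.gateway is not None:
        raise ValueError(f"gateway {gateway} is not on a directly connected network")
    return Route(ipaddress.ip_network(dest), gateway, hop.interface)


# Constructed MFE interfaces (assumed addresses, not from the thread).
BASE: List[Route] = [
    connected("em0", "192.168.10.1/24"),  # Network A
    connected("em1", "192.168.20.1/24"),  # DMZ
    connected("em2", "203.0.113.2/30"),   # external link (assumed)
]
DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"),
                ipaddress.ip_address("203.0.113.1"), "em2")

# Table as the original poster would have it before adding any static route.
WITHOUT_ROUTE: List[Route] = BASE + [DEFAULT]

# Table after adding the route PhilM and Matt describe:
#   destination = Network B (10.0.0.0/24), gateway = other firewall's external IP.
WITH_ROUTE: List[Route] = WITHOUT_ROUTE + [static("10.0.0.0/24", "192.168.10.254", BASE)]

if __name__ == "__main__":
    for label, table in (("without static route", WITHOUT_ROUTE), ("with static route", WITH_ROUTE)):
        print(f"{label}: 10.0.0.5 -> {lookup(table, '10.0.0.5')}")
    print("A -> DMZ:", lookup(WITH_ROUTE, "192.168.20.10"))
    print("DMZ -> A:", lookup(WITH_ROUTE, "192.168.10.5"))
```

Without the route, a reply from the DMZ to a Network B host matches only the default route and is sent out the external interface towards the default gateway, so the traffic never reaches Network B even if the ACL permits it. With the route, the same packet is handed to the other firewall on the Network A segment. Traffic between Network A and the DMZ matches a connected route in both tables, which is why those two need only an ACL. The `static` helper also refuses a gateway that is not on a connected network, a check worth doing before trusting any route entry.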
