My client has 3 networks: DMZ, Network A and a Network B behind another firewall. I created three zones for the said networks. The MFE firewall and DMZ need to be accessed by Network A and B.
1.) Do I need to create a static route on the firewall, or just simply create a rule that allows Network A and B to access the firewall and DMZ?
2.) How do I add static routes? What should I put in
3.) How do I add a Host in network objects? What should be in:
And do I need to create an IP address for the Host?
Assuming that the hosts on DMZ and Network A are using the local MFE interface IP address as their default gateway, then the only static route you should need to create on MFE is one which allows traffic to be routed back to Network B via the "other" firewall.
When creating the route the destination would be 10.0.0.0/24 and the gateway would be the external IP address of the other Firewall.
Any traffic between Network A and the DMZ shouldn't require any additional routes as both are connected directly to MFE (just as long as MFE is either the configured default gateway or the router being used as the default gateway sends all non-local traffic to MFE).
As far as network objects are concerned, they are only really used in the access control rules. So if you want to create rules with restricted sources and/or destinations then you will need to create appropriate network object entries.
Whether you should create "Host" network objects is a different question. Host objects will obviously need access to DNS in order to forward and reverse resolve themselves to the correct IP addresses. So, success or failure is really down to how you have configured DNS and how reliable it is. Ultimately, when I was trained on this product back at version 5, I was advised to avoid using host (or domain) objects unless it was absolutely necessary to do so - use IP address objects instead.
At the end of the day (as he always said) "If DNS breaks, then everything breaks!".
Thank you for the reply. Additional questions.
1.) Network A and DMZ only need an ACL to allow access to both networks?
2.) The "other firewall" with Network B under it is also connected to the interface of MFE. Do I still need to create a static route or not?
1) Yes, an ACL should be all you need here.
2) You do need a static route so that the McAfee Firewall knows how to get to Network B. The route should essentially say, to get to Network B, go to "Other Firewall"
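To make the two answers above concrete (why A<->DMZ needs only an ACL while B needs a static route pointing at the "other firewall"), here is a small added routing and rule-matching model. It is not McAfee code and not something either poster supplied; the addresses are assumptions chosen for illustration: DMZ 192.168.10.0/24 and Network A 192.168.20.0/24 directly on MFE interfaces, a transit link 172.16.0.0/30 between MFE (172.16.0.1) and the other firewall's external address (172.16.0.2), and Network B 10.0.0.0/24 as in the first answer. The route lookup is a longest-prefix match, and the ACL is first-match with a final deny, which is how most firewall rule sets are evaluated.

```python
"""Model of MFE's routing table and access control rules for the thread's topology.
Added example with constructed addresses; not McAfee Firewall Enterprise code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: Optional[IPv4Addr]  # None means the prefix is directly connected
    interface: str


# Assumed addressing (constructed for this example).
ROUTES = [
    Route(ipaddress.ip_network("192.168.10.0/24"), None, "dmz"),      # DMZ interface
    Route(ipaddress.ip_network("192.168.20.0/24"), None, "net_a"),    # Network A interface
    Route(ipaddress.ip_network("172.16.0.0/30"), None, "transit"),    # link to "other firewall"
    # The one static route the first answer says you need: Network B via the
    # other firewall's external IP (172.16.0.2 is an assumption).
    Route(ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_address("172.16.0.2"), "transit"),
]

# Access control rules built from network (IP address) objects, first match wins.
# Tuple form: (action, source network, destination network).
ANY = ipaddress.ip_network("0.0.0.0/0")
ACL = [
    ("allow", ipaddress.ip_network("192.168.20.0/24"), ipaddress.ip_network("192.168.10.0/24")),  # A -> DMZ
    ("allow", ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.10.0/24")),      # B -> DMZ
    ("deny", ANY, ANY),  # implicit/explicit final deny
]


def lookup(dst: str, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match; returns None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(dst: str, routes=ROUTES) -> Optional[Tuple[str, str]]:
    """(egress interface, address to ARP for). Directly connected prefixes
    deliver to the destination itself; routed prefixes deliver to the gateway."""
    route = lookup(dst, routes)
    if route is None:
        return None
    target = route.gateway if route.gateway is not None else ipaddress.ip_address(dst)
    return (route.interface, str(target))


def acl_decision(src: str, dst: str, acl=ACL) -> str:
    """First matching rule decides; the list ends in deny-any so a result is guaranteed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def forward(src: str, dst: str, routes=ROUTES, acl=ACL):
    """Combine the two checks the thread asks about: rule first, then route.
    Returns ('deny', None), ('no route', None) or ('allow', (iface, next_hop))."""
    if acl_decision(src, dst, acl) != "allow":
        return ("deny", None)
    hop = next_hop(dst, routes)
    if hop is None:
        return ("no route", None)
    return ("allow", hop)


if __name__ == "__main__":
    # A -> DMZ: allowed by ACL and directly connected, no extra route needed.
    print(forward("192.168.20.7", "192.168.10.5"))
    # B -> DMZ: allowed; the reply to B only works because of the static route.
    print(forward("10.0.0.5", "192.168.10.5"), next_hop("10.0.0.5"))
    # Same lookup with the static route removed: MFE has no idea where B is.
    print(lookup("10.0.0.5", ROUTES[:3]))
```

Running it shows the distinction the second answer draws: a DMZ or Network A destination resolves to a directly connected interface with no gateway, whereas 10.0.0.5 resolves only because of the static route and comes back as "no route" once that entry is dropped. The ACL rules refer to IP address objects rather than DNS-resolved host objects, in line with the first answer's advice.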