WG: [FW1] Meta IP - integration with fw-1
> hi,
>
> meta ip works the following way.
> 1.) every nt domain controller has a piece of software from metaip installed
> 2.) you have to enable the auditing of domain logons.
> when a user boots up his workstation he gets an ip-address from the meta-ip dhcp server, when he logs on and authenticates himself against the domain controller the little piece of meta-ip software on the dc talks to a specific service on the meta-ip dhcp server which writes an entry in an access database on it. on the checkpoint side you are now able to authenticate users and not ip addresses because the firewall is able to talk with the meta-ip dhcp server.
>
> in your case:
> 1.) no, you can't get a list of users from meta-ip
> 2.) i would define the 100 users in a deny group or something like that plus a generic user (generic here means any user that is successfully authenticated by nt and that is not defined in the firewall user database)
> 3.) now you can write a rule in which you deny the "deny-group" any access to the internet and in the following rule you can allow the generic user access to the internet.
>
> i think this will do the trick. for further or deeper information please read the document "How to configure the UAM and Firewall-1 for Single Sign-On" from the Checkpoint Support Site http://www.checkpoint.com/techsupport/index.html (Public Configuration Docs).
>
> hope that helps
>
> /wolfgang
>
> -----Original Message-----
> From: Layne Meier [SMTP:[email protected]]
> Sent: Tuesday, 24 April 2001 13:32
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Meta IP - integration with fw-1
>
> As far as I am aware, the integration of MetaIP to Firewall-1 is strictly for logging purposes. (DNS not DHCP) Normally, Firewall-1 logs the IP Addresses of inbound and outbound transactions. Integrating the dynamic DNS with DHCP will allow your users' system names to be logged to the Firewall-1 logs instead of just their IP Addresses.
>
> What you can do is use the DHCP system to make sure those users continually get an IP Address that would prevent them from getting to the Internet. You would give them a permanent reservation in DHCP, then you would need to create a couple of rules in your ruleset that would restrict both inbound and outbound access to the firewall to the IP ranges defined by your DHCP system. Then, also, their system names via the dynamic DNS would be written to the Firewall logs and you could watch them try to gain access to the Internet only to be rejected. However, unless you have specific rules in place governing system management (i.e., they could lose their jobs if they were to manually change their IP Address to an address that has Internet access).
>
> Best regards,
> Layne Meier
> Network/Internet Analyst
> Atlanta Newspapers
>
> Lior Arbel wrote:
>
> > Hello All
> > I have Meta ip Newbie Question !!!
> >
> > I need help about integration of Meta ip with Fw-1
> > i have DHCP and i want to block some users from access
> > to the Internet.
> > i have 300 users and want to block about 100 users
> > and i am thinking of buying meta ip , i have
> > checkpoint 4.1 sp3 unlimited.
> > do i need to configure on fw-1 all the 300 users or
> > the 100 users for the blocking or i can get the user
> > list from the Meta IP
> >
> > Best Regards
> > Lior Arbel

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
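
The contrast between the two replies above, as an added example that is not part of the thread and is not Check Point or Meta IP code: a simplified Python model of the user-based rules (deny group first, then the generic user) next to address-only rules built on DHCP reservations. The user names, addresses, reserved range and the behaviour of the logon table are all assumptions made for illustration.

```python
"""Simplified model of the two approaches in this thread (illustration only)."""
import ipaddress

# Constructed sample data; every name and address here is an assumption.
FIREWALL_USERS = {"bob": "deny-group"}                 # users defined on the firewall
BLOCKED_RANGE = ipaddress.ip_network("10.0.0.128/25")  # DHCP reservations for blocked users


class LogonTable:
    """Address-to-user map, updated whenever a domain logon is audited."""

    def __init__(self):
        self._by_ip = {}

    def logon(self, ip, user):
        # Assume a user holds one address at a time: drop the stale entry first.
        self._by_ip = {a: u for a, u in self._by_ip.items() if u != user}
        self._by_ip[ip] = user

    def user_at(self, ip):
        return self._by_ip.get(ip)


def decide_by_user(ip, table):
    """Rule 1: deny-group -> drop. Rule 2: generic user -> accept. Otherwise drop."""
    user = table.user_at(ip)
    if user is None:
        return "drop"      # nobody has authenticated from this address
    if FIREWALL_USERS.get(user) == "deny-group":
        return "drop"      # rule 1
    if user not in FIREWALL_USERS:
        return "accept"    # rule 2: authenticated by NT, not defined on the firewall
    return "drop"


def decide_by_address(ip):
    """Address-only ruleset: the reserved range is dropped, the rest accepted."""
    return "drop" if ipaddress.ip_address(ip) in BLOCKED_RANGE else "accept"


def demo():
    table = LogonTable()
    table.logon("10.0.0.20", "alice")
    table.logon("10.0.0.130", "bob")   # bob on his reserved address
    before = (decide_by_user("10.0.0.130", table), decide_by_address("10.0.0.130"))
    table.logon("10.0.0.40", "bob")    # bob now appears outside the reserved range
    after = (decide_by_user("10.0.0.40", table), decide_by_address("10.0.0.40"))
    return before, after
```

`demo()` returns the (user-based, address-based) decision for bob before and after his address changes; only the user-based decision stays the same.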