NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



AW: [FW1] Meta IP - integration with fw-1



hi,

meta ip works the following way:

1.) every nt domain controller has a piece of software from meta ip installed
2.) you have to enable the auditing of domain logons

when a user boots up his workstation he gets an ip address from the meta-ip
dhcp server. when he logs on and authenticates himself against the domain
controller, the little piece of meta-ip software on the dc talks to a
specific service on the meta-ip dhcp server, which writes an entry in an
access database on it. on the checkpoint side you are now able to
authenticate users and not ip addresses, because the firewall is able to talk
with the meta-ip dhcp server.

in your case:

1.) no, you can't get a list of users from meta-ip
2.) i would define the 100 users in a deny group or something like that,
    plus a generic user (generic here means any user that is successfully
    authenticated by nt and that is not defined in the firewall user
    database)
3.) now you can write a rule in which you deny the "deny-group" any access
    to the internet, and in the following rule you can allow the generic
    user access to the internet.

i think this will do the trick. for further or deeper information please
read the document "How to configure the UAM and Firewall-1 for Single
Sign-On" from the Checkpoint Support Site
http://www.checkpoint.com/techsupport/index.html (Public Configuration
Docs).

hope that helps

/wolfgang


> -----Original Message-----
> From:	Layne Meier [SMTP:[email protected]]
> Sent:	Tuesday, 24 April 2001 13:32
> To:	[email protected]
> Cc:	[email protected]
> Subject:	Re: [FW1] Meta IP - integration with fw-1
> 
> 
> As far as I am aware, the integration of MetaIP to Firewall-1 is strictly for
> logging purposes.  (DNS not DHCP)  Normally, Firewall-1 logs the IP Addresses of
> inbound and outbound transactions.  Integrating the dynamic DNS with DHCP will
> allow your users' system names to be logged to the Firewall-1 logs instead of just
> their IP Addresses.
> 
> What you can do is use the DHCP system to make sure those users continually get an
> IP Address that would prevent them from getting to the Internet.  You would give
> them a permanent reservation in DHCP, then you would need to create a couple of
> rules in your ruleset that would restrict both inbound and outbound access to the
> firewall to the IP ranges defined by your DHCP system.  Then, also, their system
> names via the dynamic DNS would be written to the Firewall logs and you could watch
> them try to gain access to the Internet only to be rejected.  However, unless you
> have specific rules in place governing system management (ie; they could lose their
> jobs if they were to manually change their IP Address to an address that has
> Internet access).
> 
> Best regards,
> Layne Meier
> Network/Internet Analyst
> Atlanta Newspapers
> 
> 
> 
> Lior Arbel wrote:
> 
> > Hello All
> > I have Meta ip Newbie Question !!!
> >
> > I need help about integration of Meta ip with Fw-1
> > i have DHCP and i want to block some users from access
> > to the Internet.
> > i have 300 users and want to block  about 100 users
> > and i am thinking of buying meta ip , i have
> > checkpoint 4.1 sp3 unlimited.
> > do i need to configure on fw-1 all the 300 users or
> > the 100 users for the blocking or i can get the user
> > list from the Meta IP
> >
> > Best Regards
> > Lior Arbel
> >
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> 
> 
> 
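
An added sketch of the setup described in the reply at the top of this page (not part of the original e-mails, and not FireWall-1 or Meta IP syntax): a Python model of the logon table and the two-rule order, using the reply's definition of the generic user. The user names, addresses, the `admins` group and the implicit drop at the end of the rulebase are constructed assumptions.

```python
# Constructed model of the two-rule setup from the reply; not FireWall-1 or Meta IP syntax.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    source: str   # a firewall group name, or GENERIC
    action: str   # "accept" or "drop"


GENERIC = "generic"  # authenticated by NT and NOT defined in the firewall user database

# Firewall user database: only users who need special handling are defined here.
FIREWALL_USERS = {"alice": {"deny-group"}, "bob": {"deny-group"}, "carol": {"admins"}}

# Rulebase in the order given in the reply: deny-group first, generic user second.
RULEBASE = [Rule(1, "deny-group", "drop"), Rule(2, GENERIC, "accept")]

# IP -> user table on the DHCP server, filled from domain-controller logon events.
LOGON_TABLE = {"10.0.0.11": "alice", "10.0.0.12": "dave", "10.0.0.13": "carol"}


def source_matches(rule, user):
    if user is None:                       # no logon recorded for this address
        return False
    if rule.source == GENERIC:
        return user not in FIREWALL_USERS  # defined users are never "generic"
    return rule.source in FIREWALL_USERS.get(user, set())


def decide(src_ip, logon_table=LOGON_TABLE, rulebase=RULEBASE):
    """Return (user, matching rule number or None, action) for an outbound connection."""
    user = logon_table.get(src_ip)
    for rule in rulebase:                  # first matching rule wins
        if source_matches(rule, user):
            return user, rule.number, rule.action
    return user, None, "drop"              # assumed implicit drop at the end of the rulebase


if __name__ == "__main__":
    for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.99"):
        print(ip, decide(ip))
```

Only the blocked users have to be defined on the firewall; everyone else is covered by the generic user. A user defined on the firewall outside the deny group (carol here) matches neither rule and needs a rule of their own.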



 
   All contents © 2004 Network Presence, LLC. All rights reserved.