AW: [FW1] Meta IP - integration with fw-1
hi,

meta ip works the following way:

1.) every nt domain controller has a piece of software from metaip installed
2.) you have to enable the auditing of domain logons.

when a user boots up his workstation he gets an ip address from the meta-ip dhcp server. when he logs on and authenticates himself against the domain controller, the little piece of meta-ip software on the dc talks to a specific service on the meta-ip dhcp server, which writes an entry in an access database on it. on the checkpoint side you are now able to authenticate users and not ip addresses because the firewall is able to talk with the meta-ip dhcp server.

in your case:

1.) no, you can't get a list of users from meta-ip
2.) i would define the 100 users in a deny group or something like that plus a generic user (generic here means any user that is successfully authenticated by nt and that is not defined in the firewall user database)
3.) now you can write a rule in which you deny the "deny-group" any access to the internet and in the following rule you can allow the generic user access to the internet.

i think this will do the trick. for further or deeper information please read the document "How to configure the UAM and Firewall-1 for Single Sign-On" from the Checkpoint Support Site http://www.checkpoint.com/techsupport/index.html (Public Configuration Docs).

hope that helps
/wolfgang

> -----Original Message-----
> From: Layne Meier [SMTP:[email protected]]
> Sent: Tuesday, 24 April 2001 13:32
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Meta IP - integration with fw-1
>
> As far as I am aware, the integration of MetaIP to Firewall-1 is strictly for
> logging purposes. (DNS not DHCP) Normally, Firewall-1 logs the IP Addresses of
> inbound and outbound transactions. Integrating the dynamic DNS with DHCP will
> allow your users' system names to be logged to the Firewall-1 logs instead of
> just their IP Addresses.
>
> What you can do is use the DHCP system to make sure those users continually
> get an IP Address that would prevent them from getting to the Internet. You
> would give them a permanent reservation in DHCP, then you would need to create
> a couple of rules in your ruleset that would restrict both inbound and outbound
> access to the firewall to the IP ranges defined by your DHCP system. Then,
> also, their system names via the dynamic DNS would be written to the Firewall
> logs and you could watch them try to gain access to the Internet only to be
> rejected. However, unless you have specific rules in place governing system
> management (i.e., they could lose their jobs if they were to manually change
> their IP Address to an address that has Internet access).
>
> Best regards,
> Layne Meier
> Network/Internet Analyst
> Atlanta Newspapers
>
> Lior Arbel wrote:
>
> > Hello All
> > I have Meta ip Newbie Question !!!
> >
> > I need help about integration of Meta ip with Fw-1
> > i have DHCP and i want to block some users from access
> > to the Internet.
> > i have 300 users and want to block about 100 users
> > and i am thinking of buying meta ip , i have
> > checkpoint 4.1 sp3 unlimited.
> > do i need to configure on fw-1 all the 300 users or
> > the 100 users for the blocking or i can get the user
> > list from the Meta IP
> >
> > Best Regards
> > Lior Arbel

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
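The approach in the top reply (the logon record ties an address to a user, then a deny-group rule is followed by a generic-user rule), sketched as an added example that is not part of the original thread and is not Meta IP or FireWall-1 code. It is a simplified model: the class, function, user and address names are all hypothetical, and the rule base is assumed to be first-match with an implicit drop.

```python
# Simplified model, constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    who: str      # a firewall group name, or "generic"
    action: str   # "accept" or "drop"

class LogonTable:
    """IP -> user map, written when the DC agent reports a domain logon."""
    def __init__(self):
        self._by_ip = {}
    def record_logon(self, ip, user):
        self._by_ip[ip] = user        # a new logon on the same address replaces the old one
    def release(self, ip):
        self._by_ip.pop(ip, None)     # lease gone: forget the binding
    def user_for(self, ip):
        return self._by_ip.get(ip)

def decide(src_ip, logons, fw_groups, rules):
    """Return the action of the first rule that matches the user behind src_ip."""
    user = logons.user_for(src_ip)
    if user is None:
        return "drop"                 # no logon recorded: no user rule can match
    in_fw_db = any(user in members for members in fw_groups.values())
    for rule in rules:
        if rule.who == "generic":
            if not in_fw_db:          # authenticated by the domain, unknown to the firewall
                return rule.action
        elif user in fw_groups.get(rule.who, ()):
            return rule.action
    return "drop"                     # implicit drop at the end of the rule base

# Constructed sample data: two blocked users; everyone else is "generic".
FW_GROUPS = {"deny-group": {"alice", "bob"}}
RULES = [Rule("deny-group", "drop"), Rule("generic", "accept")]

def demo():
    logons = LogonTable()
    logons.record_logon("10.0.0.11", "alice")
    logons.record_logon("10.0.0.12", "carol")
    before = [decide(ip, logons, FW_GROUPS, RULES)
              for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13")]
    # carol's lease ends and alice later logs on from the same address
    logons.release("10.0.0.12")
    logons.record_logon("10.0.0.12", "alice")
    after = decide("10.0.0.12", logons, FW_GROUPS, RULES)
    return before, after
```

The last case shows the difference from address-based blocking: the decision follows the logged-on user, so a blocked user stays blocked on an address that was previously allowed.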