
[FW1] Meta IP - integration with fw-1




> hi,
> 
> meta ip works the following way:
> 
> 1.) every nt domain controller has a piece of software from metaip
>     installed
> 2.) you have to enable the auditing of domain logons.
> 
> when a user boots up his workstation he gets an ip address from the
> meta-ip dhcp server. when he logs on and authenticates himself against
> the domain controller, the little piece of meta-ip software on the dc
> talks to a specific service on the meta-ip dhcp server, which writes an
> entry in an access database on it. on the checkpoint side you are now
> able to authenticate users and not ip addresses because the firewall is
> able to talk with the meta-ip dhcp server.
> 
> in your case:
> 
> 1.) no, you can't get a list of users from meta-ip
> 2.) i would define the 100 users in a deny group or something like that
>     plus a generic user (generic here means any user that is successfully
>     authenticated by nt and that is not defined in the firewall user
>     database)
> 3.) now you can write a rule in which you deny the "deny-group" any
>     access to the internet and in the following rule you can allow the
>     generic user access to the internet.
> 
> i think this will do the trick. for further or deeper information please
> read the document "How to configure the UAM and Firewall-1 for Single
> Sign-On" from the Checkpoint Support Site
> http://www.checkpoint.com/techsupport/index.html (Public Configuration
> Docs).
> 
> hope that helps
> 
> /wolfgang
> 
> 
> -----Original Message-----
> From:	Layne Meier [SMTP:[email protected]]
> Sent:	Tuesday, 24 April 2001 13:32
> To:	[email protected]
> Cc:	[email protected]
> Subject:	Re: [FW1] Meta IP - integration with fw-1
> 
> 
> As far as I am aware, the integration of MetaIP to Firewall-1 is strictly
> for logging purposes.  (DNS not DHCP)  Normally, Firewall-1 logs the IP
> Addresses of inbound and outbound transactions.  Integrating the dynamic
> DNS with DHCP will allow your users' system names to be logged to the
> Firewall-1 logs instead of just their IP Addresses.
> 
> What you can do is use the DHCP system to make sure those users
> continually get an IP Address that would prevent them from getting to the
> Internet.  You would give them a permanent reservation in DHCP, then you
> would need to create a couple of rules in your ruleset that would restrict
> both inbound and outbound access to the firewall to the IP ranges defined
> by your DHCP system.  Then, also, their system names via the dynamic DNS
> would be written to the Firewall logs and you could watch them try to gain
> access to the Internet only to be rejected.  However, unless you have
> specific rules in place governing system management (i.e., they could lose
> their jobs if they were to manually change their IP Address to an address
> that has Internet access).
> 
> Best regards,
> Layne Meier
> Network/Internet Analyst
> Atlanta Newspapers
> 
> 
> 
> Lior Arbel wrote:
> 
> > Hello All
> > I have Meta ip Newbie Question !!!
> >
> > I need help about integration of Meta ip with Fw-1
> > I have DHCP and I want to block some users from access
> > to the Internet.
> > I have 300 users and want to block about 100 users
> > and I am thinking of buying meta ip, I have
> > checkpoint 4.1 sp3 unlimited.
> > do I need to configure on fw-1 all the 300 users or
> > the 100 users for the blocking or I can get the user
> > list from the Meta IP
> >
> > Best Regards
> > Lior Arbel
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================


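
The two designs discussed in this thread, modelled as an added example that is not part of the original messages and is not Check Point or Meta IP code: first-match rules keyed on the source address (DHCP reservations) versus rules keyed on the user that a recorded domain logon maps to the address. All users, addresses, the rule format and the "no logon record means drop" behaviour are assumptions made for illustration.

```python
"""Toy model of the two designs in this thread. Users, addresses and the rule
format are constructed for illustration; this is not FW-1 or Meta IP syntax."""
from ipaddress import ip_address, ip_network

DENY_GROUP = {"alice", "bob"}              # constructed: users to block
BLOCKED_POOL = ip_network("10.0.1.0/24")   # constructed: reserved DHCP range
ALLOWED_POOL = ip_network("10.0.2.0/24")   # constructed: range with Internet access

def ip_policy(src_ip):
    """Address-based design: first-match rules on the source IP only."""
    ip = ip_address(src_ip)
    for net, action in [(BLOCKED_POOL, "drop"), (ALLOWED_POOL, "accept")]:
        if ip in net:
            return action
    return "drop"                          # nothing matched

# User-based design: deny group first, then the generic user ("*").
THREAD_ORDER = [(DENY_GROUP, "drop"), ("*", "accept")]
SWAPPED_ORDER = [("*", "accept"), (DENY_GROUP, "drop")]   # misordered on purpose

def record_logon(logons, src_ip, user):
    """Models the DC-side agent reporting 'user logged on from this address'."""
    logons[src_ip] = user

def user_policy(src_ip, logons, rules):
    """Resolve IP -> user from recorded logons, then first match on the user."""
    user = logons.get(src_ip)
    if user is None:
        return "drop"                      # assumption: no logon record, no access
    for group, action in rules:
        if group == "*" or user in group:
            return action
    return "drop"

def scenario():
    logons = {}
    record_logon(logons, "10.0.1.15", "alice")    # alice on her reserved address
    record_logon(logons, "10.0.2.20", "carol")    # carol is not in the deny group
    results = {
        "alice_reserved": (ip_policy("10.0.1.15"),
                           user_policy("10.0.1.15", logons, THREAD_ORDER)),
        "carol": user_policy("10.0.2.20", logons, THREAD_ORDER),
        "alice_swapped_rules": user_policy("10.0.1.15", logons, SWAPPED_ORDER),
    }
    # alice now logs on from a manually set address in the allowed range
    record_logon(logons, "10.0.2.99", "alice")
    results["alice_moved"] = (ip_policy("10.0.2.99"),
                              user_policy("10.0.2.99", logons, THREAD_ORDER))
    return results

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(name, verdict)
```

In this model the address-based policy follows the address and the user-based policy follows the logon record, and placing the generic-user rule ahead of the deny group makes the deny rule unreachable.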