[FW1] Meta IP - integration with fw-1
> hi,
>
> meta ip works the following way:
>
> 1.) every nt domain controller has a piece of software from meta ip
>     installed
> 2.) you have to enable the auditing of domain logons.
>
> when a user boots up his workstation he gets an ip address from the
> meta-ip dhcp server. when he logs on and authenticates himself against
> the domain controller, the little piece of meta-ip software on the dc
> talks to a specific service on the meta-ip dhcp server, which writes an
> entry in an access database on it. on the checkpoint side you are now
> able to authenticate users and not ip addresses, because the firewall is
> able to talk with the meta-ip dhcp server.
>
> in your case:
>
> 1.) no, you can't get a list of users from meta-ip
> 2.) i would define the 100 users in a deny group or something like that,
>     plus a generic user (generic here means any user that is successfully
>     authenticated by nt and that is not defined in the firewall user
>     database)
> 3.) now you can write a rule in which you deny the "deny-group" any
>     access to the internet, and in the following rule you can allow the
>     generic user access to the internet.
>
> i think this will do the trick. for further or deeper information please
> read the document "How to configure the UAM and Firewall-1 for Single
> Sign-On" from the Checkpoint Support Site
> http://www.checkpoint.com/techsupport/index.html (Public Configuration
> Docs).
>
> hope that helps
>
> /wolfgang
>
>
> -----Original Message-----
> From: Layne Meier [SMTP:[email protected]]
> Sent: Tuesday, 24 April 2001 13:32
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [FW1] Meta IP - integration with fw-1
>
>
> As far as I am aware, the integration of MetaIP to Firewall-1 is strictly
> for logging purposes. (DNS not DHCP) Normally, Firewall-1 logs the IP
> Addresses of inbound and outbound transactions. Integrating the dynamic
> DNS with DHCP will allow your users' system names to be logged to the
> Firewall-1 logs instead of just their IP Addresses.
>
> What you can do is use the DHCP system to make sure those users
> continually get an IP Address that would prevent them from getting to the
> Internet. You would give them a permanent reservation in DHCP, then you
> would need to create a couple of rules in your ruleset that would restrict
> both inbound and outbound access to the firewall to the IP ranges defined
> by your DHCP system. Then, also, their system names via the dynamic DNS
> would be written to the Firewall logs and you could watch them try to gain
> access to the Internet only to be rejected. However, unless you have
> specific rules in place governing system management (ie; they could lose
> their jobs if they were to manually change their IP Address to an address
> that has Internet access).
>
> Best regards,
> Layne Meier
> Network/Internet Analyst
> Atlanta Newspapers
>
>
>
> Lior Arbel wrote:
>
> > Hello All
> > I have Meta ip Newbie Question !!!
> >
> > I need help about integration of Meta ip with Fw-1
> > i have DHCP and i want to block some users from access
> > to the Internet.
> > i have 300 users and want to block about 100 users
> > and i am thinking of buying meta ip , i have
> > checkpoint 4.1 sp3 unlimited.
> > do i need to configure on fw-1 all the 300 users or
> > the 100 users for the blocking or i can get the user
> > list from the Meta IP
> >
> > Best Regards
> > Lior Arbel
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
>
>
>