
Re: [FW-1] Firewall-1 4.1 SP6 and Websense 4.4 - User Authentication



Hi
 
This is supposed to be fixed in NG. I am not sure which FP, but Checkpoint have stated that this is fixed. I am not sure if they have done this for UserAuth only, but it is worth testing.
 
Mark
 
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of [email protected]
Sent: Friday, October 04, 2002 8:23 PM
To: [email protected]
Subject: Re: [FW-1] Firewall-1 4.1 SP6 and Websense 4.4 - User Authentication

Brian,

There is no way that we have found to configure the FireWall to send us the user name.  Even though the field may be present, it is not used in the UFP request sent to us.  As recommended earlier, your only solution at this time is to configure Websense to do the authentication, or to shift to another Websense integration partner that can provide you this facility.

Thank you.

-----Original Message-----
From: Brian Wert [mailto:[email protected]]
Sent: Friday, October 04, 2002 6:25 AM
To: [email protected]
Subject: [FW-1] Firewall-1 4.1 SP6 and Websense 4.4 - User Authentication


All,

The environment and background
===============================================================================
I have a Client Authentication rule and a HTTP resource rule that is for
Websense in the following order

10.0.0.0            ==> Any   HTTP-Blocked sites   Reject
[email protected]  ==> Any    HTTP                Client Auth

I would like to be able to specify in Websense policies for individual
users.  I configured Websense to look at the same LDAP directory that the
firewall module authenticates against.
Within the Websense documentation, it states that Websense must do Manual
Authentication if you are using a Novell LDAP directory, which I am.

I sniffed the UFP packets going to Websense and there is a user_name field
that is passed to Websense.  It is blank in my case.
===============================================================================

My question
===============================================================================
Can I add an object with resource to my Websense rule even though it is
before the authentication rule like so?

[email protected]   ==> Any    HTTP-Blocked sites       Reject

I am hoping that this will cause the user_name field to be passed to
Websense, Websense would use that field and enforce a policy if one is
present for that user.
This will prevent me from having to set the manual authentication on the
Websense server.
===============================================================================

Thanks,
Brian Wert
