Thanks for your input.

I want to place the stealth rule as high as possible in the rule base
because it wouldn't make much sense putting it at the bottom. And since
explicit authentication rules (client auth) must be put after general
access rules, I don't see how this should work putting it before the
stealth rule. Isn't there some sort of Checkpoint service that I can
allow/permit in a rule before the stealth rule?

Sascha

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of fwguru
> Sent: Tuesday, April 19, 2005 4:42 AM
> To: [email protected]
> Subject: Re: [FW-1] Does a stealth rule disable Client Authentication?
>
> Presuming that your intention is to NOT allow authenticated VPN
> clients direct access to the firewall, on Simplified Mode Policies
> explicit VPN rules CAN be below the Stealth Rule.  The actual VPN
> control connections to the firewall are implied.  VPN-client
> access-control is a layer of security unrelated to VPN technology
> (such as key exchanges).
>
> Non-transparent authentication rules (the ones with Client-Auth as the
> Action) must be above the Stealth Rule.  In fact, the only instance
> that users *should* knowingly and explicitly connect to the firewall
> directly is when Client-Auth is configured.  That's it. I cannot think
> of other reasons why to allow your general population to willfully and
> explicitly connect to the firewall.
>
> Consider this:  If you have a VPN rule above the Stealth Rule
> that says:
>
> [EMAIL PROTECTED] | Internal_Net | via RA_Community | ANY Service | Accept
>
> .....wouldn't that leave the FW's internal interface open to all ports
> from authenticated VPN users?  If so, that would break all kinds of
> best-practices rules.
>
>
> -fwguru
>
>
>
> On 4/18/05, Jean-Paul Baillon <[EMAIL PROTECTED]> wrote:
> > The client authentication rules, as with all VPN rules, should be placed
> > above the stealth rule, as its purpose is to stop rogue connections being
> > made to the firewall.
> >
> > With VPN and Client auth you need to make a connection to the firewall
> > in order to proceed.
> >
> >
> > JP
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of Sascha
> > Picchiantano
> > Sent: Monday, 18 April 2005 9:59 PM
> > To: [email protected]
> > Subject: [FW-1] Does a stealth rule disable Client Authentication?
> >
> > Hi,
> >
> > we are running NG and use SecurID to authenticate users. This works
> > well. However, I implemented a stealth rule (deny traffic to firewall)
> > and since then users can't authenticate anymore. I was under the
> > impression that authentication stuff is handled by implied rules, but it
> > looks as if not. Any idea? What do I have to open up so users can
> > authenticate?
> >
> > Oh btw: When users access the Internet with a browser, their browser
> > title bar shows
> >
> > [ip_address_of_firewall]\fwauthredirect_[long_number_probably_cookie]
> >
> > and hangs there. This might be related...?
> >
> > Any suggestions please? :)
> >
> > Cheers
> > Sascha
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email [EMAIL PROTECTED]
> > =================================================
> >
>

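The ordering argument running through this thread (a stealth rule above the client-auth rule silently drops the authentication connection; an ANY-service VPN rule to a network that contains the firewall, placed above the stealth rule, opens the firewall itself) as an added first-match model. This is illustration code written for this page, not code from the thread, the list, or Check Point; the object names, the group contents and the two client-auth service names (the standard TCP 259 telnet and TCP 900 HTTP ports) are assumptions.

```python
ANY = "ANY"
FW = "fw_gateway"  # constructed: the firewall gateway object
# Constructed groups; Internal_Net includes the firewall's internal interface,
# which is exactly what makes an "ANY service" rule to Internal_Net risky.
GROUPS = {"Internal_Net": {FW, "srv1", "pc1"}, "RA_Users": {"vpn_user"}}
# Assumed Client Authentication services (standard ports TCP 259 and TCP 900).
CLNTAUTH = {"FW1_clntauth_telnet", "FW1_clntauth_http"}

def covers(obj, host):
    """True if a rule column (ANY, a group, or a host object) includes host."""
    return obj == ANY or host in GROUPS.get(obj, {obj})

def matches(rule, src, dst, svc):
    _, rsrc, rdst, rsvc, _ = rule
    return covers(rsrc, src) and covers(rdst, dst) and (ANY in rsvc or svc in rsvc)

def action(rules, src, dst, svc):
    """Top-down, first match wins (as in FW-1); no match means implicit drop."""
    hit = next((r for r in rules if matches(r, src, dst, svc)), None)
    return hit[4] if hit else "drop"

# Rules as (name, source, destination, services, action) tuples.
STEALTH = ("stealth", ANY, FW, {ANY}, "drop")
CLIENT_AUTH = ("client auth", ANY, FW, CLNTAUTH, "client_auth")
VPN_ANY = ("vpn any", "RA_Users", "Internal_Net", {ANY}, "accept")

def lint_above_stealth(rules):
    """Names of rules above the stealth rule that accept ANY service to the firewall."""
    bad = []
    for r in rules:
        if r is STEALTH:
            break
        if covers(r[2], FW) and ANY in r[3] and r[4] == "accept":
            bad.append(r[0])
    return bad

# Sascha's order: stealth first, so the auth connection never reaches its rule.
BROKEN = [STEALTH, CLIENT_AUTH]
# JP/fwguru's fix: client auth above stealth; everything else to the FW still drops.
FIXED = [CLIENT_AUTH, STEALTH]
# fwguru's warning: an ANY-service VPN rule above stealth exposes the firewall.
RISKY = [CLIENT_AUTH, VPN_ANY, STEALTH]
SAFER = [CLIENT_AUTH, STEALTH, VPN_ANY]

if __name__ == "__main__":
    for name, rb in [("broken", BROKEN), ("fixed", FIXED)]:
        print(name, action(rb, "pc1", FW, "FW1_clntauth_http"))
    print("risky", action(RISKY, "vpn_user", FW, "ssh"), lint_above_stealth(RISKY))
    print("safer", action(SAFER, "vpn_user", FW, "ssh"), lint_above_stealth(SAFER))
```

The lint is the check to run on a real rule base before accepting anything above the stealth rule: it flags only rules that both reach the firewall object and carry ANY as the service.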