Greetings all,

I have a SR community using digital certs (IKE) to authenticate, and the
generic* user so I don't have to create individual user accounts on the
fw. However, I now need to create a second client encrypt rule to limit
certain SR users to a subset of resources. I've attempted this by only
creating those users that I want to encrypt on a different rule. All the
regular users still match against the generic user.

However, all users, including the ones created on the fw, are triggering
on the rule that has the generic user. Here's the config:

Users:
Generic*        member of AllUsers group
x-limited       member of Limited group


Rules on the firewall:

Rule    src             dst     protocol                action
4       Limited@any     serverA http            client encrypt
5       AllUsers@any    any     any             client encrypt

When x-limited authenticates and attempts to connect to a resource in
the encryption domain, the rule that is triggered is rule 5, not rule 4.
This is even when generic* is the only member of AllUsers.

Should this work? If not, any pointers?

Regards,

--- Gavin
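To make the expected first-match behaviour concrete, here is a small added model of the rule base in the post. It is example code written for this thread, not anything from Check Point or the original poster, and it assumes two things that the post leaves open: rules are evaluated top-down with the first match winning, and the generic* user acts as a wildcard that matches any authenticated user name. Group names, rule numbers and host names are taken from the post; the user name "alice" is a constructed stand-in for a user that was never defined on the firewall.

```python
from dataclasses import dataclass

# Constructed model of the client-encrypt rule base described in the post.
# Assumptions of this example (not a statement about any product version):
#   - rules are evaluated top-down, first match wins
#   - the generic* user matches any authenticated user name

GENERIC_USER = "generic*"

# User groups as given in the post: AllUsers contains only generic*,
# Limited contains the explicitly created x-limited account.
GROUPS = {
    "AllUsers": {GENERIC_USER},
    "Limited": {"x-limited"},
}


@dataclass(frozen=True)
class Rule:
    number: int
    src_group: str   # user group in the source column (group@any)
    dst: str         # "any" or a destination host name
    service: str     # "any" or a service name
    action: str


# Rules 4 and 5 from the post, in the order they appear on the firewall.
RULES = [
    Rule(4, "Limited", "serverA", "http", "client encrypt"),
    Rule(5, "AllUsers", "any", "any", "client encrypt"),
]


def user_in_group(user: str, group: str) -> bool:
    """True if the user is an explicit member, or the group holds generic*."""
    members = GROUPS.get(group, set())
    return user in members or GENERIC_USER in members


def first_match(user: str, dst: str, service: str, rules=None):
    """Return the first rule whose source group, destination and service
    all match the connection, or None if nothing matches."""
    for rule in RULES if rules is None else rules:
        if not user_in_group(user, rule.src_group):
            continue
        if rule.dst not in ("any", dst):
            continue
        if rule.service not in ("any", service):
            continue
        return rule
    return None


def matching_rule_number(user: str, dst: str, service: str, rules=None):
    """Convenience wrapper: the number of the matching rule, or None."""
    rule = first_match(user, dst, service, rules)
    return rule.number if rule is not None else None


if __name__ == "__main__":
    # Under the stated assumptions, x-limited to serverA/http should hit
    # rule 4; anything else falls through to the generic rule 5.
    print("x-limited -> serverA http:", matching_rule_number("x-limited", "serverA", "http"))
    print("x-limited -> serverB http:", matching_rule_number("x-limited", "serverB", "http"))
    print("alice     -> serverA http:", matching_rule_number("alice", "serverA", "http"))
    # If rule 5 were ordered above rule 4, the specific rule would be
    # shadowed and never fire, which is the symptom described in the post.
    print("rules swapped, x-limited -> serverA http:",
          matching_rule_number("x-limited", "serverA", "http", list(reversed(RULES))))
```

The model shows what the rule base in the post should do if ordering and group matching behave as assumed: x-limited reaches rule 4 for serverA over HTTP and rule 5 for everything else, while an undefined user only ever reaches rule 5. The swapped-order case at the end reproduces the symptom in the post (rule 5 firing for x-limited), which is worth ruling out first by checking the installed policy's actual rule order before looking at how generic* is matched.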



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================