Firewall-1

Re: [FW-1] SecureCLient

Subject: Re: [FW-1] SecureCLient
From: Ray Pesek <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 22 Apr 2004 12:10:25 -0400
For Source, use "Add User Access" and specify the user group on FW-1 that
contains the IDs of the SecureClient users. The user group name will then
show up in the Source column.

In R55, the "VPN" cell of the rule should be "RemoteAccess"

Ray


From: Jason Cameron <jasonc AT FIN-X DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] SecureCLient
Date: Thu, 22 Apr 2004 07:10:12 +0200

I have a nokia ip 330 cluster with NG AI. My clients are connecting via
secureclient to create the vpn to connect to the network.

I have two rules which concern me

1. any>fwcluster>echorequest,echoreply>accept>log. This is to allow
secureclient keepalives. Since I don't know their IPs (dialup or leased),
is this a security risk?

2. any>fwcluster>fw1_topo,fw1_key,ike<ike_tcp_fw1_pslogon_ng,tunneltest,fw1_scvkeepalive>accept>log.


The clients either dial via isp or connect through their leased lines. My
problem is with the "any" as the source. Are there any security risks
and how do I overcome the Secureclient problem of needing keepalive to allow
the firewall to know the connection is still open?
Has anybody got a working example of their rules?
tks

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
