URIs force FireWall-1 to Proxy

[roadrunner]

URIs force FireWall-1 to Proxy
Any URI filtering, virus scanning or authentication causes the connection to be folded into the HTTP Security Server. This means the HTTP Security Server opens the connection on behalf of the user. There is a diagram in the 4.0 documentation discussing how transparent telnet connections are authenticated. It that has the following note: "(The client) sees this connection as originating from (the firewall)." The 3.0 documentation has no such note, but has the same diagram. It would make sense they would do it the same way for all the other protocols as they do for telnet. In practice, it does.

The NG release does not "proxy" connections that go through the Security Servers any longer, i.e. the source address should be the client's IP address, unless NAT is applied. To change the behaviour back to the pre-NG behaviour, you can make a modification with dbedit on the management console as follows (fw-module is the name of your firewall object). Only execute the "modify" command for the security server you wish to change the behaviour for.

dbedit> modify network-objects fw-module firewall_settings:http_transparent_server_connecti on false
dbedit> update properties network-objects
You can also do this for telnet, rlogin, and ftp (e.g. telnet_transparent_server_connection, rlogin_transparent_server_connection, and ftp_transparent_server_connection).
Refer to EditingObjectsDotC for additional information.

-- PhoneBoy - 01 Jan 2004


FAQForm
FAQs.Class: ContentSecurityFAQs
OperatingSystem?:
FAQs.Version: