CPUG: The Check Point User Group
Posted 2005-08-12 by BarryStiefel (Administrator)
Authorizing Users by IP Range

Question
I have a client that does not wish to enable user authentication. Their administrator believes that the extra login prompt would confuse his users. The client is a law firm, who wants to give full internet access to the attorneys and IT staff. The remaining secretarial and support staff would only have email capabilities. The client's recommendation for access rights follows:

The entire firm fits within a single class C subnet. For attorneys and IT staff, hard coded IP addresses would be given to the workstations. For the remaining support staff, IP addresses would be assigned via DHCP.

Since the hard coded IP addresses would be in the lower range of this address range (a.b.c.10 - 30), and the DHCP addresses in the high range (a.b.c.100 - 250), would it be possible to define a rule in FW1 that expresses the low range gets full access, while the high range just gets SMTP?

I have been able to create two network objects in FireWall-1 by address range. However, I cannot get these objects to appear when I create a new rule. Is it possible to include an address range in the rules?

I know this sounds a bit unorthodox. However, the client is quite adamant about how their users get access. User authentication would work well in this situation, but is not an option. Provided there are no methods of using IP ranges to limit access, this option may have to be changed.

Answer
Address Range objects cannot be used in the Security Policy. They can only be used in NAT rules. However, you can still do what you would like to do without having to resort to user authentication. You need to create several objects (a combination of networks and hosts) that capture that range and add them to a group. In your case, you could create the following network objects to cover the "low" range you specified:
  • a.b.c.10 with a 255.255.255.252 subnet mask (covers hosts 10 and 11)
  • a.b.c.12 with a 255.255.255.252 subnet mask (covers hosts 12 thru 15)
  • a.b.c.16 with a 255.255.255.248 subnet mask (covers hosts 16 thru 23)
  • a.b.c.24 with a 255.255.255.252 subnet mask (covers hosts 24 thru 27)
  • a.b.c.28 with a 255.255.255.254 subnet mask (covers hosts 28 and 29)
  • a.b.c.30 as a "host" object (to cover 30)

You could do something similar with the 100-250 range, but I will leave that as an exercise for the reader.

-- PhoneBoy - 10 Jan 2004
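The split above can be made mechanical. The following is an added example, not code from the FAQ or from Check Point, that computes the aligned subnet blocks for any inclusive IPv4 range, prints each block in the form the answer uses (address, dotted mask, hosts covered), and checks that the blocks cover the range exactly with nothing spilling outside it. It uses 192.0.2.0/24 (the RFC 5737 documentation range) in place of the post's placeholder "a.b.c" network, and the range endpoints are the ones from the question. One detail worth checking by hand: an aligned /30 (255.255.255.252) block must start on a multiple of four, so the pair .10 and .11 is covered by a /31 (255.255.255.254); the code derives that, and also produces the nine blocks for the .100 to .250 range the answer leaves as an exercise.

```python
"""Split an inclusive IPv4 range into the aligned network blocks that can be
entered as FireWall-1 network/host objects, and verify the cover is exact.

Added example, not from the original post. 192.0.2.0/24 (documentation
range) stands in for the post's placeholder "a.b.c" network.
"""
import ipaddress


def cidr_cover(first: str, last: str) -> list[ipaddress.IPv4Network]:
    """Greedy split of first..last (inclusive) into the fewest aligned blocks.

    At each step take the largest power-of-two block that both starts on the
    current address (its alignment) and still fits in what is left of the range.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range start {first} is after range end {last}")
    blocks = []
    while start <= end:
        # Alignment of `start` is its lowest set bit (.10 -> 2, .12 -> 4, .16 -> 16).
        # Address 0 is aligned to everything, so cap it at the whole IPv4 space.
        size = (start & -start) if start else 1 << 32
        # Shrink until the block does not run past `end`.
        while size > end - start + 1:
            size //= 2
        prefix = 33 - size.bit_length()  # size == 2 ** (32 - prefix)
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def describe(block: ipaddress.IPv4Network) -> str:
    """Render a block the way the FAQ lists them: address, dotted mask, span."""
    lo, hi = block.network_address, block.broadcast_address
    span = f"host {lo}" if lo == hi else f"{lo} thru {hi}"
    return f"{lo} with a {block.netmask} subnet mask (covers {span})"


def covers_exactly(blocks, first: str, last: str) -> bool:
    """True iff the blocks are contiguous, in order, and span exactly first..last."""
    expected = int(ipaddress.IPv4Address(first))
    for b in blocks:
        if int(b.network_address) != expected:
            return False
        expected = int(b.broadcast_address) + 1
    return expected == int(ipaddress.IPv4Address(last)) + 1


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against ipaddress.summarize_address_range, which produces
    the same minimal cover with the standard library's own algorithm."""
    ref = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return cidr_cover(first, last) == ref


if __name__ == "__main__":
    # Static "low" range (full access) and DHCP "high" range (SMTP only).
    for label, lo, hi in (("low", "192.0.2.10", "192.0.2.30"),
                          ("high", "192.0.2.100", "192.0.2.250")):
        blocks = cidr_cover(lo, hi)
        print(f"{label} range {lo}-{hi}: {len(blocks)} objects, "
              f"exact={covers_exactly(blocks, lo, hi)}, "
              f"stdlib agrees={matches_stdlib(lo, hi)}")
        for b in blocks:
            print("  *", describe(b))
```

Whichever way the blocks are produced, this remains authorization by source address only: a support-staff workstation that is given a static address inside the low range inherits full access, so the user-authentication option the question rules out is the more robust design if it ever becomes acceptable.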
