Client Authentication rule

JPK300 · #1 (**permalink**) 2007-03-14

I have a question pertaining to a Client Auth rule.

Say I have a client auth rule similar to below

admins@any -> any via HTTP/HTTPS action client auth

Do any rules that have either HTTP or HTTPS in the service field have to be above the client auth rule? It appears thats the way my firewall functions but I cant find any documentation detailing this behavior. If a rule with HTTP or HTTPS in the service field is below this client auth rule it is never met. I would like to find a way around this, because this causes a number of rules to have to go above my stealth rule, which I would like to avoid if possible.

melipla · #2 (**permalink**) 2007-03-15

Quote:

Originally Posted by JPK300

Do any rules that have either HTTP or HTTPS in the service field have to be above the client auth rule?

Yes if you have the same destination this is what I have found as well, which makes sense.

Quote:

Originally Posted by JPK300

because this causes a number of rules to have to go above my stealth rule, which I would like to avoid if possible.

Can you make your rule more specific [in regards to destination]? I think that would go a long way to getting a workaround to your problem.

At the very least make a seperate client auth for your stealth rule(s) so that the real client auth rule can go below and all your other rules can stay in place.

JPK300 · #3 (**permalink**) 2007-03-15

Quote:

Can you make your rule more specific [in regards to destination]? I think that would go a long way to getting a workaround to your problem.

Is this in reference to the Client Auth Rule?

Quote:

At the very least make a seperate client auth for your stealth rule(s) so that the real client auth rule can go below and all your other rules can stay in place.

I dont understand what you are recommending here. I thought all Client Auth rules had to go above a Stealth rule.

Thanks for your assistance.

melipla · #4 (**permalink**) 2007-03-16

Yes I was referring to the client auth rule you posted.

I have client auth rules below my stealth rule(s).

JPK300 · #5 (**permalink**) 2007-03-16

I have always understood that Client Auth had to be above Stealth rules. This is what I have found in the Checkpoint documentation:

Quote:

Make sure all Client Authentication Rules are placed above the Rule that prevents
direct connections to the VPN-1 Pro Gateway (the “Stealth Rule”), so that they
have access to the VPN-1 Pro Gateway.

Do you have any other rules that allow access for client auth to be below your stealth rule?

melipla · #6 (**permalink**) 2007-03-16

In one instance I've negated http from my stealth rule, in the other I do not have it negated.

JPK300 · #7 (**permalink**) 2007-03-16

Thanks for the explanation.

abusharif · #8 (**permalink**) 2007-03-17

erm...what to you mean by cl auth rules need to be above stealth rule?

Only rules that needs to be above stealth rule is the actuall port 900 or 259 connection to the gateway. ACTUAL client auth rules don't have to be put before stealth.

JPK300 · #9 (**permalink**) 2007-03-19

I was basing the statement of where the Client Auth rule needs to be off of CheckPoints documentation. It specifically said to make sure the Client Auth was above the Stealth Rule.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode