Rules and config remained as-is.  I switched the Client Auth config from
Manual to Partially Automatic.  It was an oversight on my part.  That worked
immediately.  In Manual mode, they'd HTTP to port 900, then the FW would
allow only one connection and fail on all other attempts.  Partially
Automatic was the way to go.

:)

Neil Delacruz


On 1/25/07, hboogz <[EMAIL PROTECTED]> wrote:

What do you think happened for it to work?

On 1/25/07, fwguru <[EMAIL PROTECTED]> wrote:
>
> never mind.  I got it to work.
>
> thanks
>
>
> On 1/25/07, fwguru <[EMAIL PROTECTED]> wrote:
> >
> > Fellow Gurus -
> >
> > Has anybody ever implemented a Websense UFP rule with Client Auth?  I am
> > wondering if the following setup will work:
> >
> > Group_of_Nets | ANY | http-Websense_UFP | Reject | Log | Note: Websense Block rule with URI Resource
> > Group_of_Users | ANY | http | Client Auth | Log | Note: HTTP Allow rule with Client Auth
> >
> > Note: Websense is pulling its users from AD.  The Client Auth is
> > authenticating against a Radius server.  By itself, the Client Auth rule
> > works and has been working.  The Websense is a new turnup.  Without the
> > Client Auth rule, Websense UFP works as expected.  With the Client Auth rule
> > enabled as above, all http traffic is rejected by the fw daemon on cleanup
> > rule.  In theory, this should work, or I may be missing something here.
> >
> > Background:
> > NG FP3 on Solaris
> > Websense on W2K3
> > Managed by P-1 R55.
> > Customer's local firewall sits between the Websense box and the CMA.  We
> > had to NAT the Websense box only to pull the dictionary from the CMA.  The
> > OPSEC object was then changed to point back to the un-Natted Websense
> > object.
> >
> > I appreciate your time,
> >
> > Neil Delacruz
> >
> >
> >
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>



--
HBooGz:\>
