Policy Rule

[iantaylor2100]

Hi only allow certain memebers of staff access to the Internet.
We do this by using the client auth rule and adding users to a group.
I need to split the group so some have http access and some others can have ftp access.

I have tried to do this but all that happens is the 2nd rule is ignored.

I'm not sure if this can be done or if it is just about placing it correctly.

Our first rule is access to the firewall the 2nd is the user rule and the 3rd is a drop anything else to the firewall stealth rule.

Hope someone can help as this is a pain.

Thanks in advance
Ian Taylor

 

[Piloria]

Authentication rules are always a pain. unlike other rules they often take the path of least resistnce regardless of order.
as long as the groups are clearly defined

user a in group 1
user b in group 1
user c in group 1 & 2
user d in group 2

and rules

group 1 - any - ftp - user auth - accept
group 2 - any - http - user auth - accept

within the user auth i would also set it to any server

it should work but no guarentee (i had alot of problems setting up session authentication)

as a point of principal i would always put rules after the stealth rule (except management rule)

 

[iantaylor2100]

Thanks again for the quick reply.

We currently use Client Auth maybe thats whats wrong.

I tried putting the rule below the stealth rule but I couldn't access anything, but again maybe the due to teh client auth rule.

Do you know what the difference is as my books don't really explain it very well.

Thanks
Ian

 

[Piloria]

sorry my mistake miss read the auth technique
it shouldnt make that much difference.
when the rule is below the stealth rule what is the failed log entry?