
[FW1] Implicit Client authentication on fw1 4.0




I see the phoneboy FAQ about implicit authentication for fw1 3.0, but
this seems different for fw1 4.0.

I tried to change the objects.c file, but after compiling the rules the
value of "automatically_open_ca_rules" goes back to false.

To me, 4.0 seems different from 3.0, not needing the
automatically_open_ca_rules(true) directive.

In any case, I do this:

Source           Dest.  Service               Action                 Track  Install
group@localnet   any    http,ftp,proxy_http   client_authentication  log    gateways
localnet         any    http,ftp,proxy_http   drop                   log    gateway

The service proxy_http is a user-defined service for proxy access on
port tcp 3128. For this to work I need to mark 'protocol type' as URI; also
I __need__ to put the proxy address in 'HTTP Next Proxy' on the Properties
menu, Security Servers tab, in order for this to work.

In the client authentication properties I need to mark:
Required Sign On: Standard
Sign On Method: partially automatic

On the Limits tab:
Authorization Timeout: 0h 30m
Refreshable timeout: enable

Number of sessions allowed: infinite

Well, this works OK a large number of times, but in some cases I see an
error from fw1, like:

FW-1 at xxx: FW-1 form has expired.

Or another error that has fwreauthentication in the URL.

Another problem is that, for me to access the http proxy (outside the firewall)
by setting it in the browser, I MUST place the http Next Proxy in Properties; if I
leave this blank I receive this message: FW-1 at xxx: Access denied.


Thanks in advance,
Klaubert Herr
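As an added illustration (not part of the original post and not Check Point code), the following Python model walks a host through the two-rule client-authentication rule base and the Limits-tab settings described above. It shows the effect of a refreshable 30-minute Authorization Timeout: a host that keeps using the services stays signed on, while an idle session expires and the next request is sent back to the sign-on form, which is the situation in which a stale form or a re-authentication URL would be seen. The 10.1.0.0/16 network, the user names, the gateway behaviour and the timestamps are constructed assumptions for the example and do not reproduce FW-1 internals.

```python
"""
Toy model of a two-rule client-authentication rule base with a session
table applying a refreshable authorization timeout.  Added illustration
only; not Check Point code.  Network, users and times are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

LOCALNET = ip_network("10.1.0.0/16")      # assumed address range for "localnet"
GROUP_MEMBERS = {"alice", "bob"}           # assumed members of the user group
# proxy_http is the user-defined service on TCP/3128 from the post.
SERVICES = {80: "http", 21: "ftp", 3128: "proxy_http"}
AUTH_TIMEOUT = 30 * 60                     # Authorization Timeout: 0h 30m, in seconds


@dataclass
class Rule:
    source: str          # "group@localnet" (user group at localnet) or "localnet"
    services: set
    action: str          # "client_authentication" or "drop"


# Source           Dest.  Service               Action
# group@localnet   any    http,ftp,proxy_http   client_authentication
# localnet         any    http,ftp,proxy_http   drop
RULEBASE = [
    Rule("group@localnet", {"http", "ftp", "proxy_http"}, "client_authentication"),
    Rule("localnet", {"http", "ftp", "proxy_http"}, "drop"),
]


@dataclass
class ClientAuthGateway:
    refreshable: bool = True     # "Refreshable timeout: enable"
    # source address -> (signed-on user, expiry time in seconds)
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def sign_on(self, src: str, user: str, now: int) -> str:
        """Sign-on through the form; only members of the group are authorized."""
        if user not in GROUP_MEMBERS:
            return "Access denied"
        self.sessions[src] = (user, now + AUTH_TIMEOUT)
        return "Authorized"

    def _session_user(self, src: str, now: int) -> Optional[str]:
        """Return the signed-on user for src, expiring or refreshing the session."""
        entry = self.sessions.get(src)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self.sessions[src]    # expired: the next request gets the form again
            return None
        if self.refreshable:          # refreshable: each accepted connection restarts the clock
            self.sessions[src] = (user, now + AUTH_TIMEOUT)
        return user

    def decide(self, src: str, dport: int, now: int) -> str:
        """First-match evaluation; returns accept, authenticate or drop."""
        service = SERVICES.get(dport)
        in_localnet = ip_address(src) in LOCALNET
        for rule in RULEBASE:
            # Both rules use localnet as the network part of the source column.
            if not in_localnet or service not in rule.services:
                continue
            if rule.action == "drop":
                return "drop"
            # client_authentication: a live session for a group member is accepted;
            # otherwise the connection is intercepted and the sign-on form served
            # (partially automatic sign-on for http/ftp in the post's setup).
            return "accept" if self._session_user(src, now) else "authenticate"
        return "drop"   # nothing matched: implicit cleanup


def scenario(refreshable: bool) -> list:
    """Walk one host through sign-on, use, idle time and expiry; return the decisions."""
    gw = ClientAuthGateway(refreshable=refreshable)
    host = "10.1.2.3"                                    # constructed localnet host
    out = []
    out.append(gw.decide(host, 80, now=0))               # no session yet -> authenticate
    out.append(gw.sign_on(host, "alice", now=0))         # Authorized
    out.append(gw.decide(host, 3128, now=25 * 60))       # inside 30 min -> accept
    out.append(gw.decide(host, 80, now=50 * 60))         # refreshable: still accepted;
                                                         # fixed timeout: expired -> form again
    out.append(gw.decide("192.0.2.10", 80, now=0))       # outside localnet -> implicit drop
    out.append(gw.sign_on(host, "mallory", now=0))       # not in the group -> Access denied
    return out


if __name__ == "__main__":
    print("refreshable:", scenario(True))
    print("fixed      :", scenario(False))
```

With the refreshable timeout enabled, the request at 25 minutes pushes the expiry out to 55 minutes, so the request at 50 minutes is still accepted; with a fixed timeout the same request arrives after the session has expired and the host is sent back to the sign-on form. The drop rule is kept for fidelity to the post; in this model it is only reached when the first rule does not match, since both rules list the same source network and services.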





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================