FireWall-1 FAQ: Logging User Info with Client Auth
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
## Q:
Assume the following rulebase with the automatically_open_ca_rules(true) set in objects.C:
| No. | Source | Destination | Service | Action | Track |
|-----|--------|-------------|---------|--------|-------|
| 1 | AllUsers@Internal-Net | Any | Any | Client Auth | Long |
| 2 | AllUsers@Internal-Net | Any | Any | Session Auth | Long |
| 3 | Any | Any | Any | Drop | Long |
Client Auth properties are set to 1 minute, unlimited number of connections.
User tries to access outside net from inside and is running a Session Auth agent on his PC. For the first connection, he will hit rule 2. The user is prompted for auth by the local Session Auth agent. User authenticates correctly and this opens up the client auth rule (rule 2):
```
"1" "28Sep98" "10:17:48" "daemon" "mrhat"
"log" "authorize" "Std Sign On" "kenny-28.phoneboy.com"
"" "ip" "1" "" "test" "" "" ""
"" "" "" "reason Authenticated by FireWall-1 Password"
"2" "28Sep98" "10:17:48" "daemon" "mrhat"
"log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com"
"tcp" "2" "1611" "test" "" "" "" ""
"" "" "reason Authenticated by FireWall-1 Password"
```
Note the user "test" is listed in both log entries. Now, for the 1 minute that the Client Auth Rules apply, the log entries look like this:
```
"3" "28Sep98" "10:17:52" "E100B1" "mrhat"
"log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com"
"tcp" "1" "1611" "" "" "" ""
"" "" "" " len 64"
"4" "28Sep98" "10:17:53" "E100B1" "mrhat"
"log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com"
"tcp" "1" "1613" "" "" "" ""
"" "" "" " len 64"
"5" "28Sep98" "10:17:54" "E100B1" "mrhat"
"log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com"
"tcp" "1" "1614" "" "" "" ""
"" "" "" " len 64"
```
Notice these get logged under the Client Auth rule (as they should be). Also notice that the user is not logged with these log entries. Is there some way that I can get the client auth rule to log the user as well?
## A:
This is supported in FireWall-1 4.1, but not in earlier versions.
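On releases that do not log the user on the client auth rule, the attribution can still be recovered after the fact from the log itself. The following is an added example, not from this FAQ or from Check Point: it parses the quoted-field records shown above and, for each accept that carries no user, fills the user in from the most recent "authorize" record for the same source host within the 1 minute client auth window. The field positions are inferred from the five records above (an assumption, not a documented schema), and a sixth record is constructed to show an accept outside the window being left unattributed.

```python
import shlex
from datetime import datetime, timedelta

# Field positions inferred from the records quoted in the question (assumption):
# every record has 21 quoted fields; only the ones used here are named.
NFIELDS, DATE, TIME, ACTION, SRC, USER = 21, 1, 2, 6, 8, 13

# Constructed sample: the five records from the question, one per line, plus a
# sixth constructed record that falls well outside the 1 minute window.
SAMPLE_LOG = '''"1" "28Sep98" "10:17:48" "daemon" "mrhat" "log" "authorize" "Std Sign On" "kenny-28.phoneboy.com" "" "ip" "1" "" "test" "" "" "" "" "" "" "reason Authenticated by FireWall-1 Password"
"2" "28Sep98" "10:17:48" "daemon" "mrhat" "log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com" "tcp" "2" "1611" "test" "" "" "" "" "" "" "reason Authenticated by FireWall-1 Password"
"3" "28Sep98" "10:17:52" "E100B1" "mrhat" "log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com" "tcp" "1" "1611" "" "" "" "" "" "" "" " len 64"
"4" "28Sep98" "10:17:53" "E100B1" "mrhat" "log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com" "tcp" "1" "1613" "" "" "" "" "" "" "" " len 64"
"5" "28Sep98" "10:17:54" "E100B1" "mrhat" "log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com" "tcp" "1" "1614" "" "" "" "" "" "" "" " len 64"
"6" "28Sep98" "10:19:30" "E100B1" "mrhat" "log" "accept" "http" "kenny-28.phoneboy.com" "www-me2.netscape.com" "tcp" "1" "1620" "" "" "" "" "" "" "" " len 64"
'''


def parse_records(text):
    """Split the quoted-field text into records of NFIELDS fields each.
    shlex turns '""' into '' and keeps the leading space of '" len 64"'."""
    tokens = shlex.split(text)
    if len(tokens) % NFIELDS:
        raise ValueError("token count is not a multiple of %d" % NFIELDS)
    return [tokens[i:i + NFIELDS] for i in range(0, len(tokens), NFIELDS)]


def stamp(rec):
    """Combine the date and time fields ('28Sep98', '10:17:48') into a datetime."""
    return datetime.strptime(rec[DATE] + " " + rec[TIME], "%d%b%y %H:%M:%S")


def attribute_users(text, window=timedelta(minutes=1)):
    """Return {record number: user} for every accept without a user field,
    taking the user from the latest 'authorize' by the same source host that
    happened within the window; None when no such authorization exists."""
    last_auth = {}   # source host -> (authorization time, user)
    result = {}
    for rec in parse_records(text):
        if rec[ACTION] == "authorize" and rec[USER]:
            last_auth[rec[SRC]] = (stamp(rec), rec[USER])
        elif rec[ACTION] == "accept" and not rec[USER]:
            seen = last_auth.get(rec[SRC])
            if seen and timedelta(0) <= stamp(rec) - seen[0] <= window:
                result[rec[0]] = seen[1]
            else:
                result[rec[0]] = None   # nothing to tie this accept to
    return result
```

Records 3 to 5 resolve to "test" because they fall within 6 seconds of the authorization from kenny-28.phoneboy.com; the constructed record 6, 102 seconds later, stays unattributed.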