cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
424
Views
0
Helpful
3
Replies

question about downloadable ACLs

slug420
Level 1
Level 1

When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW. Is this true?

Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"? Would it then enforce that ACL? So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server? Even if I was authenticating from say, my workstation?

3 Replies 3

Ivan Martinon
Level 7
Level 7

When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW.  Is this true?

- True, unless you bound the DACL to the user and that user always use a static ip address.

Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"?  Would it then enforce that ACL?

- The DACL will always be enforced whether you use any or host ip address, however if the ip address used as source does not match the DACL then it will always deny traffic.

Don't Follow the one below:

So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server?  Even if I was authenticating from say, my workstation?

What do you mean with that?

I am thinking (based on your response) that what I want to do is not possible.....

The fundamental functionality of a DACL is a user has limited access, they hit the firewall, authenticate, and a new set of rules is applied which allows new access.

The intention of this (and possibly the only way it works) is for my workstation to have no access, my workstation to authenticate, and my workstation to have additional access.  What I was inquiring about is the ability for a DACL to impact an unrelated system.

so for example, my workstation has full access to everythng, but Server A cannot talk to Server B.  Could I hit the firewall from my workstation, authenticate, and download an ACL that allows server A to then communicate with server B?

I don't think that works that way since the DACL is downloaded per session, it has an identifier that applies only for the user that authenticates.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: