Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 724 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why are these client-less identities not being assigned properly?

Alexandre Lemaire

Good morning Sophos.

My goal was to block specific machines during specific time periods.  Since this isn't an available feature, I found a workaround that seems to do the trick -- partially at least.

  1. I created DHCP reservations using MAC address (to give these MAC addresses specific IPs)
  2. I created clientless users using these reserved IP addresses
  3. Lastly, I created a firewall rule (first rule) to DROP packets from these clientless users at certain times

 

Here's what I am experiencing:

  • The DHCP reservations are all working - all IP addresses are as expected
  • Only 2 of the 4 devices are being recognized as clientless users in the firewall logs.  As a result, 2 of the 4 users are able to bypass the firewall rule (despite the fact, that the IP addresses are as expected!)

 

Do you have any idea, why despite having the accurate IP addresses, these two rogue users are not being tagged as clientless?

 

Thank you.

Alex



This thread was automatically locked due to age.
Parents
  • 0

     Hi,

    What you are saying is that the clienteles ID and your assignment are not matching. Which rule is allowing the blocked traffic out?

    Also please post a screenshot of your block rule.

    Doy uo have your clientless users in groups, if so you can set the access times from within groups. Do you check users in the firewall rules?

    Ian

  • 0 in reply to rfcat_vk

    Imagine this (fictitious) configuration in the DHCP tab:

    • MAC address 1, DHCP reservation for 1.1.1.1
    • MAC address 2, DHCP reservation for 2.2.2.2

    In the Authentication area, I have created these two Clientless Users

    • Clientless user A, IP address 1.1.1.1
    • Clientless user B, IP address 2.2.2.2

    Two computers connect to the network:

    • Computer A, with MAC address 1
    • Computer B, with MAC address 2

    Both computers get the expected IP Addresses, the DHCP reservations are working well.

    Next, in the Firewall area, are these simplified rules (ordered, from top to bottom):

    1. DROP everything, any source/dest, that match Clientless users A and B
    2. Let everything through

    The firewall logs identify that:

    • Computer B is not being matched to clientless user B, and he can proceed onto Rule #2 - despite having the proper IP Address
    • Computer A, is being properly matched to clientless user A, and is being blocked as expected, stopped at rule #1

    I can post screenshots later, but I have double-checked everything.

Reply
  • 0 in reply to rfcat_vk

    Imagine this (fictitious) configuration in the DHCP tab:

    • MAC address 1, DHCP reservation for 1.1.1.1
    • MAC address 2, DHCP reservation for 2.2.2.2

    In the Authentication area, I have created these two Clientless Users

    • Clientless user A, IP address 1.1.1.1
    • Clientless user B, IP address 2.2.2.2

    Two computers connect to the network:

    • Computer A, with MAC address 1
    • Computer B, with MAC address 2

    Both computers get the expected IP Addresses, the DHCP reservations are working well.

    Next, in the Firewall area, are these simplified rules (ordered, from top to bottom):

    1. DROP everything, any source/dest, that match Clientless users A and B
    2. Let everything through

    The firewall logs identify that:

    • Computer B is not being matched to clientless user B, and he can proceed onto Rule #2 - despite having the proper IP Address
    • Computer A, is being properly matched to clientless user A, and is being blocked as expected, stopped at rule #1

    I can post screenshots later, but I have double-checked everything.

Children
  • 0 in reply to Alexandre Lemaire

    Actually Authentication will replace the need of using Source IP.

    Firewall Matching will hit on Source IP, Destination IP and Service (First Match).

    Authentication (no matter what authentication), will replace the Source IP with a actually User Name. 

     

    So basically XG will see a traffic, let say, IP 1.1.1.1 going to 8.8.8.8 Port 53. (DNS Traffic). 

    It will look for a Matching Firewall rule (first match). 

    In Case of Authentication, you can actually configure a firewall rule and replace 1.1.1.1 to User A. XG will match internally this IP to this User. 

     

    But this will be the same mechanism like a normal firewall rule. 

    I guess you missed the First Match like i mentioned early. 

    Actually XG will stop at the first match rule and this rule will hit for this traffic (stateful).