violation reason: USER_IDENTITY issue

Jim,

are you using AD accounts?

Thanks

yes, im using AD accounts.

Jim,

by default the timeout for unauthenticated traffic is 120 seconds. You can reduce the timeout period using a console command:

Jim,

by default the timeout for unauthenticated traffic is 120 seconds. You can reduce the timeout period using a console command:

Hello Luk,

Thanks a lot for your help. How can i disable drop for unauthenticated traffic? i don't want to drop any packet even if it's from unauthenticated user.

Best,

Hi Jim,

I am a bit confused why do you need to allow unauthenticated traffic after deploying STAS with AD! Is there a specific requirement that we are unknown about. Suggestion by Luk is specific when strict authentication is not enabled with STAS and the unauthenticated traffic should be allowed after specific seconds as configured through the command line. You cannot completely disable this drop time or else there will be no use for the authentication mechanism.

Thanks

Hi sachingurung,

I can tell you that over a RED tunnel, STAS does not work perfectly. I had to disable it to allow our RED clients. Support could not figure it out so we gave up on using it until it improves. I too wish if the firewall cannot identify the user that it passes the traffic anyway. I had 2 firewall rules to allow this to happen. One that was user based and one that was not. Even a 40 second delay is a long time for users to sit with no internet until the firewall decides to let it pass.

Mike

Now im getting INVALID_TRAFFIC violation message. What is this mean?

Hello,

I'm using STAS just for reporting purposes. So i have no rules that are matched to authenticated users. Is it okay to lower drop-period to 0?

Thank you.

Hello Ondrej Prchal1 

You cannot currently set the drop-period to 0. V17.2 is supposed to bring this feature per AlanT but we will see.

Mike