
DC agent - IP filter

DC Agent logon authentication


#1 Roland Ramsebner

Roland Ramsebner
  • Members
  • 18 posts

Posted 13 November 2015 - 12:00 PM

Hello Barracuda NG Team


At the moment with DC agent it is only possible to filter out logon events from unwanted IPs or IP subnets.

Attached file: DCAgent_IPFilter.jpg (27.43 KB)

In certain situations the reverse approach, sending only the logon events for one (or more) IP subnets, would be more suitable. It would be great if this could even be combined with the requesting device/NG firewall.

For example:

- all DCs are located at the headquarters

- many NG firewalls with local Internet breakout in small sales offices (no local DC)

- user authentication for internet access and user based firewalling is required


In this setup it makes no sense to send all logon information from all locations to every NG firewall; it would be better to send only the site-specific logon events to the corresponding device.

The logon information of location A clients/IP subnet should only be sent to location A NG firewall.

The logon information of location B clients/IP subnet should only be sent to location B NG firewall, and so on ...


Please implement such a feature.


Thanks and Regards, Roland



#2 Tim Warr

Tim Warr
  • Members
  • 49 posts

Posted 21 January 2016 - 03:59 AM

Hi Roland,


Many thanks for the feature ideas for DC Agent and the information about the context.


If we have understood correctly, you are suggesting two things:

  1. a whitelisting IP filter instead of a blacklisting filter
  2. and the ability to associate certain groups of logons with certain F-Series appliances

We have these on our 'ideas list' and will be interested to see if any other partners and customers would be interested in these features.

Thanks,

Tim



#3 Roland Ramsebner

Roland Ramsebner
  • Members
  • 18 posts

Posted 25 January 2016 - 11:46 AM

Hi Tim


Yes, correct. It would be more scalable and efficient to send only the required logon events from one or more IP subnets (for example LAN) to the corresponding NG firewall instead of sending all DC logon events from all locations to all NG firewalls.

The global blacklisting approach for filtering out unwanted users and IP subnets is OK, but an additional per-device IP subnet whitelist will make the solution more flexible and powerful.

For example: globally blacklist the user "administrator" and the IP subnet "192.168.0.0/16", and per NG firewall send only the one or more required IP subnets to the corresponding NG firewall via a whitelisting approach.

The headquarters firewall will receive all logon events (except for user "administrator" and IP subnet "192.168.0.0/16") because there is no entry, or 0.0.0.0/0, in the headquarters per-device whitelist.

The location A firewall will receive logon events (except for user "administrator") only for its local subnet 10.10.1.0/24, restricted via the location A per-device whitelist.

The location B firewall will receive logon events (except for user "administrator") only for its local subnets 10.10.2.0/24 and 10.20.0.0/16, restricted via the location B per-device whitelist.

and so on ...


I think that way it could be added as an add-on DC Agent feature without impact on existing installations.

Thanks and Regards, Roland
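The routing scheme Roland lays out in this post, a global user/subnet blacklist applied first and then a per-firewall subnet whitelist in which an empty list or 0.0.0.0/0 means "everything", as an added Python model. This is example code written for this thread, not Barracuda's DC Agent code; the firewall names, the event fields and the sample logons are constructed, and the exact semantics are the ones stated in the post (blacklist wins over whitelist; the headquarters whitelist is empty).

```python
"""Model of a DC Agent logon-event router: global blacklist, then per-device whitelist.

Added example, not Barracuda's DC Agent implementation. Firewall names, the
LogonEvent fields and all sample logons below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Set


@dataclass
class LogonEvent:
    user: str
    ip: str  # client IP the domain controller recorded for the logon


@dataclass
class GlobalBlacklist:
    """Applied to every event before any per-device decision is made."""
    users: Set[str] = field(default_factory=set)
    networks: List[IPv4Network] = field(default_factory=list)

    def drops(self, ev: LogonEvent) -> bool:
        # Account names are case-insensitive in AD, so compare lower-cased.
        if ev.user.lower() in {u.lower() for u in self.users}:
            return True
        addr = ip_address(ev.ip)
        return any(addr in net for net in self.networks)


def build_whitelists(spec: Dict[str, List[str]]) -> Dict[str, List[IPv4Network]]:
    """Parse {firewall name: [CIDR, ...]} into network objects (strict CIDRs only)."""
    return {dev: [ip_network(cidr) for cidr in cidrs] for dev, cidrs in spec.items()}


def whitelist_allows(nets: List[IPv4Network], addr) -> bool:
    # No entry means "send everything" (the headquarters case in the post);
    # 0.0.0.0/0 naturally matches every IPv4 address via the same check.
    if not nets:
        return True
    return any(addr in net for net in nets)


def route(ev: LogonEvent, blacklist: GlobalBlacklist,
          whitelists: Dict[str, List[IPv4Network]]) -> List[str]:
    """Return the firewalls that should receive this logon event, in config order."""
    if blacklist.drops(ev):
        return []  # blacklist is global: no device sees the event
    addr = ip_address(ev.ip)
    return [dev for dev, nets in whitelists.items() if whitelist_allows(nets, addr)]


def demo() -> Dict[str, List[str]]:
    """Run the configuration from the post over constructed sample logons."""
    blacklist = GlobalBlacklist(users={"administrator"},
                                networks=[ip_network("192.168.0.0/16")])
    whitelists = build_whitelists({
        "hq-fw": [],                               # no entry: receives all sites
        "loc-a-fw": ["10.10.1.0/24"],
        "loc-b-fw": ["10.10.2.0/24", "10.20.0.0/16"],
    })
    # Constructed sample events (not real log data).
    events = [
        LogonEvent("alice", "10.10.1.25"),          # location A client
        LogonEvent("bob", "10.20.7.3"),             # location B client
        LogonEvent("administrator", "10.10.1.1"),   # blacklisted account
        LogonEvent("carol", "192.168.5.9"),         # blacklisted subnet
        LogonEvent("dave", "10.0.0.8"),             # headquarters-only client
    ]
    return {f"{ev.user}@{ev.ip}": route(ev, blacklist, whitelists) for ev in events}


if __name__ == "__main__":
    for key, targets in demo().items():
        print(f"{key:28s} -> {targets or 'dropped'}")
```

Two points worth noting from the model. Because the blacklist is evaluated first, a per-device whitelist can never re-admit a blacklisted user or subnet, which is the property that keeps the add-on from weakening existing installations. The whitelist also acts on the client IP the DC recorded, so a user whose address is outside the site subnet (VPN pool, roaming over another site's WAN link) is delivered only to the firewalls whose whitelist covers that address; a site whitelist therefore has to include every address range its firewall is expected to authenticate, not just the local LAN.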




