Checkpoint FW-1 Telnet Authentication - PA Alternative?

L3 Networker

Hi

We will be installing 2x PA4050s into our datacentres to replace our current Checkpoint Alteon Switched Firewalls. We use Checkpoint's "telnet authentication" on TCP port 259 to allow super users access through the firewalls based on their IP address at the point of authentication. Is there anything similar that we can do in PA-land to replicate/re-provide this access? On the PA training course the tutor didn't seem to have an answer, but that was a year ago and obviously the code has been added to, but I can't see anything in the release notes that would do the job.

Most of the users are NOT tied into the company's AD, plus the customer has decided NOT to integrate (at least this 1st virtual instance) into any of their ADs (subsequent virtual firewalls created may plug into AD though!!). These users aren't always coming from devices that would support a web-based authentication either.

We do have Cisco ACS for management authentication here, so it's possible we could off-box the authentication database if needed, but the users still need to be able to get their super user access from potentially anywhere (i.e. any source IP) on the network, so it's not something we can hard code down to particular IPs.

Any help - greatly appreciated.

Thanks

L1 Bithead

Set up a Captive Portal that authenticates against Cisco ACS for those users.

Then create a rule which allows those users (once authenticated) to access the systems via telnet.

The only requirement is that the users must go somewhere via an Internet browser to validate themselves.

or

use the SSL VPN function and encrypt that telnet traffic :smileywink:

L3 Networker

Many thanks blacksan, but we're specifically looking for a method that doesn't require web authentication. There are many instances where the people who support the server-side kit in the datacentres won't, for whatever reason, be coming from a device that has a web client. That's where Checkpoint CLI-based telnet authentication has been invaluable. Judging by the lack of replies, I assume that replacement of this sort of access isn't going to be likely!! Still open to suggestions though!

L4 Transporter

Hi There,

If you cannot use a browser to authenticate the user, you may be able to make use of the XML API into the User-ID Agent.

Thanks

James
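To illustrate what James is pointing at, here is an added example (not code from the thread or from Palo Alto Networks) that builds the PAN-OS User-ID XML API `uid-message` used to map an authenticated user to the source IP they authenticated from, with a timeout so the mapping expires, and a matching logout message. The firewall host and API key are placeholders; the authentication step itself (e.g. checking credentials against Cisco ACS before calling this) is assumed to happen elsewhere.

```python
"""Build and send PAN-OS User-ID XML API user-to-IP mappings (added example)."""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "firewall.example.invalid"  # placeholder, not from the thread
API_KEY = "REPLACE_WITH_API_KEY"      # placeholder, not from the thread


def _uid_message(action: str, user: str, ip: str, timeout_minutes: int) -> str:
    """Return a <uid-message> whose payload holds one <login> or <logout> entry."""
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    if not user.strip():
        raise ValueError("user must not be empty")
    ip = str(ipaddress.ip_address(ip))  # rejects malformed addresses
    if timeout_minutes <= 0:
        raise ValueError("timeout must be a positive number of minutes")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    section = ET.SubElement(payload, action)
    # timeout is in minutes; the firewall drops the mapping when it expires,
    # so an operator who never logs out does not keep the access indefinitely
    ET.SubElement(section, "entry", name=user, ip=ip,
                  timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def build_login(user: str, ip: str, timeout_minutes: int = 60) -> str:
    """Mapping that grants the user's policy to traffic from ip."""
    return _uid_message("login", user, ip, timeout_minutes)


def build_logout(user: str, ip: str) -> str:
    """Mapping removal for the same user/ip pair (timeout is required but ignored)."""
    return _uid_message("logout", user, ip, 1)


def send_uid_message(xml_cmd: str) -> bytes:
    """POST the message to the firewall's XML API (type=user-id) and return the reply."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": API_KEY, "cmd": xml_cmd}).encode()
    req = urllib.request.Request(f"https://{FW_HOST}/api/", data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print(build_login("ops-admin1", "10.1.2.3", 30))  # constructed sample values
```

Once the mapping is in place, a security policy whose source user is `ops-admin1` (or a group containing it) applies to that address until the timeout elapses or a logout message is sent.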

L3 Networker

Would this require installing the user agent on an AD device? If so, many of the clients will not have AD accounts. Unless you are describing something different?
