
Using Firewall Authentication as an Alternative to WMIC


WMIC Limitations

The primary method by which the integrated user firewall feature obtains IP address-to-user mapping information is for the SRX Series device to act as a WMI client (WMIC) and read domain-controller event logs and probe PCs over WMI. WMIC has limitations, however, including the following:

  • On Windows XP or Windows Server 2003, the Windows firewall does not allow the WMIC request through, because the Distributed Component Object Model (DCOM) uses dynamic port allocation. On these operating systems, when the Windows firewall is enabled the PC therefore does not respond to the WMIC probe, and no mapping is learned for it.
  • Because the event-log-reading and PC probe functions both use WMI, using a global policy to disable WMI access to PCs also disables event log reading.

Because either case can cause the PC probe to fail, a backup method of obtaining IP address-to-user mappings is needed. That method is to use firewall authentication to identify users.

Firewall Authentication as a Backup Method for IP Address-to-User Mappings

To use firewall authentication to identify users for the integrated user firewall feature, specify a domain name in the set security policies from-zone trust to-zone untrust policy <policy-name> then permit firewall-authentication user-firewall domain <domain-name> statement.

When a domain is configured in that statement, the firewall treats the authentication as a domain authentication entry and passes the domain name to the fwauth process along with the authentication request. After the authentication response is received, the pending domain authentication entry is deleted. The fwauth process then sends the source IP address, username, domain, and other information to the USERID process, which verifies that it is a valid domain user entry and installs it. Subsequent traffic from that source IP address matches this user firewall entry, so identity-based policies apply to it without any WMIC probe having succeeded.
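The following Junos configuration is an added illustration of the backup path described above; it is not from the original page. The zone names trust and untrust come from the statement above, but the policy names, the access profile fw-auth-profile, the domain example.com, the group example.com\engineering and the verification commands are assumptions made for this example and would be replaced with your own values.

```junos
## Added example, not from the original page. Assumed names: policy names,
## access profile fw-auth-profile, domain example.com, group example.com\engineering.

## 1. Catch traffic from IP addresses that have no user mapping yet and force
##    firewall authentication; the domain keyword makes this a domain entry
##    that fwauth hands to the USERID process on success.
set security policies from-zone trust to-zone untrust policy fwauth-backup match source-address any
set security policies from-zone trust to-zone untrust policy fwauth-backup match destination-address any
set security policies from-zone trust to-zone untrust policy fwauth-backup match application junos-http
set security policies from-zone trust to-zone untrust policy fwauth-backup match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy fwauth-backup then permit firewall-authentication user-firewall access-profile fw-auth-profile domain example.com

## 2. Once the USERID process holds a valid domain user entry for the source IP,
##    later traffic matches an identity-based policy like any WMIC-learned entry.
set security policies from-zone trust to-zone untrust policy allow-engineering match source-address any
set security policies from-zone trust to-zone untrust policy allow-engineering match destination-address any
set security policies from-zone trust to-zone untrust policy allow-engineering match application any
set security policies from-zone trust to-zone untrust policy allow-engineering match source-identity "example.com\engineering"
set security policies from-zone trust to-zone untrust policy allow-engineering then permit

## 3. Verification (assumed operational commands): the first shows pending and
##    completed firewall-authentication sessions, the second shows the
##    IP-to-user entries the USERID process currently holds.
show security firewall-authentication users
show security user-identification local-authentication-table all
```

The unauthenticated-user match keeps the authentication policy from re-challenging hosts that already have a mapping, so the two policies do not conflict regardless of their order. Keep the authentication policy scoped to an application the client can answer a challenge on (HTTP here); traffic on other ports from an unmapped host will not trigger the backup path.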

Note: The Active Directory authentication entry that comes from the fwauth process is not subject to the IP filters.

Published: 2014-09-18