https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194520#M36202 <P>Hello mates,</P><P>&nbsp;</P><P>I'm looking for a way to create a "trusted clients" list to populate on full Gaia. Kinda like the "Administrator access"&nbsp; in SMB devices. I have FWs on cca 100 diffrent locations. Some od those locations don't have IT staff capable of other tasks than switching cable from one device to new one. So if SIC is successful than great but if not... Need a way to have acces to remote GWs regardless if policy is installed.</P><P>Br</P><P>&nbsp;</P> Mon, 09 Oct 2023 13:14:14 GMT cir007 2023-10-09T13:14:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194520#M36202 <P>Hello mates,</P><P>&nbsp;</P><P>I'm looking for a way to create a "trusted clients" list to populate on full Gaia. Kinda like the "Administrator access"&nbsp; in SMB devices. I have FWs on cca 100 diffrent locations. Some od those locations don't have IT staff capable of other tasks than switching cable from one device to new one. So if SIC is successful than great but if not... Need a way to have acces to remote GWs regardless if policy is installed.</P><P>Br</P><P>&nbsp;</P> Mon, 09 Oct 2023 13:14:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194520#M36202 cir007 2023-10-09T13:14:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194522#M36203 <P>There is a way to allow WebUI/SSH connectivity to the GW from trusted IPs.</P> <P>Go to Gaia WebUI, switch to Advanced view, then go to System Management / Host Access</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-10-09 at 13.19.00.png" style="width: 672px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22713i7F1ACFAC9D6DAC6C/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-10-09 at 13.19.00.png" alt="Screenshot 2023-10-09 at 13.19.00.png" /></span></P> <P>Add clients that should be allowed to connect to the GW.&nbsp;</P> Mon, 09 Oct 2023 11:22:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194522#M36203 _Val_ 2023-10-09T11:22:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194524#M36205 <P>Hey Val,</P><P>thank you for prompt replay. Tried this before postig my question, sadly it doesn't work. Meaning security policy is processed, before this list. As we can see from the picture, default is "Any"</P><P>&nbsp;</P><P>Br</P> Mon, 09 Oct 2023 11:26:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194524#M36205 cir007 2023-10-09T11:26:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194528#M36206 <P>Partially correct.</P> <P>These rules define limited access through the"Management" interface only, regardless of the policy, if you do not disable the implied rules.</P> <P>Check if you want to redefine internet facing IF as MANAGEMENT. Lab trials are highly recommended.&nbsp;</P> Mon, 09 Oct 2023 11:59:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194528#M36206 _Val_ 2023-10-09T11:59:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194530#M36207 <P>What&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;gave you is only thing Ima ware of as well. Otherwise, policy from the management would come into an effect.</P> <P>Andy</P> Mon, 09 Oct 2023 12:09:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194530#M36207 the_rock 2023-10-09T12:09:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194540#M36212 <P>Hm, OK after some testing in lab I came to the following conclusion and questions:</P><P>&nbsp;</P><P>- CP admin guides must provide more specific intention of the managment interface and its usage</P><P>-meaning GW uses allowed hosts table only when initial policy is loaded, after you install security policy, packet flow to GW is process via policy rules (that was my understaning of the usage of the specific table )</P><P>&nbsp;</P><P><EM>Regardnign impled rules</EM>- is there an implied rule to process the "allowed hosts" table first? If so could you point me in the right direction.</P><P>&nbsp;</P><P><EM>Check if you want to redefine internet facing IF as MANAGEMENT -&nbsp; </EM>to my understanding this sould be the case on all WAN only accesible GWs.&nbsp;OR is there any security limitations? After policy is installed and GW object is defined as destination in security policy, GW is accesible via all interfaces.</P><P>&nbsp;</P><P>So I guess this solve my problem when connecting a new GW, after that if policy is in order access should work.</P><P>Br</P> Mon, 09 Oct 2023 13:49:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Managment-interface-administrator-access-to-GW/m-p/194540#M36212 cir007 2023-10-09T13:49:15Z