https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201323#M37852 <P>Good morning!&nbsp; I need some advice and guidance.&nbsp; I've been tasked with restricting access to a network object to a small group of department users for auditing purposes.&nbsp; The access rule should permit access to this object only to members of this department.</P><P>We are a small shop of 25 users.&nbsp; The department that should be allowed access has 5 members.</P><P>We are in a hybrid environment - both in-office and WFH.</P><P>Restricting users while they are working in the office would be easy - I could just assign them static IPs and allow only those IPs access.</P><P>While WFH - our remote users receive an IP from the Check Point security gateway IP pool network that I have defined.&nbsp; This IP pool is on a separate network than the internal users but is allowed access via access rules.</P><P>Currently we are not utilizing the Identity Awareness blade.&nbsp;&nbsp;</P><P>I'm guessing that this may be the best solution?&nbsp;&nbsp;</P><P>Can someone point me in the right direction?&nbsp; We have a disaster recovery site that I can use for testing purposes.&nbsp;</P><P>&nbsp;</P><P>Thanks guys and gals.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 21 Dec 2023 17:41:41 GMT Joe_Kanaszka 2023-12-21T17:41:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201323#M37852 <P>Good morning!&nbsp; I need some advice and guidance.&nbsp; I've been tasked with restricting access to a network object to a small group of department users for auditing purposes.&nbsp; The access rule should permit access to this object only to members of this department.</P><P>We are a small shop of 25 users.&nbsp; The department that should be allowed access has 5 members.</P><P>We are in a hybrid environment - both in-office and WFH.</P><P>Restricting users while they are working in the office would be easy - I could just assign them static IPs and allow only those IPs access.</P><P>While WFH - our remote users receive an IP from the Check Point security gateway IP pool network that I have defined.&nbsp; This IP pool is on a separate network than the internal users but is allowed access via access rules.</P><P>Currently we are not utilizing the Identity Awareness blade.&nbsp;&nbsp;</P><P>I'm guessing that this may be the best solution?&nbsp;&nbsp;</P><P>Can someone point me in the right direction?&nbsp; We have a disaster recovery site that I can use for testing purposes.&nbsp;</P><P>&nbsp;</P><P>Thanks guys and gals.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 21 Dec 2023 17:41:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201323#M37852 Joe_Kanaszka 2023-12-21T17:41:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201324#M37853 <P>As they say Joe, you hit the nail on the head with IA blade argument and here is why. If you think about it logically, thats really the best feature of IA, it ALWAYS follows the user, regardless what IP they are assigned. Without it, its almost impossible to track those things. So, if identity awareness is not an option, then sounds to me that you have to rely on what IP they get, but then again, if they are assigned OM address from the pool, then most likely, it would always be different when they connect.</P> <P>Best,</P> <P>Andy</P> Thu, 21 Dec 2023 18:14:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201324#M37853 the_rock 2023-12-21T18:14:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201339#M37858 <P>Identity Awareness or IP per user for Office mode e.g. ( $FWDIR/conf/ipassignment.conf ) might by sufficient given the small scale here.</P> Thu, 21 Dec 2023 21:12:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201339#M37858 Chris_Atkinson 2023-12-21T21:12:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201341#M37860 <P>Thanks Chris!&nbsp; Gotta think about this.&nbsp; I'd rather not over-engineer a solution to solve a small issue, but if IA is easy to setup it may be worth it.</P> Thu, 21 Dec 2023 21:42:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201341#M37860 Joe_Kanaszka 2023-12-21T21:42:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201343#M37862 <P>Thanks Rock!&nbsp; Given the small environment, how hard would it be to configure static IPs for the renmote users via the&nbsp;<SPAN>$FWDIR/conf/ipassignment.conf?</SPAN></P> Thu, 21 Dec 2023 21:41:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201343#M37862 Joe_Kanaszka 2023-12-21T21:41:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201344#M37863 <P>Man, thats my new nickname, Rock, among many I already have haha. Anyway, I dont think its hard, but again, going back to what I said, to me, it makes more sense to utilize IA blade, so it goes by user name, no matter what their IP address is.</P> <P>Best,</P> <P>Andy (Rock)</P> Thu, 21 Dec 2023 21:55:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201344#M37863 the_rock 2023-12-21T21:55:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201345#M37864 <P>HA!&nbsp; Makes sense to me as well.&nbsp; Thanks Andy (Rock)!&nbsp; &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 21 Dec 2023 21:57:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201345#M37864 Joe_Kanaszka 2023-12-21T21:57:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201346#M37865 <P>You can also call me Mr Portokalo lol. Thats cause I do Greek accent well haha and it comes from my favorite movie "My big fat Greek wedding". Thats actually one of our Canadian women in it, Nia Vardalos.</P> <P>Best,</P> <P>Andy</P> Thu, 21 Dec 2023 22:05:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201346#M37865 the_rock 2023-12-21T22:05:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201347#M37866 <P>Thanks again Andy!</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 21 Dec 2023 22:07:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201347#M37866 Joe_Kanaszka 2023-12-21T22:07:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201348#M37867 <P>Happy to help mate!</P> <P>Best,</P> <P>Andy aka Rock aka Mr Portokalo</P> Thu, 21 Dec 2023 22:09:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201348#M37867 the_rock 2023-12-21T22:09:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201402#M37893 <P>My Big Fat Greek Wedding was a great movie!</P> Fri, 22 Dec 2023 20:02:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201402#M37893 sbastani 2023-12-22T20:02:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201403#M37894 <P>Yes sir! <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Specially the speech Gus Portokalos gave when Toula got maried <span class="lia-unicode-emoji" title=":rolling_on_the_floor_laughing:">🤣</span><span class="lia-unicode-emoji" title=":rolling_on_the_floor_laughing:">🤣</span><span class="lia-unicode-emoji" title=":rolling_on_the_floor_laughing:">🤣</span></P> <P>Best,</P> <P>Andy</P> Fri, 22 Dec 2023 20:05:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Need-to-create-an-access-control-policy-to-restrict-access-to-a/m-p/201403#M37894 the_rock 2023-12-22T20:05:12Z