<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Identity Awareness – Using Access Roles as Source in Internet Access Rules in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-Using-Access-Roles-as-Source-in-Internet/m-p/279530#M46570</link>
    <description>&lt;P&gt;You can use the Access Role directly in the rule, there's no need to also use the network object. If it's not matching then your gateway probably doesn't have the identities collected. Users will have to do the browser based authentication before the access role will work. If you're expecting a redirect to occur make sure you have that set in the Action part of the rule they will match, and you'll probably need HTTPS Inspection inspecting the connection else we can't redirect it.&lt;/P&gt;</description>
    <pubDate>Mon, 13 Jul 2026 02:02:54 GMT</pubDate>
    <dc:creator>emmap</dc:creator>
    <dc:date>2026-07-13T02:02:54Z</dc:date>
    <item>
      <title>Identity Awareness – Using Access Roles as Source in Internet Access Rules</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-Using-Access-Roles-as-Source-in-Internet/m-p/279528#M46569</link>
      <description>&lt;P&gt;Dear Mates,&lt;/P&gt;&lt;P&gt;I am currently working on an Identity Awareness Blade lab.&lt;/P&gt;&lt;P&gt;I have successfully integrated Microsoft Active Directory (Browser-Based Authentication) with a Check Point standalone deployment.&lt;/P&gt;&lt;P&gt;However, I have a few questions:&lt;/P&gt;&lt;P&gt;Is it possible to create access rules based on users (Access Roles) as the Source for allowing Internet access and specific services, instead of allowing access for the entire network?&lt;BR /&gt;I have enabled Hide NAT for the entire network using the Network Object.&lt;BR /&gt;Do I need to create an access rule with the Network Object as the source first, or can I use only the Access Role as the source in the rule?&lt;BR /&gt;My expectation was that using the Access Role alone would be sufficient, but it does not seem to work.&lt;BR /&gt;During my testing, I noticed that when I specify the Network Object as the source, that rule is matched and takes priority. However, when I use only the Access Role, the traffic does not match the rule.&lt;BR /&gt;I am using a Unified Policy Package with the Application Control and URL Filtering blades enabled.&lt;/P&gt;&lt;P&gt;Could you please suggest the best practice for configuring Identity Awareness policies in this scenario?&lt;/P&gt;&lt;P&gt;Specifically:&lt;/P&gt;&lt;P&gt;Should Access Roles be used alone as the source, or should they be combined with network objects?&lt;BR /&gt;Are there any prerequisites or common configuration issues that could prevent Access Role-based rules from matching?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Saranya&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jul 2026 01:48:38 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-Using-Access-Roles-as-Source-in-Internet/m-p/279528#M46569</guid>
      <dc:creator>Saranya_0305</dc:creator>
      <dc:date>2026-07-13T01:48:38Z</dc:date>
    </item>
    <item>
      <title>Re: Identity Awareness – Using Access Roles as Source in Internet Access Rules</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-Using-Access-Roles-as-Source-in-Internet/m-p/279530#M46570</link>
      <description>&lt;P&gt;You can use the Access Role directly in the rule, there's no need to also use the network object. If it's not matching then your gateway probably doesn't have the identities collected. Users will have to do the browser based authentication before the access role will work. If you're expecting a redirect to occur make sure you have that set in the Action part of the rule they will match, and you'll probably need HTTPS Inspection inspecting the connection else we can't redirect it.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jul 2026 02:02:54 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-Using-Access-Roles-as-Source-in-Internet/m-p/279530#M46570</guid>
      <dc:creator>emmap</dc:creator>
      <dc:date>2026-07-13T02:02:54Z</dc:date>
    </item>
  </channel>
</rss>

