topic Split Policy for Internal Users and Contractors - VPN in SASE and Remote Access

Split Policy for Internal Users and Contractors - VPN

tropicanaslim — Mon, 05 Feb 2024 13:29:26 GMT

Hello Checkpoint Checkmates,

I got some queries from customer regarding how CP best practice for splitting policy for internal users and contractors.

Any possibility with single office mode IP to split the segment for internal users[AD integration] and contractors[local database]? So i can create 2 VPN policies based on the segment IP.

What is the best practice from CP for split policy from AD Users and Local Database? I think this is possible, but i lack of knowledge about this.

Suggestion or input are welcome 🙂 Thankyou

Re: Split Policy for Internal Users and Contractors - VPN

Lesley — Mon, 05 Feb 2024 18:09:12 GMT

Instead making rules based on IP I would make then the rules based on AD group and or local group. Blade Identity Awareness would help then.

I assume you do not have Endpoint? Then you could do stuff with desktop security.

Re: Split Policy for Internal Users and Contractors - VPN

the_rock — Mon, 05 Feb 2024 18:13:44 GMT

@Lesley hit the nail on the head, as they say. Put it this way, identity awareness blade is "golden" in such cases, because it will ALWAYS follow the user, regardless where they log in. If you dont have that enabled, good luck "chasing" the user.

Best,

Andy

Re: Split Policy for Internal Users and Contractors - VPN

tropicanaslim — Tue, 06 Feb 2024 02:50:16 GMT

Yes, we have Endpoint solution use harmony endpoint. Any suggestion to combine VPN and endpoint agent based on these request?

Re: Split Policy for Internal Users and Contractors - VPN

tropicanaslim — Tue, 06 Feb 2024 02:51:00 GMT

thanks @the_rock let me check for this feature and possibility in the customer env.

Re: Split Policy for Internal Users and Contractors - VPN

the_rock — Tue, 06 Feb 2024 03:02:39 GMT

I really think it would help you.

Andy