topic Re: Policy to control users connecting through VPN in SASE and Remote Access

Policy to control users connecting through VPN

Visham — Wed, 19 Apr 2023 05:03:47 GMT

Hello,

My Environment:

Check Point Security Gateway 6600
Gaia R81.20 (Build 627)
IPSec VPN Blade Enabled

I am trying to create a policy to restrict users connecting through VPN to get access to specific Networks and Server:

1. User 1 must access only LAN 2
2. User 2 must only access a specific server in LAN 1
3. User 3 must access LAN 1 and LAN 2

Configuration:

In the "RemoteAccess" VPN Community:

Participating Gateways:
MyGateway - VPN Domain (LAN 1 & LAN 2) in a network group X

Participating User Groups
(User 1, User 2 and User 3) in a user group A

In the Policy:

Source: Access Role containing Group with only User 1
Destination: LAN 2
VPN: RemoteAccess

Source: Access Role containing Group with only User 2
Destination: ServerName
VPN: RemoteAccess

Source: Access Role containing Group with only User 3
Destination: network group X
VPN: RemoteAccess

After creating new policies with the above conditions, the 3 users can access both LAN 1 and LAN 2. It is not working as per policy created.

I believe as all 3 policies are using "RemoteAccess" Community as VPN, it is overriding the policies?

Thanks for any help.

Visham

Re: Policy to control users connecting through VPN

PhoneBoy — Thu, 20 Apr 2023 23:10:27 GMT

Rules with "Any" in the VPN column will also match rules for VPN (either Site-to-Site or Remote Access).
Which means an entirely different rule could have allowed this traffic.
Review the full log card to see what precise rule number matched the relevant traffic.
A screenshot of these logs (with sensitive data redacted) would be helpful.

Re: Policy to control users connecting through VPN

Visham — Fri, 21 Apr 2023 08:38:27 GMT

You are totally right!! Thanks for clearing this out.

An entirely different rule allowed this traffic!

The issue I am getting for my scenario:

1. User 1 must access only LAN 2

2. User 2 must only access a specific server in LAN 1

3. User 3 must access LAN 1 and LAN 2

is that when I add the user in the "source", the policy does not work. From the logs the IP of the VPN client is being blocked. When I add "CP_default_Office_Mode_addresses_pool" in the "source", I can control the access in the policy table for my scenario above.

I wanted to control access based on User, but does not seems to work or I am doing something wrong.

Re: Policy to control users connecting through VPN

G_W_Albrecht — Fri, 21 Apr 2023 09:22:03 GMT

You should use Identity Awareness and Access Roles (sk86441).

Re: Policy to control users connecting through VPN

Visham — Fri, 21 Apr 2023 09:45:03 GMT

Thanks for the hint. Issue is addressed 😁

Re: Policy to control users connecting through VPN

TRajkumar — Fri, 21 Feb 2025 10:14:14 GMT

The above issue for me, i'm using the Azure AD (IDP) to create a access roles. Could you give me the detailed solution to solve.

Identity awareness will help me in my case or i have to do any thing specifically.