https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/101141#M9678 <P>VPN unified access and the rules it follows are not too easy in Check Point. Wrote down some experiences since I haven't seen any collection of this. Could you fix my perceptions to gather a better list?</P><P>&nbsp;</P><P>You have to configure in GW object</P><P>- Identity Awareness: Remote Access - to make Access Role work in rule base</P><P>- Mobile Access: Unified Access Policy - to use Access Roles instead of old policy</P><P>- Rest of the Mobile Access options as you wish</P><P>In rule base</P><P>- If you use Inline layers, you cannot have a legacy user access in the same set as Access roles.</P><P>- If you use Ordered layers, you cannot have a legacy user access in the layer.</P><P>- Remote Access Community is not used in VPN column in Unified rules, but is used to allow user to use Remote Access. It is unknown if it is possible to actually create more than one Remote Access community, at least not from GUI it seems impossible. On the other hand, it is enough to put all user groups to that community to let them authenticate, but maybe it would be nice to create a second community if you want to limit the GW that the users can use.</P><P>- You cannot mix e.g. network objects with Access Roles, even if it lets you put one in the column.</P><P>In Access role objects</P><P>- Only LDAP users/groups OR Internal User Groups in one Access Role - not both</P><P>- Only LDAP users can be added directly to Access Role - not Internal users</P><P>&nbsp;</P><P>Other things to consider?</P><P>&nbsp;</P><P>Btw, how does "Mobile Access differ" from the "VPN clients" section in GW object? What determines which one's settings are used?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Nov 2020 19:24:14 GMT SamiH 2020-11-04T19:24:14Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/101141#M9678 <P>VPN unified access and the rules it follows are not too easy in Check Point. Wrote down some experiences since I haven't seen any collection of this. Could you fix my perceptions to gather a better list?</P><P>&nbsp;</P><P>You have to configure in GW object</P><P>- Identity Awareness: Remote Access - to make Access Role work in rule base</P><P>- Mobile Access: Unified Access Policy - to use Access Roles instead of old policy</P><P>- Rest of the Mobile Access options as you wish</P><P>In rule base</P><P>- If you use Inline layers, you cannot have a legacy user access in the same set as Access roles.</P><P>- If you use Ordered layers, you cannot have a legacy user access in the layer.</P><P>- Remote Access Community is not used in VPN column in Unified rules, but is used to allow user to use Remote Access. It is unknown if it is possible to actually create more than one Remote Access community, at least not from GUI it seems impossible. On the other hand, it is enough to put all user groups to that community to let them authenticate, but maybe it would be nice to create a second community if you want to limit the GW that the users can use.</P><P>- You cannot mix e.g. network objects with Access Roles, even if it lets you put one in the column.</P><P>In Access role objects</P><P>- Only LDAP users/groups OR Internal User Groups in one Access Role - not both</P><P>- Only LDAP users can be added directly to Access Role - not Internal users</P><P>&nbsp;</P><P>Other things to consider?</P><P>&nbsp;</P><P>Btw, how does "Mobile Access differ" from the "VPN clients" section in GW object? What determines which one's settings are used?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Nov 2020 19:24:14 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/101141#M9678 SamiH 2020-11-04T19:24:14Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/101164#M9679 <P>I believe R80.40+ allows mixing network and Access Roles.<BR />For VPN clients, the gateway setting determines what clients are allowed to connect, the Access Role setting determines what clients are included.<BR />This allows you to have a different access policy for different types of clients.</P> <P>And, no, there is only one remote access community.<BR />You cannot create more than one.</P> Thu, 05 Nov 2020 03:30:35 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/101164#M9679 PhoneBoy 2020-11-05T03:30:35Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/112511#M9680 <P>Can I use the same rule (with native application) both with SNX client and Check Point Mobile E83.20?</P><P>&nbsp;</P> Fri, 05 Mar 2021 09:38:28 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Mobile-access-VPN-and-Unified-policy-observations/m-p/112511#M9680 lorenzopugnaghi 2021-03-05T09:38:28Z