https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142332#M6458 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/687">@Danny</a>&nbsp;made a good point...maybe if you send us few screenshots showing how this is configured, we would get better idea to assist you.</P> Wed, 23 Feb 2022 15:58:17 GMT the_rock 2022-02-23T15:58:17Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142258#M6453 <P>Hello,</P><P>I am at the beginning of my journey with CheckPoints. Starting with 1570W. The Security Gateway is very easy to understand and learn.&nbsp;</P><P>I have a question, which I couldn't find the answer for. The gateway is being used as default gateway for 3 subnets - 192.168.1.X, 192.168.2.X and 192.168.99.X. The third subnets is for management.</P><P>I would like to limit the management accessibility in such a way that admins will be able to access the firewall just by the management IP address. Currently, any person on these 3 subnets can access the firewall over port 4434.</P><P>I tried to make a policy, which prevents access over port 4434 to the IP address other then the management IP, but this didn't work.</P><P>Can you please advise if this is achievable?&nbsp;</P> Wed, 23 Feb 2022 03:19:23 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142258#M6453 Kolobok 2022-02-23T03:19:23Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142263#M6454 <P>Can you show us your prevent configuration? What does your firewall log show?</P> Wed, 23 Feb 2022 07:36:05 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142263#M6454 Danny 2022-02-23T07:36:05Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142278#M6455 <P>If you have fixed IPs on the internal networks, you can configure Device &gt; System &gt; Admin Access to let just selected users log in&nbsp;<SPAN>from these 3 subnets...</SPAN></P> Wed, 23 Feb 2022 09:15:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142278#M6455 G_W_Albrecht 2022-02-23T09:15:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142288#M6456 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp; - can you put this to SMB ?</P> Wed, 23 Feb 2022 11:48:19 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142288#M6456 G_W_Albrecht 2022-02-23T11:48:19Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142322#M6457 <P>done</P> Wed, 23 Feb 2022 14:57:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142322#M6457 _Val_ 2022-02-23T14:57:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142332#M6458 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/687">@Danny</a>&nbsp;made a good point...maybe if you send us few screenshots showing how this is configured, we would get better idea to assist you.</P> Wed, 23 Feb 2022 15:58:17 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142332#M6458 the_rock 2022-02-23T15:58:17Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142347#M6460 <P>When you said any person can access the firewall are you referring to accounts with admin permissions?</P> <P>What you are trying is just that the firewall is reachable via 1 IP address only or to just permit access using the least privilege mode to only specific admins accounts?</P> <P>What are your expectations, please elaborate,</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Feb 2022 21:36:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142347#M6460 K_montalvo 2022-02-23T21:36:08Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142358#M6461 <P>Here is a screenshot of the internal interfaces.&nbsp;</P><P>The idea is to allow manage the firewall just by accessing the 192.168.99.1 and prevent the ability to manage it through 192.168.10.1 or 192.168.20.1.</P> Thu, 24 Feb 2022 03:19:17 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142358#M6461 Kolobok 2022-02-24T03:19:17Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142438#M6470 <P>Hello,</P> <P>I found this on the CP_R80.20.35_1500_1600_1800_Appliance_Series_AdminGuide_Locally_Managed starting on page 109; The <STRONG>Device &gt; Administrator Access</STRONG> page lets you configure the IP addresses and interface sources that<BR />administrators can use to access the Quantum Spark Appliance. You can also configure the Web and SSH<BR />ports.</P> <P>I don't know witch Embedded Gaia are you running but you can see if the above works for you,</P> <P><A href="https://sc1.checkpoint.com/documents/SMB_R80.20.35/AdminGuides/Locally_Managed/EN/Topics/Quantum-Spark-1500-1600-1800-Appliance-Series-Overview.htm" target="_blank">https://sc1.checkpoint.com/documents/SMB_R80.20.35/AdminGuides/Locally_Managed/EN/Topics/Quantum-Spark-1500-1600-1800-Appliance-Series-Overview.htm</A></P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 24 Feb 2022 18:44:54 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Limit-management-access/m-p/142438#M6470 K_montalvo 2022-02-24T18:44:54Z