topic How to restrict a remote access user to only allowed to access to one subnet in Spark Firewall (SMB) https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152234#M7054 <P>Hi folks,</P><P>How to restrict a remote access user to only allowed to access to one subnet on spark 1600? Let say I have created a user call "UserA" and grant the remote access permission for that user. From Access Policy &gt; Firewall Access Blade policy is Standard. No user awareness enabled. From Access Policy &gt; Firewall Policy &gt; Incoming, Internal and VPN traffic, I have a rule to allow UserA (source) to access to 192.168.10.0 (destination) for any service.&nbsp;</P><P>But once UserA remotes access to the office, UserA can access any internal subnet but is not restricted to only access 192.168.10.0. Is there anything I have set the CheckPoint device wrongly?&nbsp;</P><P>Thanks</P><P>Ken</P> Mon, 04 Jul 2022 06:08:53 GMT ken2 2022-07-04T06:08:53Z How to restrict a remote access user to only allowed to access to one subnet https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152234#M7054 <P>Hi folks,</P><P>How to restrict a remote access user to only allowed to access to one subnet on spark 1600? Let say I have created a user call "UserA" and grant the remote access permission for that user. From Access Policy &gt; Firewall Access Blade policy is Standard. No user awareness enabled. From Access Policy &gt; Firewall Policy &gt; Incoming, Internal and VPN traffic, I have a rule to allow UserA (source) to access to 192.168.10.0 (destination) for any service.&nbsp;</P><P>But once UserA remotes access to the office, UserA can access any internal subnet but is not restricted to only access 192.168.10.0. Is there anything I have set the CheckPoint device wrongly?&nbsp;</P><P>Thanks</P><P>Ken</P> Mon, 04 Jul 2022 06:08:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152234#M7054 ken2 2022-07-04T06:08:53Z Re: How to restrict a remote access user to only allowed to access to one subnet https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152238#M7055 <P>Please add screenshots here</P> Mon, 04 Jul 2022 07:50:04 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152238#M7055 _Val_ 2022-07-04T07:50:04Z Re: How to restrict a remote access user to only allowed to access to one subnet https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152241#M7056 <P>When enabling RA VPN, you check "allow traffic from Remote Access users" and a buildt-in rule is enabled. Disable it and your rule will work.</P> Mon, 04 Jul 2022 08:02:29 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152241#M7056 G_W_Albrecht 2022-07-04T08:02:29Z Re: How to restrict a remote access user to only allowed to access to one subnet https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152250#M7057 <P>Here are the screenshots...&nbsp;</P><P>UserA has remote access granted</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="userA_setting.png" style="width: 550px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17093i98609385E677897D/image-size/large?v=v2&amp;px=999" role="button" title="userA_setting.png" alt="userA_setting.png" /></span></P><P>From the Incoming, Internal and VPN traffic, I have created Onlyto Network object group in which only contain the 192.168.10.0 subnet.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="userA.png" style="width: 724px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17094i27AEDB630DA661FF/image-size/large?v=v2&amp;px=999" role="button" title="userA.png" alt="userA.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bladesetting.PNG" style="width: 741px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17095iD1B6E8EF35CFEB11/image-size/large?v=v2&amp;px=999" role="button" title="bladesetting.PNG" alt="bladesetting.PNG" /></span></P><P>There is another auto Generated rules referring to VPN Remote Access in which I do not have a clue of what it is.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="autogeneratedRule.PNG" style="width: 695px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17096i9D1C0779B4AC951F/image-size/large?v=v2&amp;px=999" role="button" title="autogeneratedRule.PNG" alt="autogeneratedRule.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="userAwareness.PNG" style="width: 709px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17097iFB06E4719CF0E775/image-size/large?v=v2&amp;px=999" role="button" title="userAwareness.PNG" alt="userAwareness.PNG" /></span></P><P>Thanks _Val_</P> Mon, 04 Jul 2022 08:26:21 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152250#M7057 ken2 2022-07-04T08:26:21Z Re: How to restrict a remote access user to only allowed to access to one subnet https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152252#M7058 <P>&nbsp;</P><P>Hi, thanks for you reply, too. Do you mean to uncheck the Allow traffic from Remote Access users checkbox in order to get the rule valid? If I uncheck the box, can UserA still be able to do remote access from the outside world?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="raSetting.PNG" style="width: 704px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17098i301D17F3C4B01258/image-size/large?v=v2&amp;px=999" role="button" title="raSetting.PNG" alt="raSetting.PNG" /></span></P> Mon, 04 Jul 2022 08:29:46 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152252#M7058 ken2 2022-07-04T08:29:46Z Re: How to restrict a remote access user to only allowed to access to one subnet https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152253#M7059 <P>If there is a manual rule granting access to UserA he will - the other 14 users have no access then without new rules...</P> Mon, 04 Jul 2022 08:33:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/How-to-restrict-a-remote-access-user-to-only-allowed-to-access/m-p/152253#M7059 G_W_Albrecht 2022-07-04T08:33:51Z