- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Hi all,
We currently have an environment integrated with Microsoft Entra ID and Check Point, using Identity Awareness with Access Roles.
At the moment, our policy is structured as follows:
We use an inline layer rule.
In the parent rule, we define the VPN C2S network (IP pool) as the source.
In the child rules, we define multiple Access Roles as the source.
Each Access Role maps to Entra ID groups using the naming convention EXT_ID_<group_name>, as described in the admin guide.
However, although this setup is currently allowing traffic, it is effectively working due to the cleanup rule in the inline layer being set to Accept, which we understand is not a correct or secure design.
However, we are evaluating a policy redesign. The idea is to move toward a cleaner rule structure where each Access Role would have its own rule.
That said, a question came up internally:
👉 Is it possible to create a group of Access Roles (similar to a Network Group), so that multiple Access Roles can be combined into a single object and used in one rule?
Has anyone implemented something similar, or is there a recommended workaround or best practice for this scenario?
Thanks in advance for your insights!
I don't know that we can group access roles, but traditionally we can put multiple AD groups into one Access role. That wouldn't work with your Entra setup though due to how the naming scheme works to use them.
What I would suggest though is to get in touch with your local sales office to see if Infinity Identity will work for you, as it more properly integrates with Entra ID and does away with the clunky 'ext_id_' groups. There would be some things to work out with how it integrates with your remote access solution but it would give you the option to be adding multiple Entra groups into your Access Roles.
I was reviewing this video, and my idea is to add multiple User Groups to the same Access Role.
You should be able to do that. If you wish to group multiple access roles, thats possible too.
My main concern is that the User Group objects with the naming convention EXT_ID_<Azure group name> may not be properly identified.
While reviewing the documentation and the video, I understand that these User Groups are associated with an Access Role. However, I am unsure whether a separate Access Role is required for each User Group, or if multiple User Groups can be grouped within a single Access Role.
What is the video you mentioned? I dont see any link for it.
Im fairly sure name would need to match and you would be able to add mulsiple groups in a single access role.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 70 | |
| 23 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Fri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY