jennyado
Collaborator

Grouping multiple Access Roles into a single object

Hi all,

We currently have an environment integrated with Microsoft Entra ID and Check Point, using Identity Awareness with Access Roles.

At the moment, our policy is structured as follows:

  • We use an inline layer rule.

  • In the parent rule, we define the VPN C2S network (IP pool) as the source.

  • In the child rules, we define multiple Access Roles as the source.

  • Each Access Role maps to Entra ID groups using the naming convention EXT_ID_<group_name>, as described in the admin guide.

Although this setup currently allows traffic, it is effectively working because the cleanup rule in the inline layer is set to Accept, which we understand is not a correct or secure design.

Because of this, we are evaluating a policy redesign. The idea is to move toward a cleaner rule structure where each Access Role would have its own rule.

That said, a question came up internally:

👉 Is it possible to create a group of Access Roles (similar to a Network Group), so that multiple Access Roles can be combined into a single object and used in one rule?

Has anyone implemented something similar, or is there a recommended workaround or best practice for this scenario?

Thanks in advance for your insights!

0 Kudos
1 Reply
emmap
MVP Gold CHKP

I don't know that we can group access roles, but traditionally we can put multiple AD groups into one Access role. That wouldn't work with your Entra setup though due to how the naming scheme works to use them. 

What I would suggest though is to get in touch with your local sales office to see if Infinity Identity will work for you, as it more properly integrates with Entra ID and does away with the clunky 'ext_id_' groups. There would be some things to work out with how it integrates with your remote access solution, but it would give you the option to add multiple Entra groups into your Access Roles.
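To make the concern in the original post concrete (an inline layer, entered from the VPN C2S pool, whose cleanup rule Accepts so identity is never actually enforced), here is a small audit that walks a rulebase export and flags exactly that. This is an added example, not code from the post, the reply, or Check Point. It assumes the JSON shape returned by the Management API command `show access-rulebase` with details-level "full": each rule carries "source", "destination", "service" and "action" objects with a "name", an access-section nests its rules under "rulebase", and a parent rule names its inline layer under "inline-layer". The export is constructed for the example, and the layer, pool and role names (VPN_C2S_Pool, VPN_C2S_Users, AR_EXT_ID_*) are hypothetical. The constructed "IT admins" rule also shows the pattern the post already uses: several Access Roles listed together in one rule's source, which matches a user in any of them without needing a group object.

```python
# Added example, not code from the post or from Check Point. Assumes the
# JSON shape of `show access-rulebase` (details-level "full"): rules carry
# source/destination/service/action objects with a "name", sections nest
# their rules under "rulebase", a parent rule names its inline layer under
# "inline-layer". Layer, pool and role names below are hypothetical.

def _obj(name, typ):
    return {"name": name, "type": typ}

ANY = _obj("Any", "CpmiAnyObject")

def _rule(name, source, destination, service, action, inline_layer=None):
    rule = {"type": "access-rule", "name": name, "source": source,
            "destination": destination, "service": service,
            "action": _obj(action, "RulebaseAction")}
    if inline_layer:
        rule["inline-layer"] = _obj(inline_layer, "access-layer")
    return rule

# Constructed exports keyed by layer name, one per `show access-rulebase` call.
RULEBASES = {
    "Network": {"rulebase": [
        _rule("Remote access users", [_obj("VPN_C2S_Pool", "network")],
              [ANY], [ANY], "Apply Layer", inline_layer="VPN_C2S_Users"),
        _rule("Cleanup rule", [ANY], [ANY], [ANY], "Drop"),
    ]},
    "VPN_C2S_Users": {"rulebase": [
        {"type": "access-section", "name": "Finance", "rulebase": [
            _rule("Finance to ERP", [_obj("AR_EXT_ID_Finance", "access-role")],
                  [_obj("ERP_Servers", "group")], [_obj("https", "service-tcp")],
                  "Accept")]},
        # Several Access Roles in one source: the rule matches any of them.
        _rule("IT admins", [_obj("AR_EXT_ID_IT", "access-role"),
                            _obj("AR_EXT_ID_NetOps", "access-role")],
              [_obj("Mgmt_Servers", "group")], [_obj("ssh", "service-tcp")], "Accept"),
        # The weak spot from the post: a catch-all Accept ends the identity layer.
        _rule("Cleanup rule", [ANY], [ANY], [ANY], "Accept"),
    ]},
}

def iter_rules(layer_export):
    """Yield access rules in rulebase order, descending into sections."""
    for item in layer_export.get("rulebase", []):
        if item.get("type") == "access-section":
            yield from iter_rules(item)
        elif item.get("type") == "access-rule":
            yield item

def is_any(objs):
    return [o["name"] for o in objs] == ["Any"]

def access_roles(rule):
    """Sorted names of the Access Roles in a rule's source."""
    return sorted(o["name"] for o in rule["source"] if o["type"] == "access-role")

def audit(top_layer, rulebases):
    """Walk a layer and every inline layer it applies.

    Returns (findings, roles_by_rule). A finding is an Accept rule that
    bypasses identity: a catch-all Accept anywhere, or an Any-source Accept
    inside an inline (identity) layer. roles_by_rule maps (layer, rule name)
    to the Access Roles that rule uses.
    """
    findings, roles_by_rule, seen = [], {}, set()

    def walk(layer, inline):
        if layer in seen:  # the same layer applied from two parent rules
            return
        seen.add(layer)
        for rule in iter_rules(rulebases[layer]):
            roles = access_roles(rule)
            if roles:
                roles_by_rule[(layer, rule["name"])] = roles
            accept = rule["action"]["name"] == "Accept"
            any_src = is_any(rule["source"])
            catch_all = any_src and is_any(rule["destination"]) and is_any(rule["service"])
            if accept and catch_all:
                findings.append({"layer": layer, "rule": rule["name"],
                                 "issue": "catch-all Accept: cleanup should Drop"})
            elif accept and any_src and inline:
                findings.append({"layer": layer, "rule": rule["name"],
                                 "issue": "Any-source Accept inside identity layer"})
            if "inline-layer" in rule:
                walk(rule["inline-layer"]["name"], True)

    walk(top_layer, False)
    return findings, roles_by_rule

def remediation_payloads(findings):
    """`set access-rule` bodies that switch each catch-all Accept to Drop."""
    return [("set access-rule", {"layer": f["layer"], "name": f["rule"], "action": "Drop"})
            for f in findings if f["issue"].startswith("catch-all")]

if __name__ == "__main__":
    found, roles = audit("Network", RULEBASES)
    for f in found:
        print(f"{f['layer']} / {f['rule']}: {f['issue']}")
    for (layer, name), rs in roles.items():
        print(f"{layer} / {name} uses {', '.join(rs)}")
```

Run stand-alone it reports the VPN_C2S_Users cleanup rule and lists which rule uses which roles. Against a real environment you would feed it one `show access-rulebase` result per layer (the parent layer plus each inline layer it references), and the `set access-rule` bodies still need a `publish` and a policy install before they take effect. The remediation only touches the catch-all case; an Any-source Accept inside the identity layer is reported but left for a person to decide which Access Role it should carry.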
