Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Brandon_Cotter
Contributor
Jump to solution

Assign Office Mode Remote Access clients to a security zone?

Hi, I'm trying to build a policy that makes the switch from network-based to zone-based. I'd like it if the Office Mode clients were in Security Zone "VPNZone," but since they are not associated with an interface, I am not sure if I can do that. Any advice?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
Why not create an Access Role for Remote Access users and use that instead of a zone?

View solution in original post

0 Kudos
7 Replies
Danny
Champion Champion
Champion

If though you can use security zones with Check Point you should be aware that Check Point isn't a provider of classic zone based firewalls. Therefore using security zones comes with a couple of limitations.

0 Kudos
Brandon_Cotter
Contributor
When they are making the IPSEC connection with a source IP of their public address, they are in ExternalZone - but that's true even once they've gotten an Office Mode IP, and their originating address changes?

I think I might have a workaround. If I create a rule that allows all traffic from VPN clients and apply that only to the remote access VPN gateway, I can create an interface on the adjacent DMZ gateway, assign that interface to "VPNZone," and then use that zone in policy, as all DMZ-bound traffic from Office Mode clients will be coming in on that interface.
0 Kudos
PhoneBoy
Admin
Admin
Why not create an Access Role for Remote Access users and use that instead of a zone?
0 Kudos
Brandon_Cotter
Contributor

I considered that, but since we have Identity Collectors inside, the Access roles would also match those AD users when not logged in to VPN. We do VPN required for privileged access to resources (SSH, SQL, etc). Still, that's worth noodling.

0 Kudos
PhoneBoy
Admin
Admin

Not if you specify a specific VPN client be used as part of the Access Role.  

Screen Shot 2020-07-10 at 3.07.21 PM.png

Brandon_Cotter
Contributor
Dude, yes! I didn't know about that. Thank you!
0 Kudos
PhoneBoy
Admin
Admin
That was added in R80.10.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events