This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
User1234
Contributor
‎2022-01-13 12:24 AM

Comparision network group and access role

When having a access role only consisting of a network group, is it worth the same as the network group itself when applying each of them in a rule?

NG-A consists of the network 192.168.0.0/24

AR-B consists of NG-A and has users, machines, and remote access clients set to any.

Is there a difference when using AR-B in a rule, than directly the NG-A?

0 Kudos
2 Replies
Tobias_Moritz
Advisor
‎2022-01-13 06:29 AM

I've never actually tried that to be honest, but lets think about it:

  • Gateway allows traffic, when it matches an allow rule in rulebase (somewhat simplified)
  • When you use an access role in a rule as source (common example), this rule will only match, wenn connection source is associated to that access role from this gateways point of view.
  • A gateway associates an ip adress with an access role, when its pepd (via its pep table) tells it so. Check it with command "pep s u q usr cid IP-ADDRESS"
  • A gateways pep table is populated by pdpd (via its pdp table). Check it with command "pdp monitor ip IP-ADDRESS" on the responsible pdp in your environment
  • A pdp gets its pdp tabled filled by the various identity sources you configure (legacy AD-Query, Identity Collector, Identity Agents, RADIUS, Remote Access, ...)

This means that there is a difference between a network group and an access-role filled with the same network group and set all other filters to any: The access-role will only match, wenn there is a identity acquired for the ip address. It does not matter which identity or identity type and what group memberships this identity may have or which account unit it may belong to. But is has to be a learned identity for that ip adress.

When using a network group, matching is only done by ip address.

abihsot__
Advisor
‎2022-01-18 01:28 AM

Also you are introducing additional layer of Identity Awareness blade. Don't get me wrong, I like IA, however when you get nasty bug and identities are not fetched properly then your rule would intermittently stop working. That's not much of the fun

0 Kudos