Comparison network group and access role

When having an access role only consisting of a network group, is it worth the same as the network group itself when applying each of them in a rule?

NG-A consists of the network

AR-B consists of NG-A and has users, machines, and remote access clients set to any.

Is there a difference when using AR-B in a rule, than directly the NG-A?

2 Replies

I've never actually tried that to be honest, but let's think about it:

  • Gateway allows traffic when it matches an allow rule in the rulebase (somewhat simplified)
  • When you use an access role in a rule as source (common example), this rule will only match when the connection source is associated to that access role from this gateway's point of view.
  • A gateway associates an IP address with an access role when its pepd (via its pep table) tells it so. Check it with the command "pep s u q usr cid IP-ADDRESS"
  • A gateway's pep table is populated by pdpd (via its pdp table). Check it with the command "pdp monitor ip IP-ADDRESS" on the responsible pdp in your environment
  • A pdp gets its pdp table filled by the various identity sources you configure (legacy AD-Query, Identity Collector, Identity Agents, RADIUS, Remote Access, ...)

This means that there is a difference between a network group and an access role filled with the same network group with all other filters set to any: the access role will only match when there is an identity acquired for the IP address. It does not matter which identity or identity type, what group memberships this identity may have, or which account unit it may belong to. But it has to be a learned identity for that IP address.

When using a network group, matching is done by IP address only.
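As an added illustration (not code from the poster or from Check Point), a small Python model of the matching logic described above: a network group matches on the source IP alone, while an access role whose users, machines and remote access clients are set to any additionally requires a learned identity for that IP in the gateway's pep table. The class names, sample networks and pep-table entries are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NetworkGroup:
    """Network group: matches on IP address only (constructed model)."""
    name: str
    networks: list

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)


@dataclass
class AccessRole:
    """Access role with networks = a group and users/machines/RA clients = any."""
    name: str
    networks: NetworkGroup

    def contains(self, ip: str, pep_table: dict) -> bool:
        # Network restriction first: the same test as the bare network group.
        if not self.networks.contains(ip):
            return False
        # With every other filter at 'any', the only extra condition is that the
        # gateway's pep table already holds a learned identity for this source IP.
        return ip in pep_table


# Constructed sample objects: NG-A is one subnet, AR-B wraps it.
NG_A = NetworkGroup("NG-A", ["10.1.0.0/24"])
AR_B = AccessRole("AR-B", NG_A)
# Constructed pep table as the gateway would hold it: source IP -> learned identity.
PEP_TABLE = {"10.1.0.5": "CORP\\alice", "10.1.0.7": "machine:PC-0042"}


def rule_matches(source_ip: str, source_object, pep_table: dict = PEP_TABLE) -> bool:
    """Evaluate the source column of a rule for one connection."""
    if isinstance(source_object, AccessRole):
        return source_object.contains(source_ip, pep_table)
    return source_object.contains(source_ip)


def compare(source_ip: str) -> tuple:
    """Return (matches NG-A, matches AR-B) for one source IP."""
    return rule_matches(source_ip, NG_A), rule_matches(source_ip, AR_B)


if __name__ == "__main__":
    for ip in ["10.1.0.5", "10.1.0.9", "10.2.0.5"]:
        print(ip, compare(ip))
```

10.1.0.9 is inside NG-A but has no identity in the pep table, so it matches the network-group rule and fails the access-role rule; once pdpd pushes an identity for it, both match.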


Also, you are introducing an additional layer: the Identity Awareness blade. Don't get me wrong, I like IA, however when you get a nasty bug and identities are not fetched properly, your rule would intermittently stop working. That's not much fun.

