This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Brandon_Cotter
Contributor
‎2020-07-10 10:34 AM
Jump to solution

Assign Office Mode Remote Access clients to a security zone?

Hi, I'm trying to build a policy that makes the switch from network-based to zone-based. I'd like it if the Office Mode clients were in Security Zone "VPNZone," but since they are not associated with an interface, I am not sure if I can do that. Any advice?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-07-10 01:39 PM
Jump to solution

Why not create an Access Role for Remote Access users and use that instead of a zone?

View solution in original post

0 Kudos
7 Replies
Danny
Champion Champion
Champion
‎2020-07-10 11:11 AM
Jump to solution

If though you can use security zones with Check Point you should be aware that Check Point isn't a provider of classic zone based firewalls. Therefore using security zones comes with a couple of limitations.

0 Kudos
Brandon_Cotter
Contributor
‎2020-07-10 11:17 AM
In response to Danny
Jump to solution

When they are making the IPSEC connection with a source IP of their public address, they are in ExternalZone - but that's true even once they've gotten an Office Mode IP, and their originating address changes?

I think I might have a workaround. If I create a rule that allows all traffic from VPN clients and apply that only to the remote access VPN gateway, I can create an interface on the adjacent DMZ gateway, assign that interface to "VPNZone," and then use that zone in policy, as all DMZ-bound traffic from Office Mode clients will be coming in on that interface.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-10 01:39 PM
Jump to solution

Why not create an Access Role for Remote Access users and use that instead of a zone?
0 Kudos
Brandon_Cotter
Contributor
‎2020-07-10 02:04 PM
In response to PhoneBoy
Jump to solution

I considered that, but since we have Identity Collectors inside, the Access roles would also match those AD users when not logged in to VPN. We do VPN required for privileged access to resources (SSH, SQL, etc). Still, that's worth noodling.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-10 03:08 PM
In response to Brandon_Cotter
Jump to solution

Not if you specify a specific VPN client be used as part of the Access Role.  

Screen Shot 2020-07-10 at 3.07.21 PM.png

Brandon_Cotter
Contributor
‎2020-07-10 03:10 PM
In response to PhoneBoy
Jump to solution

Dude, yes! I didn't know about that. Thank you!
0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-10 03:11 PM
In response to Brandon_Cotter
Jump to solution

That was added in R80.10.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events