This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alexander_Koch
Contributor
‎2019-12-23 12:14 AM

Allow an Non-Admin to allow VPN user for specific time range

Hello all,

within an organisation some VPN users are for technicians outside the organisation. They are from

vendors to help in emergencies or to maintain the vendor machines.  The requirement is to allow these

users in case of an emergency without to have call an firewall admin to allow the user in the policy. 

 

At the moment I tend to solve this via management API and time objects, it seems for me the best solution.

To have a sub-layer and an admin account with less privileges was another thought. The user properties

looks not so flexible.

 

This requirement seems not to unusually, so how is this solved by others?

 

Regards,

Alex

  

7 Replies
Maarten_Sjouw
Champion
Champion
‎2019-12-23 01:40 AM

Within a layer you can allow a defined read-only admin user write access without needing the access to any other layer.

That said, you could build a webpage that would be allowed to update that layer with a single click, for instance telling it to allow the user in for the next hour.

Regards, Maarten
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-12-23 03:01 AM
In response to Maarten_Sjouw

If these are contractors another option may simply be to control this at the Active Directory level depending on the specifics?

 

- Group membership & Identity Rules

- Account Enabled or Disabled

 

CCSM R77/R80/ELITE
0 Kudos
Alexander_Koch
Contributor
‎2019-12-27 12:30 AM
In response to Chris_Atkinson

The requirement is to have Check Point Users. You're right, with an
external user directory this would be easy.
Alexander_Koch
Contributor
‎2019-12-27 12:32 AM
In response to Maarten_Sjouw

So instead of Time Object just a complete layer. Will look into that.

With that the API user will have lower rights than using Time Objects, is that what you mean?
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-12-27 08:35 AM
In response to Alexander_Koch

Not really, what I mean is that the user behind the webpage will have enough rights to be able to edit the rules in the layer. But the user accessing the webpage does not have to be the same user as the one used in the background for the API.
Regards, Maarten
Alexander_Koch
Contributor
‎2019-12-27 10:39 AM
In response to Maarten_Sjouw

Yes, that was also my thoughts. A webpage with own users and a "backend" wich has the Check Point API user.

 

At the moment my idea is to have time objects with tags. The tags helps to identify the time objects. The firewall

admin can build the rules needed and give the rules the time objects.

The non firewall user log into a webpage and sees only the time objects he could allow. A click and the time

object will be updated to allow the rule for some hours.

What would be the benefit of layers instead of time objects? At the moment I cannot use layers anyway. But I'm

always happy to hear opinions.

 

The requirement for such a scenario seems not to specific, perhaps there are other solutions which are I'm

not aware of.

 

Regards,

Alex

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-12-27 03:08 PM
In response to Alexander_Koch

Well the main advantage of using a layer is that you can allow the user that needs to modify the time object, only access to the layer that could contain a rule stating any any any accept during-time.
The next rule will be a drop rule and the layer rule will be the exact allow rule with the proper src-dst and port.
Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events