Alexander_Koch
Contributor

Allow a Non-Admin to allow a VPN user for a specific time range

Hello all,

Within an organisation some VPN users are for technicians outside the organisation. They are from vendors to help in emergencies or to maintain the vendor machines. The requirement is to allow these users in case of an emergency without having to call a firewall admin to allow the user in the policy.

At the moment I tend to solve this via the management API and time objects; it seems to me the best solution.

To have a sub-layer and an admin account with fewer privileges was another thought. The user properties look not so flexible.

This requirement seems not too unusual, so how is this solved by others?

 

Regards,

Alex


7 Replies
Maarten_Sjouw
Champion

Within a layer you can allow a defined read-only admin user write access without needing the access to any other layer.

That said, you could build a webpage that would be allowed to update that layer with a single click, for instance telling it to allow the user in for the next hour.

Regards, Maarten
Chris_Atkinson
Employee

If these are contractors, another option may simply be to control this at the Active Directory level, depending on the specifics:

- Group membership & Identity Rules

- Account Enabled or Disabled

CCSM R77/R80/ELITE
Alexander_Koch
Contributor

The requirement is to have Check Point Users. You're right, with an external user directory this would be easy.
Alexander_Koch
Contributor

So instead of a Time Object just a complete layer. Will look into that.

With that the API user will have lower rights than when using Time Objects, is that what you mean?
Maarten_Sjouw
Champion

Not really, what I mean is that the user behind the webpage will have enough rights to be able to edit the rules in the layer. But the user accessing the webpage does not have to be the same user as the one used in the background for the API.
Regards, Maarten
Alexander_Koch
Contributor

Yes, those were also my thoughts. A webpage with its own users and a "backend" which has the Check Point API user.

At the moment my idea is to have time objects with tags. The tags help to identify the time objects. The firewall admin can build the rules needed and give the rules the time objects.

The non-firewall user logs into a webpage and sees only the time objects he could allow. A click and the time object will be updated to allow the rule for some hours.

What would be the benefit of layers instead of time objects? At the moment I cannot use layers anyway. But I'm always happy to hear opinions.

The requirement for such a scenario seems not too specific; perhaps there are other solutions which I'm not aware of.

 

Regards,

Alex

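The backend Alex describes above (a web user clicks, the backend extends a tagged time object through the Management API), as an added example that is not code from the thread or from Check Point. It assumes the https://<mgmt>/web_api/<command> layout with the session id in the X-chkp-sid header and the show-times / set-time / publish commands with start/end given as date and time strings; the host, tag name and credentials are placeholders. The tag check is the least-privilege point: the backend refuses to touch any time object the firewall admin did not tag for this purpose.

```python
"""Added example (not from the thread): open a tagged time object for a few
hours via the Check Point Management API.  Assumed, not confirmed here: the
https://<mgmt>/web_api/<command> layout with X-chkp-sid as session header and
start/end bodies of the form {"date": "06-May-2024", "time": "14:30"}."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

MGMT = "https://mgmt.example.invalid"   # placeholder management server
TAG = "vendor-vpn"                       # only objects carrying this tag may be changed

def window_payload(name, hours, now_iso=""):
    """Build the set-time body that opens `name` from now for `hours` hours."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    end = now + timedelta(hours=hours)
    stamp = lambda d: {"date": d.strftime("%d-%b-%Y"), "time": d.strftime("%H:%M")}
    return {"name": name, "start": stamp(now), "end": stamp(end), "end-never": False}

def allowed_objects(times, tag=TAG):
    """Names of time objects carrying `tag`; everything else is off limits."""
    return [t["name"] for t in times
            if tag in {g.get("name") for g in t.get("tags", [])}]

def _http_post(url, body, headers):
    req = urllib.request.Request(url, json.dumps(body).encode(), headers)  # POST
    with urllib.request.urlopen(req) as resp:   # TLS verification stays on
        return json.load(resp)

class MgmtApi:  # minimal session wrapper; `post` is injectable for offline tests
    def __init__(self, base=MGMT, post=_http_post):
        self.base, self.post, self.sid = base, post, None

    def call(self, cmd, body):
        hdr = {"Content-Type": "application/json"}
        if self.sid:
            hdr["X-chkp-sid"] = self.sid
        return self.post(f"{self.base}/web_api/{cmd}", body, hdr)

    def open_window(self, user, password, name, hours=2):
        """Log in, refuse untagged objects, extend the window, publish, log out."""
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        try:
            times = self.call("show-times", {"limit": 500, "details-level": "full"})
            if name not in allowed_objects(times["objects"]):
                raise PermissionError(f"{name} is not tagged {TAG}")
            self.call("set-time", window_payload(name, hours))
            return self.call("publish", {})
        finally:
            self.call("logout", {})
```

The API account used here only needs rights on the time objects it edits; the web user never sees those credentials.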
Maarten_Sjouw
Champion

Well, the main advantage of using a layer is that you can give the user that needs to modify the time object access only to the layer, which could contain a rule stating any any any accept during-time.
The next rule will be a drop rule and the layer rule will be the exact allow rule with the proper src-dst and port.
Regards, Maarten
