This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkiYa
Collaborator
‎2022-09-23 08:59 AM
Jump to solution

Cannot reach Azure VM when MFA active

Hi,

I have a strange issue while connecting to some Azure Cloud VM when using the remote access with MFA.

There is a s2s VPN between the HQ firewall and the Azure Cloud, everything works from LAN clients to the VMs;

People connecting with Remote Access (default AD authentication), can reach the Azure VMs;

People connecting with Remote Access with MFA (Microsoft Authenticator), can't reach these VMs; All the traffic to the LAN or even to another branch office (s2s) passes.

 

If I change the authentication method on the same client I can reach or not the VMs, so I suppose that something happens on "Microsoft side", but I can't understand what.
The logs on the firewall just show VPN routing when connected without MFA, and drops when using it.

Can you help me?

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-09-26 08:25 AM
In response to AkiYa
Jump to solution

AD_Users@Any will only work with legacy authentication methods.\
In general, this should no longer be used.
The correct way to do this is with an Access Role.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2022-09-25 02:50 PM
Jump to solution

Version/JHF level?
What are the precise rules in the Access Policy that are permitting the two groups of users?
Are they different rules?
Please provide a screen shot of log card entries for the two classes of users (masking sensitive data) and the relevant rules.

0 Kudos
AkiYa
Collaborator
‎2022-09-26 12:47 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

the cluster is R80.40 with two 6700 appliances, take 158

The rules are quite simple:
- Source: LAN, server_network, OfficeMode_network
- Destination: Azure_VMs_network
- VPN: Azure_VPN
- Services&App: icmp, rdp, HttpandHttps, tcp_(some custom ports)
- Action: Accept

The rule above is matched for LAN to Azure connections.

 

- Source: AD_Users@Any
- Destination: Azure_VMs_network
- VPN: RemoteAccess
- Services&App: icmp, rdp, HttpandHttps, tcp_(some custom ports)
- Action: Accept

The rule above is matched from VPN remote access users WITHOUT mfa, just normal AD user/psw match

1.png

- Source: Any
- Destination: Azure_VMs_network
- VPN: Any
- Services&App: Any
- Action: Drop

The rule above is matched from VPN remote access users using mfa.

2.png

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-26 08:25 AM
In response to AkiYa
Jump to solution

AD_Users@Any will only work with legacy authentication methods.\
In general, this should no longer be used.
The correct way to do this is with an Access Role.

0 Kudos
AkiYa
Collaborator
‎2022-09-28 01:03 AM
In response to PhoneBoy
Jump to solution

Thank you,

we figured out that the problem was about this group: with MFA authentication another group was triggered and since there wasn't the specific rule the traffic was not passing.

Adding a rule with the MFA group did the trick.

But if I understand well I could just use the Access Role and the user should match for both the auth methods, is it right?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-29 07:16 AM
In response to AkiYa
Jump to solution

Yes, assuming the Access Role covers all Remote Access users.

_Val_
Admin
Admin
‎2022-09-25 11:31 PM
Jump to solution

Do you use Office Mode for your RAS VPN connectivity? Also, cloud VM, is it part of RAS VPN site? If not, you may need to force all traffic to be routed through the central VPN GW to make it work.

0 Kudos
AkiYa
Collaborator
‎2022-09-26 12:54 AM
In response to _Val_
Jump to solution

Hi _Val_,

yes I do use Office Mode and no, the cloud VM is not part of the RAS VPN site.

I already tried to set the Endpoint client to force all the traffic to the gateway but it doesn't change the behavior.

What I cannot understand is the relationship between the use of the Azure MFA (or not) and the VPN routing; I suppose that the MFA should be involved in the authentication process only, but I have the feeling that since I'm also connecting to Azure VMs it might be a sort of "mismatch" of the users allowed to access it, but it would be a nonsense to me.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events