This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SamiH
Contributor
‎2020-11-04 11:24 AM

Mobile access VPN and Unified policy observations

VPN unified access and the rules it follows are not too easy in Check Point. Wrote down some experiences since I haven't seen any collection of this. Could you fix my perceptions to gather a better list?

 

You have to configure in GW object

- Identity Awareness: Remote Access - to make Access Role work in rule base

- Mobile Access: Unified Access Policy - to use Access Roles instead of old policy

- Rest of the Mobile Access options as you wish

In rule base

- If you use Inline layers, you cannot have a legacy user access in the same set as Access roles.

- If you use Ordered layers, you cannot have a legacy user access in the layer.

- Remote Access Community is not used in VPN column in Unified rules, but is used to allow user to use Remote Access. It is unknown if it is possible to actually create more than one Remote Access community, at least not from GUI it seems impossible. On the other hand, it is enough to put all user groups to that community to let them authenticate, but maybe it would be nice to create a second community if you want to limit the GW that the users can use.

- You cannot mix e.g. network objects with Access Roles, even if it lets you put one in the column.

In Access role objects

- Only LDAP users/groups OR Internal User Groups in one Access Role - not both

- Only LDAP users can be added directly to Access Role - not Internal users

 

Other things to consider?

 

Btw, how does "Mobile Access differ" from the "VPN clients" section in GW object? What determines which one's settings are used?

 

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-11-04 07:30 PM

I believe R80.40+ allows mixing network and Access Roles.
For VPN clients, the gateway setting determines what clients are allowed to connect, the Access Role setting determines what clients are included.
This allows you to have a different access policy for different types of clients.

And, no, there is only one remote access community.
You cannot create more than one.

lorenzopugnaghi
Explorer
‎2021-03-05 01:38 AM
In response to PhoneBoy

Can I use the same rule (with native application) both with SNX client and Check Point Mobile E83.20?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events