VPN unified access and the rules it follows are not too easy in Check Point. I wrote down some experiences since I haven't seen any collection of these. Could you correct my perceptions so we can gather a better list?
You have to configure in the GW object:
- Identity Awareness: Remote Access - to make Access Roles work in the rule base
- Mobile Access: Unified Access Policy - to use Access Roles instead of the old policy
- The rest of the Mobile Access options as you wish
In the rule base:
- If you use Inline layers, you cannot have legacy user access in the same set as Access Roles.
- If you use Ordered layers, you cannot have legacy user access in the layer.
- The Remote Access Community is not used in the VPN column in Unified rules, but it is used to allow users to use Remote Access. It is unknown whether it is possible to actually create more than one Remote Access community; at least from the GUI it seems impossible. On the other hand, it is enough to put all user groups into that community to let them authenticate, but it might be nice to create a second community if you want to limit the GWs that the users can use.
- You cannot mix e.g. network objects with Access Roles, even though it lets you put one in the column.
In Access Role objects:
- Only LDAP users/groups OR internal user groups in one Access Role, not both
- Only LDAP users can be added directly to an Access Role, not internal users
Other things to consider?
Btw, how does "Mobile Access" differ from the "VPN clients" section in the GW object? What determines which one's settings are used?
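As an added illustration (not part of the post above, and not Check Point's own code), here is a small Python linter that encodes the rule base and Access Role constraints the post lists and runs them over a constructed rulebase. It assumes the JSON shape of the management API's `show-access-rulebase` output with `details-level: full` (each source/destination entry carries a `name` and a `type` such as `access-role`, `host` or `network`) and a simplified shape for an Access Role's `users` list modelled on the `add access-role` parameter; the `legacy-user-at-location` type name, the `type` field on selection entries, the `corp_ldap` account unit and all sample objects are assumptions constructed for the example.

```python
"""Lint Check Point Access Roles and a flat access rulebase against the
constraints listed in the post.  Added example, not Check Point code.

Assumed input shape: rules as returned by `show-access-rulebase` with
`details-level: full` (each source/destination entry has `name` and `type`);
Access Roles with a `users` list of {"source": <directory>, "selection": [...]}
where each selection entry has `name` and an assumed `type` of "user" or
"user-group".  "Internal" is the internal user database; any other source is
taken to be an LDAP Account Unit.
"""
from typing import Dict, List

ACCESS_ROLE = "access-role"
# Network object types as they appear in management API output.
NETWORK_TYPES = {"host", "network", "group", "address-range", "group-with-exclusion"}
# Assumed type name for a legacy "user group @ location" entry.
LEGACY_USER_TYPE = "legacy-user-at-location"


def _types(rule: Dict, column: str) -> set:
    """Object types in one column, ignoring the implicit Any (matched by name)."""
    return {e.get("type") for e in rule.get(column, []) if e.get("name") != "Any"}


def lint_rule(rule: Dict) -> List[str]:
    """Per-rule check: Access Roles must not share a column with network objects."""
    findings = []
    for column in ("source", "destination"):
        types = _types(rule, column)
        if ACCESS_ROLE in types and types & NETWORK_TYPES:
            findings.append(
                f"rule {rule['rule-number']}: {column} mixes Access Roles with network objects"
            )
    return findings


def lint_layer(rules: List[Dict]) -> List[str]:
    """Layer-wide check: legacy user access and Access Roles cannot share a layer."""
    findings = []
    roles_used = legacy_used = False
    for rule in rules:
        findings.extend(lint_rule(rule))
        types = _types(rule, "source") | _types(rule, "destination")
        roles_used = roles_used or ACCESS_ROLE in types
        legacy_used = legacy_used or LEGACY_USER_TYPE in types
    if roles_used and legacy_used:
        findings.append("layer mixes legacy user access with Access Roles")
    return findings


def lint_access_role(role: Dict) -> List[str]:
    """Access Role checks: LDAP xor Internal, and no individual Internal users."""
    findings = []
    users = role.get("users", [])
    sources = {u["source"] for u in users}
    if "Internal" in sources and len(sources) > 1:
        findings.append(f"access role {role['name']}: mixes Internal groups with LDAP")
    for entry in users:
        if entry["source"] != "Internal":
            continue
        for sel in entry.get("selection", []):
            if sel.get("type") == "user":
                findings.append(
                    f"access role {role['name']}: Internal user {sel['name']} added directly"
                )
    return findings


# Constructed sample data (not from a real management server).
SAMPLE_RULES = [
    {"rule-number": 1, "name": "RA to intranet",
     "source": [{"name": "RA_Finance", "type": ACCESS_ROLE}],
     "destination": [{"name": "Intranet", "type": "network"}]},
    {"rule-number": 2, "name": "mixed column",
     "source": [{"name": "RA_Finance", "type": ACCESS_ROLE},
                {"name": "Jump_Host", "type": "host"}],
     "destination": [{"name": "Any", "type": "CpmiAnyObject"}]},
    {"rule-number": 3, "name": "legacy users",
     "source": [{"name": "Finance@Any", "type": LEGACY_USER_TYPE}],
     "destination": [{"name": "Intranet", "type": "network"}]},
]

SAMPLE_ROLES = [
    {"name": "RA_Finance",
     "users": [{"source": "corp_ldap",
                "selection": [{"name": "Finance", "type": "user-group"}]}]},
    {"name": "RA_Mixed",
     "users": [{"source": "corp_ldap",
                "selection": [{"name": "Finance", "type": "user-group"}]},
               {"source": "Internal",
                "selection": [{"name": "admin1", "type": "user"}]}]},
]

if __name__ == "__main__":
    role_findings = [f for r in SAMPLE_ROLES for f in lint_access_role(r)]
    for finding in lint_layer(SAMPLE_RULES) + role_findings:
        print(finding)
```

Against the constructed data the linter flags rule 2 (Access Role beside a host in the source column), the layer as a whole (rule 3 brings legacy user access into a layer that also uses Access Roles) and the RA_Mixed role twice (Internal mixed with LDAP, and an Internal user added directly); rule 1 and RA_Finance pass. On a real deployment you would feed it the `rulebase` array of a `show-access-rulebase` call per layer, since inline layers are returned separately.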