SamiH
Contributor

Mobile access VPN and Unified policy observations

VPN unified access and the rules it follows are not too easy in Check Point. I wrote down some experiences since I haven't seen any collection of this. Could you correct my perceptions so we can gather a better list?

You have to configure in the GW object:

- Identity Awareness: Remote Access - to make Access Role work in rule base

- Mobile Access: Unified Access Policy - to use Access Roles instead of old policy

- Rest of the Mobile Access options as you wish

In the rule base:

- If you use Inline layers, you cannot have legacy user access in the same set as Access Roles.

- If you use Ordered layers, you cannot have legacy user access in the layer.

- The Remote Access Community is not used in the VPN column of Unified rules, but it is used to allow users to use Remote Access. It is unknown whether it is possible to actually create more than one Remote Access community; at least from the GUI it seems impossible. On the other hand, it is enough to put all user groups into that community to let them authenticate, but maybe it would be nice to create a second community if you want to limit the GWs that the users can use.

- You cannot mix e.g. network objects with Access Roles, even though it lets you put one in the column.

In Access Role objects:

- Only LDAP users/groups OR Internal User Groups in one Access Role, not both.

- Only LDAP users can be added directly to an Access Role, not Internal users.

Other things to consider?

Btw, how does "Mobile Access" differ from the "VPN clients" section in the GW object? What determines which one's settings are used?

PhoneBoy
Admin

I believe R80.40+ allows mixing network and Access Roles.
For VPN clients, the gateway setting determines which clients are allowed to connect; the Access Role setting determines which clients are included.
This allows you to have a different access policy for different types of clients.

And, no, there is only one remote access community.
You cannot create more than one.

lorenzopugnaghi
Explorer

Can I use the same rule (with native application) both with SNX client and Check Point Mobile E83.20?
