CheckMates
Mobile access VPN and Unified policy observations
VPN unified access and the rules it follows are not too easy in Check Point. I wrote down some experiences since I haven't seen any collection of this. Could you correct my perceptions so we can gather a better list?
You have to configure in the GW object:
- Identity Awareness: Remote Access - to make Access Role work in rule base
- Mobile Access: Unified Access Policy - to use Access Roles instead of old policy
- Rest of the Mobile Access options as you wish
In the rule base:
- If you use Inline layers, you cannot have a legacy user access in the same set as Access roles.
- If you use Ordered layers, you cannot have a legacy user access in the layer.
- The Remote Access Community is not used in the VPN column in Unified rules, but it is used to allow a user to use Remote Access. It is unknown if it is possible to actually create more than one Remote Access community; at least from the GUI it seems impossible. On the other hand, it is enough to put all user groups into that community to let them authenticate, but maybe it would be nice to create a second community if you want to limit the GWs that the users can use.
- You cannot mix e.g. network objects with Access Roles, even if it lets you put one in the column.
In Access Role objects:
- Only LDAP users/groups OR Internal User Groups in one Access Role - not both
- Only LDAP users can be added directly to Access Role - not Internal users
Other things to consider?
Btw, how does "Mobile Access" differ from the "VPN clients" section in the GW object? What determines which one's settings are used?
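One way to check an existing policy against the mixing rules listed in the post is to audit an exported rulebase rather than clicking through every layer in SmartConsole. The script below is an added example, not Check Point code and not part of the original post. It assumes an export shaped loosely like the JSON returned by the Management API command `show access-rulebase` (a list of rules per layer, each with a `source` object list and, for inline layers, an `inline-layer` reference); the object `type` strings it matches on (`access-role`, `LegacyUserAtLocation`, `network`, `host`, `group`, `address-range`) are assumptions to verify against a real export. The sample export is constructed. It flags two things: a layer that contains both legacy user@location objects and Access Roles, and a single rule whose Source mixes Access Roles with network objects (the reply below notes R80.40+ may permit that mix, so treat the second finding as "review", not "error").

```python
"""Audit a Check Point access rulebase export for Unified Access Policy
mixing pitfalls: legacy user access next to Access Roles in one layer, and
Access Roles mixed with network objects in one rule's Source column.

Added example; the input shape and the type strings below are assumptions
modelled on the Management API `show access-rulebase` output, not a
documented schema.
"""
from collections import defaultdict

# Assumed object "type" values as they appear in an API export.
ACCESS_ROLE_TYPES = {"access-role"}
LEGACY_USER_TYPES = {"LegacyUserAtLocation"}          # user@location objects
NETWORK_OBJECT_TYPES = {"network", "host", "group", "address-range"}

# Constructed sample export (not from a real gateway).
# "Network" is the top-level ordered layer; its rule 2 points into the
# inline layer "RA-Inline".
SAMPLE_EXPORT = {
    "Network": [
        {"rule-number": 1, "name": "Legacy RA",
         "source": [{"name": "ra_users@Any", "type": "LegacyUserAtLocation"}]},
        {"rule-number": 2, "name": "Unified RA",
         "source": [{"name": "Any", "type": "CpmiAnyObject"}],
         "inline-layer": {"name": "RA-Inline"}},
        {"rule-number": 3, "name": "Mixed source",
         "source": [{"name": "AR_Staff", "type": "access-role"},
                    {"name": "Net_LAN", "type": "network"}]},
    ],
    "RA-Inline": [
        {"rule-number": 1, "name": "Staff",
         "source": [{"name": "AR_Staff", "type": "access-role"}]},
        {"rule-number": 2, "name": "Contractor legacy",
         "source": [{"name": "ext@Any", "type": "LegacyUserAtLocation"}]},
    ],
}


def classify(objects):
    """Return the set of object kinds ('access-role', 'legacy-user',
    'network') present in one rule column; unknown types are ignored."""
    kinds = set()
    for obj in objects:
        obj_type = obj.get("type", "")
        if obj_type in ACCESS_ROLE_TYPES:
            kinds.add("access-role")
        elif obj_type in LEGACY_USER_TYPES:
            kinds.add("legacy-user")
        elif obj_type in NETWORK_OBJECT_TYPES:
            kinds.add("network")
    return kinds


def audit(export):
    """Walk every layer (ordered and inline alike) and return a list of
    human-readable findings. Per-rule findings come first, then per-layer."""
    findings = []
    layer_kinds = defaultdict(set)
    for layer, rules in export.items():
        for rule in rules:
            kinds = classify(rule.get("source", []))
            layer_kinds[layer] |= kinds
            if {"access-role", "network"} <= kinds:
                findings.append(
                    f"{layer} rule {rule['rule-number']}: Access Role mixed "
                    f"with network object in Source (review; may be allowed on R80.40+)")
    for layer, kinds in layer_kinds.items():
        if {"access-role", "legacy-user"} <= kinds:
            findings.append(
                f"layer {layer}: legacy user access and Access Roles in the same layer")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

Feeding a real export is a matter of replacing `SAMPLE_EXPORT` with the parsed JSON of one `show access-rulebase` call per layer; the ordered-layer check from the post (no legacy user access at all in an ordered layer once Unified Access Policy is on) is stricter than the per-layer coexistence check here and is easy to add once the layer list of the gateway's policy package is known.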
I believe R80.40+ allows mixing network and Access Roles.
For VPN clients, the gateway setting determines what clients are allowed to connect; the Access Role setting determines what clients are included.
This allows you to have a different access policy for different types of clients.
And, no, there is only one remote access community.
You cannot create more than one.
Can I use the same rule (with native application) both with SNX client and Check Point Mobile E83.20?