This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Karan0587
Explorer
‎2021-06-02 08:44 PM
Jump to solution

Need help in understanding policy for mobile access users ( based on security group)

We have a customer who wants the following setup with remote access

 

1)Designated user groups in AD should be able to login ( no one else )

I created the attached policy for Login with having the designated the security group part of Remote Access object as participating groups, now whoever is not part of the group is not able to login so this works

2)Then create policies on the basis of those groups different sets of policies when connected through remote access.

 I am not able to get the policy to work on specific applications for eg ANZ-VPN should be only able to access RDP services only, EMEA-VPN should be only able to access http/https services , 

 

Will these access rules be created below the auth policy ( for remote access ) ?

 

If someone can share snapshots of policy how they achieved this would be awesome or a document .

 

Setup 

GAIA -  R81 

Smart Cloud Mgmt with a Cluster + duo MFA setup 

 

 

Any help would be apprecciated

Preview file
18 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-06-07 08:24 AM
In response to Karan0587
Jump to solution

Multiple groups shouldn’t matter.
As long as it matches one of the groups defined in the Access Role it should be included.
Is Remote Access one of the identity sources configured for the relevant gateway in Identity Awareness?

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-06-04 09:21 PM
Jump to solution

You would create similar rules to the one you've attached with Access Roles that refer to the different groups of users, destinations, and applications.
What precisely did you try and what was the precise result?

0 Kudos
Karan0587
Explorer
‎2021-06-06 05:10 PM
In response to PhoneBoy
Jump to solution

Hi ,

 

Thanks for the reply, i tested the rule which has source as Access Role and allowed port, but it doesn't work .

I believe there is a rule underneath with Office_Mode Pool IP addresses included in 1 Policy, the question is that do i remove the Office Mode as source when we are doing access role in the policies ?

I will test the above scenario as well today and would let u know how it goes.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-06 11:11 PM
In response to Karan0587
Jump to solution

You should not need to use the Office Mode IPs directly in rules when using Access Roles (unless some Remote Access user isn't covered by an Access Role).

0 Kudos
Karan0587
Explorer
‎2021-06-07 05:39 AM
In response to PhoneBoy
Jump to solution

Hi ,

 

I just tried the above 

so removed officemode pool from the policy  and defined the specific AD group as access role in source and allowed some applications 

but still no go, in the logs, i am seeing it is hitting clean up rule.

 

My question is what happens if the user is part of multiple groups in AD ? and am i missing something.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-07 08:24 AM
In response to Karan0587
Jump to solution

Multiple groups shouldn’t matter.
As long as it matches one of the groups defined in the Access Role it should be included.
Is Remote Access one of the identity sources configured for the relevant gateway in Identity Awareness?

0 Kudos
Karan0587
Explorer
‎2021-06-08 05:49 AM
In response to PhoneBoy
Jump to solution

Thanks for your help, I tested again today and it is working as expected.

One thing I did was in Gateway Properties>>Remote Access>>Policy was selected as legacy instead of unified, I changed it to unified.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events