We have a customer who wants the following setup with remote access:
1) Designated user groups in AD should be able to log in (no one else).
I created the attached policy for login, with the designated security group part of the Remote Access object as participating groups. Now whoever is not part of the group is not able to log in, so this works.
2) Then create policies on the basis of those groups: different sets of policies when connected through remote access.
I am not able to get the policy to work on specific applications, e.g. ANZ-VPN should only be able to access RDP services, and EMEA-VPN should only be able to access http/https services.
Will these access rules be created below the auth policy (for remote access)?
If someone can share snapshots of the policy showing how they achieved this, or a document, that would be awesome.
Setup:
GAIA - R81
Smart Cloud Mgmt with a Cluster + Duo MFA setup
Any help would be appreciated.
Hi,
Thanks for the reply. I tested the rule which has the Access Role as source and an allowed port, but it doesn't work.
I believe there is a rule underneath with Office_Mode Pool IP addresses included in 1 policy. The question is: do I remove the Office Mode as source when we are using Access Roles in the policies?
I will test the above scenario as well today and will let you know how it goes.
You should not need to use the Office Mode IPs directly in rules when using Access Roles (unless some Remote Access user isn't covered by an Access Role).
Hi,
I just tried the above.
I removed the Office Mode pool from the policy, defined the specific AD group as an Access Role in the source and allowed some applications,
but still no go. In the logs, I am seeing it hitting the cleanup rule.
My question is: what happens if the user is part of multiple groups in AD? And am I missing something?
Multiple groups shouldn’t matter.
As long as it matches one of the groups defined in the Access Role it should be included.
Is Remote Access one of the identity sources configured for the relevant gateway in Identity Awareness?
Thanks for your help, I tested again today and it is working as expected.
One thing I did: in Gateway Properties > Remote Access, Policy was selected as legacy instead of unified, so I changed it to unified.