Policy to control users connecting through VPN
Hello,
My Environment:
Check Point Security Gateway 6600
Gaia R81.20 (Build 627)
IPSec VPN Blade Enabled
I am trying to create a policy that restricts users connecting through VPN to specific networks and a server:
1. User 1 must access only LAN 2
2. User 2 must only access a specific server in LAN 1
3. User 3 must access LAN 1 and LAN 2
Configuration:
In the "RemoteAccess" VPN Community:
Participating Gateways:
MyGateway - VPN Domain (LAN 1 & LAN 2) in a network group X
Participating User Groups
(User 1, User 2 and User 3) in a user group A
In the Policy:
Rule 1:
Source: Access Role containing Group with only User 1
Destination: LAN 2
VPN: RemoteAccess
Rule 2:
Source: Access Role containing Group with only User 2
Destination: ServerName
VPN: RemoteAccess
Rule 3:
Source: Access Role containing Group with only User 3
Destination: network group X
VPN: RemoteAccess
After creating the new policies with the above conditions, all 3 users can access both LAN 1 and LAN 2. It is not working as per the policy created.
I believe that, as all 3 policies use the "RemoteAccess" Community in the VPN column, it is overriding the policies?
Thanks for any help.
Visham
Rules with "Any" in the VPN column will also match rules for VPN (either Site-to-Site or Remote Access).
Which means an entirely different rule could have allowed this traffic.
Review the full log card to see what precise rule number matched the relevant traffic.
A screenshot of these logs (with sensitive data redacted) would be helpful.
You are totally right!! Thanks for clearing this out.
An entirely different rule allowed this traffic!
The issue I am getting for my scenario:
1. User 1 must access only LAN 2
2. User 2 must only access a specific server in LAN 1
3. User 3 must access LAN 1 and LAN 2
is that when I add the user as the "source", the policy does not work. From the logs, the IP of the VPN client is being blocked. When I add "CP_default_Office_Mode_addresses_pool" as the "source", I can control the access in the policy table for my scenario above.
I wanted to control access based on the user, but it does not seem to work, or I am doing something wrong.

(Accepted solution)
You should use Identity Awareness and Access Roles (sk86441).
Thanks for the hint. Issue is addressed 😁
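The two answers above make two separate points: a rule with "Any" in the VPN column also matches remote-access traffic, so a broader rule higher in the rulebase can accept the packet before the three user-specific rules are evaluated; and an Access Role in the Source column matches on the user identity the gateway has for the client IP, so without Identity Awareness supplying that identity the role never matches and the Office Mode IP falls through to the cleanup rule. The following is an added, deliberately simplified first-match model written for this page to make both effects visible; it is not Check Point code and does not reproduce the gateway's real matching engine. The network objects, addresses, user names and rule names are constructed for the example.

```python
"""Simplified first-match model of an access rulebase with a VPN column and
Identity Awareness access roles. Added example, not Check Point code: it models
only the two behaviours discussed in the thread (a VPN:Any rule also matches VPN
traffic; an access role in Source can only match when the gateway has an
identity for the client IP). All object names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed network objects (assumed addressing, not taken from the thread).
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")
SERVER = ipaddress.ip_network("10.1.0.50/32")   # stands in for "ServerName" in LAN 1
GROUP_X = [LAN1, LAN2]                           # the VPN domain network group


@dataclass(frozen=True)
class AccessRole:
    name: str
    users: frozenset


Source = Union[str, ipaddress.IPv4Network, AccessRole]


@dataclass
class Rule:
    name: str
    source: Source
    destination: Union[str, List[ipaddress.IPv4Network]]
    vpn: str        # "Any" or a community name
    action: str     # "Accept" or "Drop"


@dataclass
class Packet:
    src: str
    dst: str
    vpn_community: Optional[str]   # None = clear (non-VPN) traffic
    user: Optional[str]            # identity the gateway has for src, if any


def source_matches(src: Source, pkt: Packet) -> bool:
    if src == "Any":
        return True
    if isinstance(src, AccessRole):
        # Access roles match on identity, not on IP. With no identity mapped to
        # the client address (no Identity Awareness), the role cannot match.
        return pkt.user is not None and pkt.user in src.users
    return ipaddress.ip_address(pkt.src) in src


def destination_matches(dst, pkt: Packet) -> bool:
    if dst == "Any":
        return True
    addr = ipaddress.ip_address(pkt.dst)
    return any(addr in net for net in dst)


def vpn_matches(vpn: str, pkt: Packet) -> bool:
    # "Any" in the VPN column matches clear traffic AND traffic from every
    # community; a community name matches only that community's traffic.
    return vpn == "Any" or pkt.vpn_community == vpn


CLEANUP = Rule("Cleanup (implicit drop)", "Any", "Any", "Any", "Drop")


def first_match(rulebase: List[Rule], pkt: Packet) -> Rule:
    """Return the first rule whose Source, Destination and VPN columns all match."""
    for rule in rulebase:
        if (source_matches(rule.source, pkt)
                and destination_matches(rule.destination, pkt)
                and vpn_matches(rule.vpn, pkt)):
            return rule
    return CLEANUP


ROLE_U1 = AccessRole("Role-User1", frozenset({"user1"}))
ROLE_U2 = AccessRole("Role-User2", frozenset({"user2"}))
ROLE_U3 = AccessRole("Role-User3", frozenset({"user3"}))


def rulebase(with_broad_rule: bool) -> List[Rule]:
    rules = []
    if with_broad_rule:
        # A rule like this higher in the rulebase, with VPN: Any, also matches
        # remote-access traffic, so the three specific rules never get a turn.
        rules.append(Rule("Internal to internal", "Any", GROUP_X, "Any", "Accept"))
    rules += [
        Rule("User1 -> LAN2", ROLE_U1, [LAN2], "RemoteAccess", "Accept"),
        Rule("User2 -> Server", ROLE_U2, [SERVER], "RemoteAccess", "Accept"),
        Rule("User3 -> LAN1+LAN2", ROLE_U3, GROUP_X, "RemoteAccess", "Accept"),
    ]
    return rules


def decide(with_broad_rule: bool, user: Optional[str], dst: str,
           vpn_community: Optional[str] = "RemoteAccess") -> str:
    """Name of the rule a client packet hits; src is a constructed Office Mode IP."""
    pkt = Packet("172.16.10.7", dst, vpn_community, user)
    return first_match(rulebase(with_broad_rule), pkt).name


if __name__ == "__main__":
    print(decide(True, "user1", "10.1.0.20"))    # broad VPN:Any rule accepts it
    print(decide(False, None, "10.2.0.20"))     # no identity for the IP: cleanup
    print(decide(False, "user1", "10.2.0.20"))  # identity present: User1 -> LAN2
```

The first call reproduces the situation from the second answer: the broad rule accepts User 1 into LAN 1 although no user-specific rule allows it, which is why the log card's matched rule number, not the intended rule, is what to check. The second call reproduces the original poster's symptom: the same packet with no identity attached to the Office Mode address matches none of the Access Role rules and is dropped by the cleanup rule, whereas a rule keyed on the Office Mode pool would have matched on IP alone. Once the gateway has an identity for the address, the third call lands on the intended rule and the per-user restrictions hold.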