This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Visham
Participant
‎2023-04-18 10:03 PM
Jump to solution

Policy to control users connecting through VPN

Hello,

My Environment:

Check Point Security Gateway 6600
Gaia R81.20 (Build 627)
IPSec VPN Blade Enabled

I am trying to create a policy to restrict users connecting through VPN to get access to specific Networks and Server:

1. User 1 must access only LAN 2
2. User 2 must only access a specific server in LAN 1
3. User 3 must access LAN 1 and LAN 2

Configuration:

In the "RemoteAccess" VPN Community:

Participating Gateways:
MyGateway - VPN Domain (LAN 1 & LAN 2) in a network group X

Participating User Groups
(User 1, User 2 and User 3) in a user group A


In the Policy:

Source: Access Role containing Group with only User 1
Destination: LAN 2
VPN: RemoteAccess

Source: Access Role containing Group with only User 2
Destination: ServerName
VPN: RemoteAccess

Source: Access Role containing Group with only User 3
Destination: network group X
VPN: RemoteAccess

After creating new policies with the above conditions, the 3 users can access both LAN 1 and LAN 2. It is not working as per policy created. 

I believe as all 3 policies are using "RemoteAccess" Community as VPN, it is overriding the policies?

Thanks for any help.

Visham

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2023-04-21 02:22 AM
In response to Visham
Jump to solution

You should use Identity Awareness and Access  Roles (sk86441).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-04-20 04:10 PM
Jump to solution

Rules with "Any" in the VPN column will also match rules for VPN (either Site-to-Site or Remote Access).
Which means an entirely different rule could have allowed this traffic.
Review the full log card to see what precise rule number matched the relevant traffic.
A screenshot of these logs (with sensitive data redacted) would be helpful.

(1)
Visham
Participant
‎2023-04-21 01:38 AM
In response to PhoneBoy
Jump to solution

You are totally right!! Thanks for clearing this out.

An entirely different rule allowed this traffic! 

The issue I am getting for my scenario:

   1. User 1 must access only LAN 2

   2. User 2 must only access a specific server in LAN 1

   3. User 3 must access LAN 1 and LAN 2

 is that when I add the user in the "source", the policy does not work. From the logs the IP of the VPN client is being blocked. When I add "CP_default_Office_Mode_addresses_pool" in the "source", I can control the access in the policy table for my scenario above.

I wanted to control access based on User, but does not seems to work or I am doing something wrong.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-04-21 02:22 AM
In response to Visham
Jump to solution

You should use Identity Awareness and Access  Roles (sk86441).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Visham
Participant
‎2023-04-21 02:45 AM
In response to G_W_Albrecht
Jump to solution

Thanks for the hint. Issue is addressed 😁

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events