Janish_0144
Participant

Unable to create access role for local user in Checkpoint for RA VPN


Hi All,


I'm a newbie to Checkpoint. I have a query regarding the remote access VPN using local user created on Checkpoint and I hope somebody can help me since this is pretty straightforward with other vendors.

We have a 2x 5000 Checkpoint appliance running in an Active/Passive scenario. We have integrated AD with our checkpoint and already we have Client-to-Site VPN running smoothly for the users in AD.

We have a new requirement to allow 3rd party users (3 users) to access our internal resources via RA VPN. These users are external and we don't have them in our AD. 

The configuration steps done so far are:

1) Configured a new local user-group in Checkpoint

2) Configured 3 new local users and added them to the local user-group in Step 1

3) Added the local user-group created in Step 1 to the RA VPN community under Participant User groups


The requirement is to allow these three 3rd party users to access different internal resources via RA VPN. For eg, user1 wants to access Server01, user2 wants to access Server02 and user 3 wants to access Server03.

In order to satisfy the above requirement, I configured an access role but I'm unable to attach this access role with individual local users created on the Checkpoint. I'm only able to attach it with the local user-group and not the individual users themselves. Please find the attached image.

The problem is that I can create access roles for local-user groups only and not individual local-users and hence, the firewall rules can only be created based on the local-user group. For now, even though we have 3 firewall rules created, all traffic is going through the top rule only since the access-role object contains the local-user group details only.

As far as I know, we use access roles in Checkpoint to create the firewall rules. Also, I found we can add local-group to the firewall rules by adding legacy user-access option.

May I please know is there any other way we could add individual local users created on Checkpoint to the firewall rules? I believe I'm missing something here.

Can somebody help me to resolve this?

One more query: besides Checkpoint Capsule, is there any way we could connect iOS/Android devices to Checkpoint RA VPN?

Thank you in advance 🙂


_Val_
Admin

Create three user groups, one per user, and three user roles. Yes, it is a bit silly, but with more users in each, it will make sense later on.

For mobile users, use Mobile Access blade.

Also, check out our CP4B materials, for example: https://community.checkpoint.com/t5/custom/page/page-id/CommunityBeginnersChild?cat=9

Janish_0144
Participant

Thank you Val for your quick response 🙂

Understood. As you said, it is silly since we had to create a new group every time.

Thank you so much for forwarding the CP4B materials.

May I know if I need a Mobile Access license to enable the Mobile Access blade? Because currently the Mobile Access blade is unsubscribed on the dashboard.

_Val_
Admin

How do you mean, unsubscribed?

Janish_0144
Participant

Sorry, Val. I was looking at the wrong option. I understood it's a perpetual license for Mobile Access.