MarcuzShinz (Contributor)

Understand some cases of Access Role better

Dear guys!

I am configuring an Access Role for VPN Remote Access related usage.

Specifically, an Access Role has 4 data fields: Networks, Users, Machines, Remote Access Clients.

Let's say I configure a Role with these values:

Networks: Any

Users: User local on Checkpoint

Machines: Machine On LDAP

Remote Access Clients: Any

So if I VPN in with a user that matches the user field but the Machines are different, can I access the data according to the rule?

Accepted Solution

MarcuzShinz (Contributor)
Dear @_Val_ 

1. You need to access the client machine, open MMC => Certificates => Personal and request a certificate.

[screenshot: 2024-08-13_164044.png]

2. Now there will be a certificate on the local machine; export it.

[screenshot: 2024-08-13_164107.png]

3. Finally, go to SmartDashboard and import it into the Trusted CA server of Check Point under HTTPS Inspection.

*Note: Remember to create the Trusted CA object in SmartConsole with the CA certificate first. After completing the above, just create an Access Role with the information you want.

14 Replies

_Val_ (Admin)

No. In your case, you are locking access to specific machines only. Clients who can authenticate but are not on those specific machines, or whose machine identity cannot be checked, will not be matched to the rule.

 

MarcuzShinz (Contributor)

So does that mean that if we use Machines in the Access Role, only those specific machines are allowed, and the other values do not change?

PhoneBoy (Admin)

Correct.
Note that we only acquire identities when a user generates a login event.

MarcuzShinz (Contributor)

I'm not sure if what I am doing below is correct. I am still trying to lab it before asking the customer to do it. If you have step-by-step instructions, could you share them?

Much respect to anyone who has adopted this configuration and shared it with me. Is it necessary to use user login with an AD user, or is any user fine?

I have created a CA named mtech-lab.local and created a Trusted CA server object on Check Point.

[screenshot: TronNQ_0-1722523499727.png]

Next, I went to IPsec VPN in the gateway object and created an enrollment certificate request, had the CA issue it, and completed the enrollment on the gateway.

[screenshot: TronNQ_1-1722523499732.png]

I have installed the machine and CA certificates on the local machine, in the Personal and Trusted Root Certification Authorities folders.

[screenshot: TronNQ_2-1722523499736.png]

Next, I enabled certificate authentication and created a policy. I use a local user created on Check Point to authenticate the VPN, and the machine is in AD.

[screenshots: TronNQ_3-1722523499737.png, TronNQ_4-1722523499738.png]

As a result, when connected to the VPN we still cannot reach internal resources. When we switch machine authentication to Mandatory and connect to the VPN, we get the error message "Machine Certificate Is Required". This means that the imported certificate is still incorrect.

PhoneBoy (Admin)

Identity Awareness only works with Active Directory users.
For requirements on Machine Certificates, see: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

MarcuzShinz (Contributor)

If you look at the config I provided above, I tried it as in the document you shared, but it does not work!

Have you configured machine authentication before?

PhoneBoy (Admin)

Personally? No.
Check if this SK applies: https://support.checkpoint.com/results/sk/sk175111

MarcuzShinz (Contributor)

I tracked the log file trac.log and I see that it did not find the certificate between the root CA and the SMS. How can I create that certificate?

[screenshot: 2024-08-02_095712.png]

PhoneBoy (Admin)
MarcuzShinz (Contributor)

Now the certificate part has passed; however, I still don't understand why traffic still doesn't match the Access Role. I tested with 2 test cases as follows:

Case 1:

I configure the access role with:

- Network: 172.168.100.0/24

- User: Internal Group

- Machine: choose device from LDAP CN=DESKTOP-B1L79C9,CN=Computers,DC=mtech-lab,DC=local

After connecting to the VPN we used the command pdp monitor and saw that it does not work; the IP does not match the access role.

[screenshots: 2024-08-05_153333.png, 2024-08-05_153356.png, 2024-08-05_153410.png]

 

Case 2: 

I configure the access role with:

- Network: 172.168.100.0/24

- User: Internal Group

- Machine: Any

After connecting to the VPN we used the command pdp monitor and saw that this time the IP matched the role and traffic passed.

[screenshot: 2024-08-05_153654.png]

I'm not sure why it doesn't match the role when a specific machine is selected.

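As an added illustration (example code written for this page, not Check Point's implementation), the following Python models the matching behaviour _Val_ described earlier in the thread and that the two test cases above exhibit: all four Access Role fields are ANDed, "Any" matches everything, and a field whose identity was never acquired for the session cannot match unless it is "Any". The role and session values are constructed to mirror Case 1 and Case 2; the Office Mode IP 172.168.100.10, the user name "alice" and the second machine DN are assumptions. It also goes one step beyond the thread by showing a session from a different machine and one from outside the configured network.

```python
"""Added example: how the four Access Role fields combine (not Check Point code).

Assumed semantics: every field is ANDed, "Any" matches everything, and an
identity that was never acquired for the session does not match (fail closed).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

ANY = "Any"


@dataclass(frozen=True)
class AccessRole:
    """The four fields of an Access Role; each is a tuple of allowed values or (ANY,)."""
    name: str
    networks: tuple = (ANY,)   # CIDR strings
    users: tuple = (ANY,)      # user names or group names
    machines: tuple = (ANY,)   # machine DNs, as shown in the LDAP picker
    clients: tuple = (ANY,)    # Remote Access client names


@dataclass(frozen=True)
class Session:
    """What the gateway acquired for one connection (roughly what 'pdp monitor' shows).
    None means that identity was never acquired for this session."""
    src_ip: str
    user: Optional[str] = None
    groups: tuple = ()
    machine: Optional[str] = None
    client: Optional[str] = None


def _field_matches(allowed: tuple, observed, same: Callable) -> bool:
    """One field: ANY always matches; an identity that was never acquired never does."""
    if ANY in allowed:
        return True
    if observed is None:
        return False          # fail closed: an unknown identity is not a match
    return any(same(entry, observed) for entry in allowed)


def explain(role: AccessRole, s: Session) -> dict:
    """Per-field verdicts, so a non-match can be traced to the field that failed."""
    return {
        "networks": _field_matches(
            role.networks, s.src_ip,
            lambda cidr, ip: ip_address(ip) in ip_network(cidr, strict=False)),
        "users": _field_matches(
            role.users, s.user,
            lambda name, user: name == user or name in s.groups),
        "machines": _field_matches(
            role.machines, s.machine,
            lambda dn, seen: dn.lower() == seen.lower()),   # DNs compare case-insensitively
        "clients": _field_matches(role.clients, s.client, lambda a, b: a == b),
    }


def role_matches(role: AccessRole, s: Session) -> bool:
    """The role matches only when all four fields match (they are ANDed)."""
    return all(explain(role, s).values())


# Constructed data mirroring the two test cases in the thread.
DESKTOP_DN = "CN=DESKTOP-B1L79C9,CN=Computers,DC=mtech-lab,DC=local"
CASE1 = AccessRole("case1", networks=("172.168.100.0/24",),
                   users=("Internal Group",), machines=(DESKTOP_DN,))
CASE2 = AccessRole("case2", networks=("172.168.100.0/24",),
                   users=("Internal Group",), machines=(ANY,))

# Assumed session values: the Office Mode IP, user name and second DN are made up.
ALICE = dict(user="alice", groups=("Internal Group",))
NO_MACHINE_IDENTITY = Session("172.168.100.10", machine=None, **ALICE)
WITH_MACHINE_IDENTITY = Session("172.168.100.10", machine=DESKTOP_DN, **ALICE)
OTHER_MACHINE = Session("172.168.100.10",
                        machine="CN=LAPTOP-X,CN=Computers,DC=mtech-lab,DC=local",
                        **ALICE)
WRONG_NETWORK = Session("10.0.0.5", machine=DESKTOP_DN, **ALICE)

if __name__ == "__main__":
    for role in (CASE1, CASE2):
        for label, sess in (("no machine identity", NO_MACHINE_IDENTITY),
                            ("matching machine", WITH_MACHINE_IDENTITY),
                            ("different machine", OTHER_MACHINE),
                            ("wrong network", WRONG_NETWORK)):
            print(f"{role.name}  {label:20s} -> {role_matches(role, sess)}  "
                  f"{explain(role, sess)}")
```

Running it prints a per-field verdict for each session; the field that reports False is the one to look at when pdp monitor shows a session that should have matched. In Case 1 that field is "machines", which only turns True once the gateway has actually acquired a machine identity for the session.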
MarcuzShinz (Contributor)

I have solved this problem, thanks everyone for your support.

_Val_ (Admin)

@MarcuzShinz Would you please share the solution?

_Val_ (Admin)

Thanks, this was for the community.
