This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-06-05 09:36 AM
Jump to solution

Error when creating Access Role

Hello everyone.

I currently have a ClusterXL R81.10, on which I want to implement a security rule, for a group of remote VPN users.
I think I understand that this works by putting the group object in an Access Role (and I have done so), but the problem is that when installing policies, I get an error, for not having activated the Identity Awaraness blade.

Is it mandatory to activate the blade, to work the Access Role?

There is no other way to work the local users that I have created in the Firewall, to give permissions to remote VPN user connections?

Greetings.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-06-05 10:20 AM
Jump to solution

Identity Awareness is required to use Access Roles, yes.
The only other way to do it is to use Legacy User Access rules, but these are only supported in "Firewall only" layers per: https://support.checkpoint.com/results/sk/sk169493

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2023-06-05 10:20 AM
Jump to solution

Identity Awareness is required to use Access Roles, yes.
The only other way to do it is to use Legacy User Access rules, but these are only supported in "Firewall only" layers per: https://support.checkpoint.com/results/sk/sk169493

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-05 10:37 AM
In response to PhoneBoy
Jump to solution

Hello,

Thank you for your reply.

I have created a security rule, calling in the origin to a legacy object, for the connection of a remote VPN user, but it is not allowing me the connection, and it shows me the following error message.

AC11.png

AC2.png

Any idea why I get this error message and how to correct it?

The locally created group object is already inside the VPN Community, Remote Access.

Cheers.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-06-05 10:48 AM
In response to Matlu
Jump to solution

Thats probably auth method issue on the gateway object properties.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-05 11:09 AM
In response to Matlu
Jump to solution

Your rule is a "Legacy User Access" style.
As far as I know, this method only allows for a single authentication method.
This log implies you have more than one configured.

Try it with a properly configured Access Role and see if you get the same issue.

Matlu
MVP Silver
MVP Silver
‎2023-06-05 11:13 AM
In response to PhoneBoy
Jump to solution

Sure, I could try it, but this demands that I activate the AI blade, right?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-05 11:27 AM
In response to Matlu
Jump to solution

Yes, as stated previously.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-06-05 11:48 AM
In response to Matlu
Jump to solution

For creating IA access roles, yes buddy.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-06-05 10:22 AM
Jump to solution

Yes, what @PhoneBoy said is correct, because TAC told me the same in the past. If you do not want to enable IA blade, sk is the only other way to do this.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events