This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
support_suppor1
Participant
‎2022-03-01 05:31 AM

SAML Azure AD - Remote access Access Role policy

Hi,

 

We are having a problem now on implementation when using SAML Azure AD authentication. Everything is working - authentication etc. Users can login properly - connectivity is ok. 

My problem is that when we use the access role and choose a specific user / group - the access role is not working and traffic goes thru Clean up rule. Access role works when it is set to "Any Authenticated" but this would not be helpful when there are multiple user with different access. Any help is appreciated - is there a special config or is this a limitation. We are running R81 + JHF 56 (latest)

 

Thanks 

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2022-03-03 03:42 PM

Are you sure the application in Azure AD is set up per here?
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...
The groups needed for Azure AD are retrieved via the Graph API (supported in R81 and above).

0 Kudos
Zoran_Filipac
Explorer
‎2022-04-01 07:11 AM
In response to PhoneBoy

Had the same  issue on R81, login to Azure SAML worked fine  but after that  ,   cleanup rule was used  instead  of the specific access role policy rule.  TAC  provided a hotfix and this started working after we applied the hotfix to the gateway and installed the policy.  Hotfix will be custom and dependent on your HFA level.  

0 Kudos
lrossi89
Contributor
‎2022-05-30 02:11 AM
In response to Zoran_Filipac

i have the same issue on r81.10 take 45 , Is there a public SK on this?

0 Kudos
lrossi89
Contributor
‎2022-05-30 07:02 AM
In response to Zoran_Filipac

can you share the SR# number ?

0 Kudos
Gaurav_Pandya
MVP
MVP
‎2022-11-11 01:44 AM
In response to lrossi89

We had same issue. After SAML authentication (Azure AD), Users were not able to access LAN networks. Access role was not matched. We followed below steps to resolve issue.

Capture.PNG

 

Now I have different problem. I cannot use mobile access application with Azure IDP access role as per sk171557. I am checking if I need to use simple "destination" field to restrict user for specific destination or not.

 

0 Kudos
lrossi89
Contributor
‎2022-11-11 02:42 AM
In response to Gaurav_Pandya

Check this : sk179788 Access Roles are not enforced when using SAML authentication

Gaurav_Pandya
MVP
MVP
‎2022-11-14 12:02 AM
In response to lrossi89

Hi,

Access role issue is already resolved but my concern is how I can use Access role Azure identity with mobile access application to restrict user for certain destination.

As per sk171557, we cannot do that

 

0 Kudos
lrossi89
Contributor
‎2023-01-10 02:05 AM
In response to Gaurav_Pandya

Through this SK179788 it works, but we are finding an anomaly:


- We are using Azure AD groups directly, and it seems to work correctly.

step -> Using Azure AD for Authorization https://sc1.checkpoint.com/documents/r81/webadminguides/en/cp_r81_centityAWareness_adminguide/topics... 

- But in a random way sometimes the firewall "not retrieve the correct group from AD Azure" and makes the retrieval from the LOCAL LDAP groups (from local Active Directory), and in this case VPN connections doesn't work because non match the correct AR Azure.

Then just after an install policy everything recovers and the firewall retrieve the correct information from azure

Has anyone made this integration, without setting manual groups and works without anomalies?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-10 05:45 AM
In response to lrossi89

Sounds like a bug and I recommend opening a TAC case.

0 Kudos
nflnetwork29
Advisor
‎2023-05-12 06:10 PM
In response to PhoneBoy

 

  • Step 1 - d

  • Click New Application > Non-gallery application.

Can we use the pre populated Checkpoint Secure VPN access application or is the specific requirement to create a new non-gallery application? what is the reason. 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events