This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ken2
Explorer
‎2022-07-03 11:08 PM

How to restrict a remote access user to only allowed to access to one subnet

Jump to solution

Hi folks,

How to restrict a remote access user to only allowed to access to one subnet on spark 1600? Let say I have created a user call "UserA" and grant the remote access permission for that user. From Access Policy > Firewall Access Blade policy is Standard. No user awareness enabled. From Access Policy > Firewall Policy > Incoming, Internal and VPN traffic, I have a rule to allow UserA (source) to access to 192.168.10.0 (destination) for any service. 

But once UserA remotes access to the office, UserA can access any internal subnet but is not restricted to only access 192.168.10.0. Is there anything I have set the CheckPoint device wrongly? 

Thanks

Ken

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend
Legend
‎2022-07-04 01:33 AM
In response to ken2

Jump to solution

If there is a manual rule granting access to UserA he will - the other 14 users have no access then without new rules...

CCSE CCTE SMB Specialist

View solution in original post

(1)
5 Replies
_Val_
Admin
Admin
‎2022-07-04 12:50 AM

Jump to solution

Please add screenshots here

0 Kudos
ken2
Explorer
‎2022-07-04 01:26 AM
In response to _Val_

Jump to solution

Here are the screenshots... 

UserA has remote access granted

userA_setting.png

From the Incoming, Internal and VPN traffic, I have created Onlyto Network object group in which only contain the 192.168.10.0 subnet. 

userA.pngbladesetting.PNG

There is another auto Generated rules referring to VPN Remote Access in which I do not have a clue of what it is. 

autogeneratedRule.PNGuserAwareness.PNG

Thanks _Val_

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-07-04 01:02 AM

Jump to solution

When enabling RA VPN, you check "allow traffic from Remote Access users" and a buildt-in rule is enabled. Disable it and your rule will work.

CCSE CCTE SMB Specialist
ken2
Explorer
‎2022-07-04 01:29 AM
In response to G_W_Albrecht

Jump to solution

 

Hi, thanks for you reply, too. Do you mean to uncheck the Allow traffic from Remote Access users checkbox in order to get the rule valid? If I uncheck the box, can UserA still be able to do remote access from the outside world? 

raSetting.PNG

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-07-04 01:33 AM
In response to ken2

Jump to solution

If there is a manual rule granting access to UserA he will - the other 14 users have no access then without new rules...

CCSE CCTE SMB Specialist
(1)