ken2
Explorer

How to restrict a remote access user to accessing only one subnet


Hi folks,

How do I restrict a remote access user so that they are only allowed to access one subnet on a Spark 1600? Let's say I have created a user called "UserA" and granted the remote access permission for that user. From Access Policy > Firewall Access Blade, the policy is Standard. No user awareness is enabled. From Access Policy > Firewall Policy > Incoming, Internal and VPN traffic, I have a rule to allow UserA (source) to access 192.168.10.0 (destination) for any service.

But once UserA remotely accesses the office, UserA can access any internal subnet and is not restricted to only 192.168.10.0. Is there anything I have set up wrongly on the Check Point device?

Thanks

Ken

5 Replies
_Val_
Admin

Please add screenshots here

ken2
Explorer

Here are the screenshots... 

UserA has remote access granted

[screenshot: userA_setting.png]

From the Incoming, Internal and VPN traffic policy, I have created an "Onlyto" network object group which contains only the 192.168.10.0 subnet.

[screenshots: userA.png, bladesetting.PNG]

There is another auto-generated rule referring to VPN Remote Access, which I do not have a clue about.

[screenshots: autogeneratedRule.PNG, userAwareness.PNG]

Thanks _Val_

G_W_Albrecht
Legend

When enabling RA VPN, you check "Allow traffic from Remote Access users" and a built-in rule is enabled. Disable it and your rule will work.

CCSE CCTE SMB Specialist
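The mechanism behind that answer is first-match rule evaluation: a built-in rule that accepts any traffic from Remote Access users sits above the manual UserA rule, so the manual rule is shadowed and never decides anything until the built-in rule is disabled. The following Python model is an added example written for this thread, not Check Point code and not a model of the real appliance's rule base; the rule names, the group name "Remote Access users", the sample user "UserB", the /24 prefix length for 192.168.10.0 and the default-deny cleanup are all constructed assumptions.

```python
"""Toy first-match firewall policy evaluator (added example, not Check Point code).

It reproduces the situation in the thread: a built-in "allow traffic from
Remote Access users" rule above a manual rule limiting UserA to 192.168.10.0/24.
With first-match semantics the broad rule wins, so the manual rule is shadowed.
Disabling the built-in rule lets the manual rule decide, and the assumed
implicit cleanup (default deny) drops everything else, including other RA users
who have no manual rule of their own.
"""
import ipaddress
from dataclasses import dataclass, replace

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One access rule. Field layout and names are constructed for this example."""
    name: str
    source: str        # a user name, a user-group name, or ANY
    destination: str   # a CIDR prefix or ANY
    action: str        # "accept" or "drop"
    enabled: bool = True


def rule_matches(rule: Rule, user: str, dst_ip: str, user_groups: frozenset) -> bool:
    """Disabled rules never match; the source matches the user or one of its groups."""
    if not rule.enabled:
        return False
    src_ok = rule.source in (ANY, user) or rule.source in user_groups
    dst_ok = rule.destination == ANY or (
        ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination)
    )
    return src_ok and dst_ok


def evaluate(policy, user, dst_ip, user_groups=frozenset()):
    """First-match evaluation: the first matching rule decides.
    No match falls through to an assumed implicit cleanup rule (drop)."""
    for rule in policy:
        if rule_matches(rule, user, dst_ip, user_groups):
            return rule.action, rule.name
    return "drop", "implicit cleanup"


def shadowed_rules(policy, flows):
    """Enabled rules that never become the deciding rule for any sample flow."""
    deciding = {evaluate(policy, u, d, g)[1] for u, d, g in flows}
    return [r.name for r in policy if r.enabled and r.name not in deciding]


# Constructed rule base mirroring the thread (names are assumptions).
AUTO_RA_RULE = Rule("Allow traffic from Remote Access users",
                    "Remote Access users", ANY, "accept")
MANUAL_RULE = Rule("UserA to Onlyto", "UserA", "192.168.10.0/24", "accept")
RA_GROUPS = frozenset({"Remote Access users"})


def policy_as_found():
    """Checkbox ticked: built-in rule enabled and ordered above the manual rule."""
    return [AUTO_RA_RULE, MANUAL_RULE]


def policy_after_fix():
    """Checkbox cleared: built-in rule disabled, only the manual rule accepts."""
    return [replace(AUTO_RA_RULE, enabled=False), MANUAL_RULE]


# Constructed sample flows: user, destination IP, the user's groups.
SAMPLE_FLOWS = [
    ("UserA", "192.168.10.7", RA_GROUPS),   # the one permitted subnet
    ("UserA", "192.168.20.5", RA_GROUPS),   # some other internal subnet
    ("UserB", "192.168.10.7", RA_GROUPS),   # another RA user without a manual rule
]

if __name__ == "__main__":
    for label, policy in (("as found", policy_as_found()), ("after fix", policy_after_fix())):
        print(f"== policy {label} ==")
        for user, dst, groups in SAMPLE_FLOWS:
            action, by = evaluate(policy, user, dst, groups)
            print(f"  {user} -> {dst}: {action} (decided by '{by}')")
        print("  shadowed rules:", shadowed_rules(policy, SAMPLE_FLOWS))
```

Running it shows the "as found" policy accepting every flow through the built-in rule and reporting the manual rule as shadowed; after the fix, UserA reaches 192.168.10.7, is dropped for 192.168.20.5, and UserB is dropped everywhere, which is the side effect the accepted answer warns about. The `shadowed_rules` check is the kind of sanity test worth running against any rule base before relying on a narrow rule placed below a broad one.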
ken2
Explorer


Hi, thanks for your reply, too. Do you mean to uncheck the "Allow traffic from Remote Access users" checkbox in order to make the rule effective? If I uncheck the box, will UserA still be able to do remote access from the outside world?

[screenshot: raSetting.PNG]

G_W_Albrecht
Legend

Accepted solution

If there is a manual rule granting access to UserA, he will; the other 14 users then have no access without new rules...

CCSE CCTE SMB Specialist