This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ken2
Participant
‎2022-07-03 11:08 PM
Jump to solution

How to restrict a remote access user to only allowed to access to one subnet

Hi folks,

How to restrict a remote access user to only allowed to access to one subnet on spark 1600? Let say I have created a user call "UserA" and grant the remote access permission for that user. From Access Policy > Firewall Access Blade policy is Standard. No user awareness enabled. From Access Policy > Firewall Policy > Incoming, Internal and VPN traffic, I have a rule to allow UserA (source) to access to 192.168.10.0 (destination) for any service. 

But once UserA remotes access to the office, UserA can access any internal subnet but is not restricted to only access 192.168.10.0. Is there anything I have set the CheckPoint device wrongly? 

Thanks

Ken

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-07-04 01:33 AM
In response to ken2
Jump to solution

If there is a manual rule granting access to UserA he will - the other 14 users have no access then without new rules...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

(1)
5 Replies
_Val_
Admin
Admin
‎2022-07-04 12:50 AM
Jump to solution

Please add screenshots here

0 Kudos
ken2
Participant
‎2022-07-04 01:26 AM
In response to _Val_
Jump to solution

Here are the screenshots... 

UserA has remote access granted

userA_setting.png

From the Incoming, Internal and VPN traffic, I have created Onlyto Network object group in which only contain the 192.168.10.0 subnet. 

userA.pngbladesetting.PNG

There is another auto Generated rules referring to VPN Remote Access in which I do not have a clue of what it is. 

autogeneratedRule.PNGuserAwareness.PNG

Thanks _Val_

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-07-04 01:02 AM
Jump to solution

When enabling RA VPN, you check "allow traffic from Remote Access users" and a buildt-in rule is enabled. Disable it and your rule will work.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
ken2
Participant
‎2022-07-04 01:29 AM
In response to G_W_Albrecht
Jump to solution

 

Hi, thanks for you reply, too. Do you mean to uncheck the Allow traffic from Remote Access users checkbox in order to get the rule valid? If I uncheck the box, can UserA still be able to do remote access from the outside world? 

raSetting.PNG

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-07-04 01:33 AM
In response to ken2
Jump to solution

If there is a manual rule granting access to UserA he will - the other 14 users have no access then without new rules...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events