This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kolobok
Explorer
‎2022-02-22 07:19 PM

Limit management access

Hello,

I am at the beginning of my journey with CheckPoints. Starting with 1570W. The Security Gateway is very easy to understand and learn. 

I have a question, which I couldn't find the answer for. The gateway is being used as default gateway for 3 subnets - 192.168.1.X, 192.168.2.X and 192.168.99.X. The third subnets is for management.

I would like to limit the management accessibility in such a way that admins will be able to access the firewall just by the management IP address. Currently, any person on these 3 subnets can access the firewall over port 4434.

I tried to make a policy, which prevents access over port 4434 to the IP address other then the management IP, but this didn't work.

Can you please advise if this is achievable? 

0 Kudos
8 Replies
Danny
MVP Platinum
MVP Platinum
‎2022-02-22 11:36 PM

Can you show us your prevent configuration? What does your firewall log show?

G_W_Albrecht
MVP Silver
MVP Silver
‎2022-02-23 01:15 AM

If you have fixed IPs on the internal networks, you can configure Device > System > Admin Access to let just selected users log in from these 3 subnets...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-02-23 03:48 AM
In response to G_W_Albrecht

@_Val_  - can you put this to SMB ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_
Admin
Admin
‎2022-02-23 06:57 AM
In response to G_W_Albrecht

done

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-02-23 07:58 AM

@Danny made a good point...maybe if you send us few screenshots showing how this is configured, we would get better idea to assist you.

Best,
Andy
0 Kudos
Kolobok
Explorer
‎2022-02-23 07:19 PM
In response to the_rock

Here is a screenshot of the internal interfaces. 

The idea is to allow manage the firewall just by accessing the 192.168.99.1 and prevent the ability to manage it through 192.168.10.1 or 192.168.20.1.

Preview file
9 KB
0 Kudos
K_montalvo
Advisor
‎2022-02-24 10:44 AM
In response to Kolobok

Hello,

I found this on the CP_R80.20.35_1500_1600_1800_Appliance_Series_AdminGuide_Locally_Managed starting on page 109; The Device > Administrator Access page lets you configure the IP addresses and interface sources that
administrators can use to access the Quantum Spark Appliance. You can also configure the Web and SSH
ports.

I don't know witch Embedded Gaia are you running but you can see if the above works for you,

https://sc1.checkpoint.com/documents/SMB_R80.20.35/AdminGuides/Locally_Managed/EN/Topics/Quantum-Spa...

 

Thanks!

0 Kudos
K_montalvo
Advisor
‎2022-02-23 01:36 PM

When you said any person can access the firewall are you referring to accounts with admin permissions?

What you are trying is just that the firewall is reachable via 1 IP address only or to just permit access using the least privilege mode to only specific admins accounts?

What are your expectations, please elaborate,

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events