I suspect I'm missing something obvious, so I'm after some help please.
I've set up remote access using Azure AD auth (Identity Provider) - both for Mobile Access (with SNX) and client VPN. Both authenticate fine and I get an Office Mode IP. Great.
I've configured an Access Role where I've specified certain users from Azure AD. When I click "add" it browses Azure AD with no problem, and I select the users I want.
The Access Role is in a rule allowing access to the LAN.
But it doesn't work. It's as if nothing is being picked up on that Access Role rule. Traffic is dropped on the cleanup.
If I add a rule lower down to allow the Office Mode net to get to the LAN, then my traffic works on that rule.
I can't work out why my traffic isn't allowed on the Access Role rule which has my Azure name in it. Obviously I don't want to leave the Office Mode rule in, otherwise I have no way of creating rules based on the person. I presumed Access Roles should do this but they are being completely ignored 😞
I've tried with and without Remote Access in the VPN column, and also tried with Captive Portal in the Accept column. No difference...
Does anyone have any ideas please?!
With some help from TAC I got it working. The current instructions from CP don't quite give the full story, so I've attached some notes to supplement and clarify some steps. The golden rule is - don't miss any steps in SK172909, and don't miss any steps in my attached supplementary notes which fill in some critical gaps in SK172909.
If anyone finds a different/simpler way to achieve this I'd love to know 🙂
Hey Matt,
Interesting issue for sure... I have experience with access roles, as I constantly work with customers who use identity awareness. Here are some basics I would check... so, when it does not work, say the username is (for argument's sake) john123. If you ran the command on the firewall pdp monitor user john123... do you see anything at all? If not, what happens if you run pdp update all and try after 30 seconds or so?
In case you still don't see anything, are there any logs at all on that rule since you created it?
What do you see if you run adlog a dc command?
I have some time Thursday, happy to do remote session and see if we can fix this for you.
I've done some more testing following installation of T38 and I've noticed the following behaviour.
When my access role is set to Users > All Identified Users, then my client traffic to the LAN works via the correct Access Role rule number, and I see the following on the gateway:
[Expert@xxxxxxxx:0]# pdp monitor user matt.dunn@xxxxxxxx.co.uk
Session: 8874a8a4
Session UUID: {A496290D-51C6-D19F-FA8A-CCA85A19F050}
Ip: 192.168.51.4
Users:
Matt.Dunn@xxxxxxxx.co.uk {ecc188a5}
LogUsername: Matt.Dunn@xxxxxxxxx.co.uk
Groups: All Users
Roles: Azure_AD_VPN_Client_Users
Client Type: Remote Access
Authentication Method: Trust
Distinguished Name:
Connect Time: Thu Mar 24 09:35:31 2022
Next Reauthentication: Thu Mar 24 17:36:01 2022
Next Connectivity Check: -
Next Ldap Fetch: -
Packet Tagging Status: Not Active
Published Gateways: Local
*****************************************************************
But, if I set my access role to Users > Specific Users then it does not work, and I get the following on the gateway:
[Expert@xxxxxxxx:0]# pdp monitor user matt.dunn@xxxxxxxx.co.uk
Session: 63d74b8b
Session UUID: {7B3C4106-7A78-07D5-13FA-4E5EFC0322F5}
Ip: 192.168.51.4
Users:
Matt.Dunn@xxxxxxxx.co.uk {04a3d0c5}
LogUsername: Matt.Dunn@xxxxxxxx.co.uk
Groups: All Users
Roles: -
Client Type: Remote Access
Authentication Method: Trust
Distinguished Name:
Connect Time: Thu Mar 24 10:04:36 2022
Next Reauthentication: Thu Mar 24 18:05:06 2022
Next Connectivity Check: -
Next Ldap Fetch: -
Packet Tagging Status: Not Active
Published Gateways: Local
*****************************************************************
Notice when I specify users, and I log in as one of the specified users, the gateway no longer detects me as belonging to that access role. The "Roles:-" line is empty.
When I change back again to All Identified Users then it works again, the "Roles:-" line is populated again, and pdp monitor shows me in that access role.
So now the issue is - why doesn't it work when I specify usernames in the Access Role?
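Added example, not code from the thread: a small Python parser for the pdp monitor output shown above that picks out sessions whose user was identified but matched no Access Role (the "Roles: -" case). The sample text, domain and session ids are constructed to follow the field layout in the thread.

```python
import re

# Constructed sample following the field layout shown in the thread (domain and ids
# are made up). Block 1 matched an Access Role; block 2 shows the "Roles: -" symptom.
SAMPLE = """\
Session: 8874a8a4
Ip: 192.168.51.4
Users:
Matt.Dunn@example.co.uk {ecc188a5}
LogUsername: Matt.Dunn@example.co.uk
Groups: All Users
Roles: Azure_AD_VPN_Client_Users
*****************************************************************
Session: 63d74b8b
Ip: 192.168.51.4
Users:
Matt.Dunn@example.co.uk {04a3d0c5}
LogUsername: Matt.Dunn@example.co.uk
Groups: All Users
Roles: -
*****************************************************************
"""

def parse_pdp_monitor(text):
    """One dict per session block, keyed by the field names pdp prints."""
    sessions = []
    for block in re.split(r"^\*{5,}\s*$", text, flags=re.MULTILINE):
        sess, users, in_users = {}, [], False
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("["):   # skip blanks and the shell prompt
                continue
            if line == "Users:":
                in_users = True
            elif in_users and ":" not in line:     # "user {session-id}" entries
                users.append(line.split(" {")[0])
            else:
                in_users = False
                key, _, val = line.partition(":")
                sess[key.strip()] = val.strip()
        if "Session" in sess:
            roles = sess.get("Roles", "-")
            sess["Users"] = users
            sess["Roles"] = [] if roles in ("", "-") else [r.strip() for r in roles.split(",")]
            sessions.append(sess)
    return sessions

def unmatched_sessions(text):
    """Identified sessions with no Access Role: identity rules will not match them."""
    return [(s["Ip"], s["Users"]) for s in parse_pdp_monitor(text) if not s["Roles"]]
```

Paste real `pdp monitor user` output into `unmatched_sessions` to confirm whether the rule is being skipped because no role was assigned rather than because the identity is missing.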
I really wish I could give you a logical answer, but I don't know at this point. I would do IA debugs and see if we can pinpoint a reason. I will find the debugs TAC sent me once and send them to you here.
Andy
Thanks Andy. I take a bit of comfort in the knowledge I'm not doing anything completely obviously wrong at this stage?!
Do you have time for remote session? I think we spoke once before during COVID, you are in UK if I recall? If so, if you are free at say 2 pm your time, just message me privately and we can do remote...I have some ideas.
Andy
Hi,
On the gateway object, Identity Awareness tab, is the "Remote Access" option checked on the list of Identity Sources? After the VPN client connects to the gateway, check if the firewall has any identity related to that IP: "pdp monitor ip X.X.X.X" or "pep show user all | grep X.X.X.X"
Regards
Forgot that part about remote access, good point.
Amazing job Matt, thanks for that!
Andy
Thanks - I needed to follow your AAD instructions to get matches on my AAD Identity Awareness policies. Much appreciated 🙂
Hello biskit
Ditto, I'm facing the same issue. But now I'm trying this on my trial Azure AD (Groups is not possible) and using users. Could you please help me with more details.
Hi Biskit
I'm also facing the same challenge, but in my case I'm using the CloudGuard gateways (GCP). I tried the document you have shared but no luck for me. Could you please help me to resolve this.