This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkiYa
Contributor
‎2021-12-23 07:21 AM

Access role rule over VPN remote access

Hi all,

I need to create a rule to allow specific traffic towards specific IPs for some users AND their machines only.
The inline rule from within the LAN is working, so the ADuser+ADmachine+LAN combo can reach the IPs on specific ports; All the other traffic is dropped.
I've created another inline rule for the VPN connected users (Office Mode, CheckPoint Mobile client) but the traffic is always dropped even though enters the rule; I tried different combinations in the source and destination, but I can't understand if it's a problem in the policy or in the way the users are recognized through the VPN.

My current rule is this:

1-    src: Any   / dst: IP_1, IP_2 / VPN: RemoteAccess / svc: Any / action: (inline layer)

1.1- src: myAccess_Role (ADuser+ADmachine) / dst: Any / VPN: Any / svc: RDP, http / action: Accept

1.2- src: Any / dst: Any / VPN: Any / svc: Any / action: Drop

But I already tried to change the src in the rule 1 (to myAccess_Role or legacy "ADusersVPN@Any"), adding the Office Mode net in the myAccess_Role.

Thanks for any help

0 Kudos
9 Replies
Chris_Atkinson
Employee Employee
Employee
‎2021-12-24 01:54 AM

What identity sources are set in your Identity Awareness config for the relevant gateway/s?

CCSM R77/R80/ELITE
0 Kudos
AkiYa
Contributor
‎2022-01-10 06:45 AM
In response to Chris_Atkinson

Sorry for the late reply, the sources were:

Active Directory Query
Identity Collector
Remote Access

and today I've added the Identity agent (but I'm not sure is properly configured...)
Still not working though.

0 Kudos
the_rock
Legend
Legend
‎2021-12-24 03:29 AM

What I did for customer I always work with is create parent rule say office mode to any, any service as parent rule, then few access roles as child rules and we never had a problem.

 

Can you send a screenshot? Sorry for spelling mistakes, was typing this on my phone.

 

Happy holidays.

Andy

0 Kudos
mcatanzaro
Employee
Employee
‎2021-12-24 08:52 PM

Hi,

If you are using remote access as your identity source then I don't think specifying a machine in your AR will work.

The way I would see to accomplish this would be to use the identity agent.

See below where my user identified with remote access was not matched to my AR that specified a user and machine group. You can also see that the user was correctly matched to the AR when sourced from the identity agent.

1.png

What I found interesting with this is that the identity agent was able to take over the session even though it has a lower score than remote access per conciliation config. This is convenient in this case where we want both a user and machine association though.

0 Kudos
AkiYa
Contributor
‎2022-01-10 07:01 AM
In response to mcatanzaro

Thank you for the reply,

I've configured the Identity Agent (not sure if I did it the right way though since the documentation is not very clear), I can see that my user now is identified by the ID Agent but if I try to connect to the machines by RDP the traffic is still dropped.
I attach the current rule (n. 24), the 24.1 is:

Networks: Any network
Users: Specified users/groups (5 AD users)
Machines: Specific machines/groups (5 AD clients)
Remote access clients: Any client

 

2022-01-10 15_46_23-10.20.0.240 - SmartConsole.png

 

0 Kudos
AkiYa
Contributor
‎2022-01-10 07:28 AM
In response to AkiYa

There is an update:

I've tried changing the rule 24.1 NOT specifying the machine and the rule is matched, so the problem is that machines are not recognized through the VPN: can you please explain me how to configure the Identity Agent?
I've installed the client on my pc and set the cluster active member as the Server, it says connected but I'm sure this is not complete.
Thanks

0 Kudos
K_montalvo
Advisor
‎2022-01-10 09:42 AM
In response to AkiYa

Hello,

Whats the IP you get when doing a ipconfig or ifconfig on Linux when connected?

The internal network you are triying to reach is different that the one configure for the office mode ip pool (the net you get with the ipconfig result?)

Do you have any error that can provide screenshots?

 

0 Kudos
AkiYa
Contributor
‎2022-01-10 11:32 PM
In response to K_montalvo

Hi,

I'm connected through VPN and I get an Office Mode IP, the rule should allow this traffic since it's set to Any network (I've also tried setting the Office Mode pool specifically).

I don't know which screenshots to provide, at this point it's just a matter of the rule not matching because the user role combo is not matched for the machine.
The identity agent is connected and installed as full version, so I don't know where to configure to recognize the machine.

0 Kudos
K_montalvo
Advisor
‎2022-01-11 04:46 AM
In response to AkiYa

Ok check the logs and monitor tab to see if there's anything there you can identify and need to adjust a FW rule. Also you can try at your own risk just to test and identify the services/ips etc you need for the rules to create one above the last cleanup rule doing an any any with the vpn community specified and accept then connect and see the logs matching that rule and adjust the corresponding one if this is the case. Thats all for now that i can help so i dont know further, i case you have support also open a TAC case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events