AkiYa
Explorer

Access role rule over VPN remote access

Hi all,

I need to create a rule to allow specific traffic towards specific IPs for some users AND their machines only.
The inline rule from within the LAN is working, so the ADuser+ADmachine+LAN combo can reach the IPs on specific ports; all the other traffic is dropped.
I've created another inline rule for the VPN-connected users (Office Mode, Check Point Mobile client), but the traffic is always dropped even though it enters the rule; I tried different combinations in the source and destination, but I can't understand if it's a problem in the policy or in the way the users are recognized through the VPN.

My current rule is this:

1-    src: Any   / dst: IP_1, IP_2 / VPN: RemoteAccess / svc: Any / action: (inline layer)

1.1- src: myAccess_Role (ADuser+ADmachine) / dst: Any / VPN: Any / svc: RDP, http / action: Accept

1.2- src: Any / dst: Any / VPN: Any / svc: Any / action: Drop

But I already tried changing the src in rule 1 (to myAccess_Role or the legacy "ADusersVPN@Any") and adding the Office Mode net to myAccess_Role.

Thanks for any help

0 Kudos
9 Replies
Chris_Atkinson
Employee

What identity sources are set in your Identity Awareness config for the relevant gateway/s?

0 Kudos
AkiYa
Explorer

Sorry for the late reply, the sources were:

Active Directory Query
Identity Collector
Remote Access

and today I've added the Identity Agent (but I'm not sure it is properly configured...).
Still not working though.

0 Kudos
the_rock
Champion

What I did for a customer I always work with is create a parent rule, say Office Mode to Any, any service, then a few access roles as child rules, and we never had a problem.

Can you send a screenshot? Sorry for spelling mistakes, was typing this on my phone.

Happy holidays.

Andy

0 Kudos
mcatanzaro
Employee

Hi,

If you are using remote access as your identity source then I don't think specifying a machine in your AR will work.

The way I would see to accomplish this would be to use the identity agent.

See below where my user identified with remote access was not matched to my AR that specified a user and machine group. You can also see that the user was correctly matched to the AR when sourced from the identity agent.

(attachment: 1.png)

What I found interesting with this is that the identity agent was able to take over the session even though it has a lower score than remote access per conciliation config. This is convenient in this case where we want both a user and machine association though.

0 Kudos
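To make the matching behaviour described above concrete, here is an added Python model of the rulebase from the question (constructed for this thread, not Check Point code): a parent rule with an inline layer whose child rule uses an access role naming both users and machines, evaluated against a session learned from Remote Access (user only) and one learned from the Identity Agent (user plus machine). The session fields, the `identify` helper and the port numbers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model: rule 1 (parent, dst IP_1/IP_2, VPN RemoteAccess) with an
# inline layer 1.1 (access role -> Accept) and 1.2 (cleanup -> Drop).
PROTECTED = {"IP_1", "IP_2"}
ALLOWED_PORTS = {3389, 80}          # RDP and http in rule 1.1 (assumed ports)


@dataclass
class Session:
    src_ip: str
    via_vpn: bool                   # traffic arrives through the RemoteAccess community
    user: Optional[str]             # AD user associated with the source IP
    machine: Optional[str]          # AD machine, only if the identity source learned it
    identity_source: str            # assumed names: "Remote Access" / "Identity Agent"


@dataclass
class AccessRole:
    users: set = field(default_factory=set)     # empty means "any user"
    machines: set = field(default_factory=set)  # empty means "any machine"

    def matches(self, s: Session) -> bool:
        # Every populated criterion must hold at once; a session with no
        # machine identity can never satisfy a role that names specific machines.
        if self.users and s.user not in self.users:
            return False
        if self.machines and (s.machine is None or s.machine not in self.machines):
            return False
        return True


def identify(src_ip: str, user: str, source: str, machine: Optional[str] = None) -> Session:
    # Assumption mirroring the thread: Remote Access only associates the
    # user with the Office Mode IP, while the Identity Agent also reports the machine.
    if source == "Remote Access":
        machine = None
    return Session(src_ip, True, user, machine, source)


def evaluate(role: AccessRole, s: Session, dst: str, port: int) -> str:
    # Rule 1: src Any / dst IP_1, IP_2 / VPN RemoteAccess -> enter inline layer
    if dst not in PROTECTED or not s.via_vpn:
        return "no match"           # rest of the policy decides
    # Rule 1.1: src access role / svc RDP, http -> Accept
    if role.matches(s) and port in ALLOWED_PORTS:
        return "Accept (1.1)"
    # Rule 1.2: layer cleanup -> Drop (this is the drop seen in the logs)
    return "Drop (1.2)"
```

Running `evaluate` with a user-plus-machine role shows the Remote Access session dropped by 1.2 and the Identity Agent session accepted by 1.1; removing the machines from the role lets the Remote Access session match, which is the behaviour reported later in the thread.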
AkiYa
Explorer

Thank you for the reply,

I've configured the Identity Agent (not sure if I did it the right way though, since the documentation is not very clear). I can see that my user is now identified by the ID Agent, but if I try to connect to the machines by RDP the traffic is still dropped.
I attach the current rule (no. 24); rule 24.1 is:

Networks: Any network
Users: Specified users/groups (5 AD users)
Machines: Specific machines/groups (5 AD clients)
Remote access clients: Any client

(attachment: 2022-01-10 15_46_23-10.20.0.240 - SmartConsole.png)

0 Kudos
AkiYa
Explorer

There is an update:

I've tried changing rule 24.1 to NOT specify the machine, and the rule is matched, so the problem is that machines are not recognized through the VPN: can you please explain to me how to configure the Identity Agent?
I've installed the client on my PC and set the cluster's active member as the Server; it says connected, but I'm sure this is not complete.
Thanks

0 Kudos
K_montalvo
Advisor

Hello,

What's the IP you get when doing an ipconfig (or ifconfig on Linux) when connected?

Is the internal network you are trying to reach different from the one configured for the Office Mode IP pool (the net you get in the ipconfig result)?

Do you have any errors you can provide screenshots of?


0 Kudos
AkiYa
Explorer

Hi,

I'm connected through VPN and I get an Office Mode IP, the rule should allow this traffic since it's set to Any network (I've also tried setting the Office Mode pool specifically).

I don't know which screenshots to provide, at this point it's just a matter of the rule not matching because the user role combo is not matched for the machine.
The Identity Agent is connected and installed as the full version, so I don't know where to configure it to recognize the machine.

0 Kudos
K_montalvo
Advisor

OK, check the Logs and Monitor tab to see if there's anything there you can identify and need to adjust a FW rule for. Also, at your own risk and just to test and identify the services/IPs etc. you need for the rules, you can try creating one above the last cleanup rule doing an any/any with the VPN community specified and Accept, then connect, see the logs matching that rule, and adjust the corresponding one if this is the case. That's all I can help with for now, so I don't know further; in case you have support, also open a TAC case.

0 Kudos