ramon_efca
Participant

How to hide internal IP networks attached to Security Gateways from the Mobile Access users

Hi Check Point colleagues,

We have configured remote access in a Security Gateway with 81.10. We followed the common steps creating users, groups, access rules, etc, and also configured a VPN Community with topology "Remote Access" and VPN Domain all internal networks that can be accessible from MA users. It is important to note that MA users can only access to networks allowed in the Access control policies that applied to each of them.

The problem is that any MA user connected to the SSL VPN can list all these VPN Domain networks just running "route print".

How can I hide VPN Domain networks from MA users and show only networks allowed in the policies?

 

Thanks in advance.

12 Replies
_Val_
Admin

Change your VPN domain object and list only networks allowed by the policy and not all internal networks. Reinstall policy, then it should be okay.

ramon_efca
Participant

Thanks for your answers, but it is a little bit complex. We have 6 different user groups, with 6 different access roles. Each of these access roles has a specific policy to allow access to 6 different internal network ranges.

The problem I found is that I can only have one "Remote Access" VPN community, and only one VPN Domain associated to the participating Gateway. So I have to add the 6 different internal network ranges to this VPN Domain.

the_rock
Legend

There was never a way to add more than one RA community, not possible.

Andy

the_rock
Legend

What @_Val_ said 100% makes perfect sense, that's what you need to do.

Andy

PhoneBoy
Admin

All users who connect to your gateway will receive routes for all configured networks in your RemoteAccess encryption domain.
This is expected behavior at current.

the_rock
Legend

I think it's been that way since a long time ago. Not sure what @ramon_efca wants to do is even possible...

Andy

ramon_efca
Participant

OK, probably. This is my first time with Mobile Access. I have experience with other VPN SSL providers that you can define different "realms", with completely isolated accesses. I thought the Check Point equivalent would be Remote Access VPN Communities, but if you can only have one, I see no alternatives.

Thanks!

the_rock
Legend

Yea, sorry, it was never possible to have more than one.

Andy

PhoneBoy
Admin

With Traditional Mode VPN (deprecated in R60), I believe it actually was possible to do something like this.

Note that you can still restrict access to the various subnets today, just not prevent the inaccessible subnets from showing up in the client's routing table.

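To make the behaviour PhoneBoy describes concrete, here is an added example (not part of the thread and not Check Point code) that audits the gap between what a Remote Access client is shown and what its policy permits. It assumes constructed data: six access roles, each allowed one internal range, and a constructed excerpt of a Windows `route print` table from a client. Because a gateway has one Remote Access VPN Domain, that domain is the union of every role's networks, so every client gets every route; the script lists, per role, the routes that are visible in the client's routing table but blocked by policy, and can run the same check against a captured `route print`.

```python
"""Audit which Remote Access VPN routes a user can see but is not allowed to use.

Added example, not from the thread or from Check Point. All data below is
constructed: six access roles with one allowed range each, and a made-up
excerpt of a Windows "route print" table captured on an SSL VPN client.
"""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses

# Constructed sample data: access role -> networks allowed by its policy rule.
GROUP_ALLOWED = {
    "group1": ["10.1.0.0/24"],
    "group2": ["10.2.0.0/24"],
    "group3": ["10.3.0.0/24"],
    "group4": ["10.4.0.0/22"],
    "group5": ["10.10.0.0/16"],
    "group6": ["192.168.50.0/24"],
}

# Constructed "route print" excerpt from a client of the gateway above.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.20     25
         10.1.0.0    255.255.255.0     172.16.9.1     172.16.9.33      1
         10.2.0.0    255.255.255.0     172.16.9.1     172.16.9.33      1
         10.3.0.0    255.255.255.0     172.16.9.1     172.16.9.33      1
         10.4.0.0    255.255.252.0     172.16.9.1     172.16.9.33      1
        10.10.0.0      255.255.0.0     172.16.9.1     172.16.9.33      1
        127.0.0.0        255.0.0.0         On-link      127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link      127.0.0.1    331
     192.168.50.0    255.255.255.0     172.16.9.1     172.16.9.33      1
        224.0.0.0        240.0.0.0         On-link      127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      127.0.0.1    331
===========================================================================
"""


def vpn_domain(group_allowed):
    """The single RA VPN Domain must cover every role's networks: their union."""
    nets = [IPv4Network(n) for nets in group_allowed.values() for n in nets]
    return sorted(collapse_addresses(nets))


def exposed_routes(domain, allowed):
    """Parts of the pushed domain that the given role's policy does not permit."""
    remaining = list(domain)
    for a in (IPv4Network(n) for n in allowed):
        carved = []
        for r in remaining:
            if r.subnet_of(a):
                continue                              # route fully permitted
            if a.subnet_of(r):
                carved.extend(r.address_exclude(a))   # carve out the permitted part
            else:
                carved.append(r)
        remaining = carved
    return sorted(collapse_addresses(remaining))


def audit(group_allowed):
    """Per role: routes every client receives that this role's policy blocks."""
    domain = vpn_domain(group_allowed)
    return {g: [str(r) for r in exposed_routes(domain, allowed)]
            for g, allowed in group_allowed.items()}


def parse_route_print(text):
    """Pull IPv4 network routes out of a Windows 'route print' table.

    Keeps rows shaped 'destination netmask gateway interface metric' and drops
    the default, loopback, multicast and host routes, which are never VPN
    Domain networks.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = IPv4Network((parts[0], parts[1]))
            IPv4Address(parts[3])                     # interface column must be an address
        except ValueError:
            continue                                  # header or non-route row
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        routes.append(net)
    return sorted(set(routes))


def client_routes_outside_policy(route_print_text, allowed):
    """Routes in a captured client routing table that the user's policy blocks."""
    return [str(r) for r in exposed_routes(parse_route_print(route_print_text), allowed)]


if __name__ == "__main__":
    for group, routes in audit(GROUP_ALLOWED).items():
        print(f"{group}: visible but blocked -> {routes}")
    print("group2 client:", client_routes_outside_policy(ROUTE_PRINT_SAMPLE, GROUP_ALLOWED["group2"]))
```

The audit output is what a reviewer would look at before deciding, as _Val_ suggests, to trim the VPN Domain to the networks the policy actually allows: every entry it lists is reachable-looking but policy-blocked, which is exactly the exposure the original question is about. `exposed_routes` also handles a VPN Domain defined as one large supernet, carving out the permitted ranges rather than reporting the whole block.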
the_rock
Legend

Hey Ramon,

Just to make sure, and please forgive me if I'm way off here when I say this, but it sounds like you want to do something along the lines where, say, different users can be assigned to different realms?

This was the answer I got from TAC on January 6th 2022, but does not appear this is still possible.

******************************

Hello Andy, 

After consulting with escalations, assigning specific users to desired authentication method in Check Point Multiple Login Options is not a supported feature yet, and there is already an existing RFE submitted for that. However, you can configure only RADIUS authentication, and have the RADIUS server determine who gets MFA or who does not, meaning configure the MFA on the RADIUS server/Using DUO or some other MFA services on the account itself instead of having the gateway to do the MFA. 

ramon_efca
Participant

Yes, I would like to create different isolated realms with different groups of users and different internal network access. For example, if I want to have group1 with access to internal network1, and group2 with access to internal network2, I do not want user1 from group1 to be able to see network2 on his device (with the SSL Network Extender client) just by executing "route print", and vice versa. But if I need to add network1 and network2 to the only VPN Domain that I can associate to the Gateway in the RA VPN Community, it seems that it would not be possible.

The answer you got is related to authentication method, but for me, in this case it is not a problem.

Thanks.

the_rock
Legend

K, got it. 

Andy
