This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nmelay
Collaborator
‎2022-03-08 10:46 AM

Identity Agent IP exclusion

Hi all,

One of my customers recently started using a new remote access solution (from another vendor), which terminates on two "connectors" inside the corporate network.
Some of these remote users are also running the Identity Agent on their computer.
From the gateways's perspective, all of them are sharing the same two internal IP addresses.
This group of Identity Agents are thus competing for these IP's ownership, and make IA go crazy on the gateway.

I know the Identity Collector can be configured to exclude/ignore some specific IPs.
As far as I can see, no such provision has been made for the Identity Agent.

I guess I could try to solve this by blocking the Identity Agent from connecting to the gateway.
Is there a cleaner and more elegant way to do it?

0 Kudos
3 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-03-08 05:02 PM

Consult with TAC if the workaround proposed in sk111374 is valid for your use case (or self test).

CCSM R77/R80/ELITE
0 Kudos
nmelay
Collaborator
‎2022-03-08 05:53 PM
In response to Chris_Atkinson

Thanks Chris for checking on this.
This SK seems unrelated though: it's about AD Query conflicting with Identity Agent, and how to prevent it from doing so.
Here, only Identity Agents are in use.

In this setup, I actually want to disable any form of IA from occurring from the connectors IPs, as the user access policy security is handled by the third party product.
A few users just happen to be running the Identity Agent on their computers (so that they get correctly identified when they're  actually on site, vs remotely connected).

Is seems like the only identity sources that allow any kind of filtering are AD Query and Identity Collector.

Then again, I guess I just need to prevent the Identity Agent from being able to reach the gateway in the first place.
I'll just try this before getting involved with TAC.

0 Kudos
Tobias_Moritz
Advisor
‎2022-03-11 06:57 AM
In response to nmelay

Not sure if this works, but have you tried setting gateway properties -> Identity Awareness -> Identity Agent Settings -> Agent Access -> Accessibility: "According to the Firewall policy" in combination with appropriate rules allowing your on-site client networks and denying these twoe remote access connector IPs?

If this does not work because of implied rules, maybe you can disable implied rule for "Accept Identity Awareness control connections" in Global Properties -> Firewall and configure all needed rules for your Identity Awareness setup manually (including rules for Identity Sharing if in use)?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top