This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2024-01-03 11:14 AM
Jump to solution

Identity Awareness questions

Good Afternoon everyone and Happy New Year!

As mentioned in my prior post before the holidays, I'd like to limit a network resource to a certain group of users/laptops for auditing purposes.  Every user has their own laptop.

While in the office, this would be a fairly easy task by simply assigning static IPs to the 4 users, then creating a Check Point access rule limiting access to this resource to these 4 host machines.

The prickly part is for when these same 4 users WFH.  I'm pretty sure I could assign static IPs via Check Point to these 4 users by editing the ipassignment.conf file (correct me if I'm wrong) while still using my normal Check Point IP pool for all other WFH users.

It was suggested that I go the Identity Awareness route as this would scale much better and be much easier to change on the fly by simply adding/deleting  members from my AD security group.

Fortunately, I have a non-production Check Point AIO device running R81.20 at our DR site that I can test this out on.

Here are the steps I've taken so far:

  • Enabled the Identity Awareness blade on my test Check Point in DR and configured it to use the AD controller at the same site.
  • Created an "Access Role" test object.  Right now, it only contains my AD user account. 
  • Enabled Identity Logging under the "Management" tab in the gateway "General Properties."

Created an Access Role object:
Access Role object
Networks:Any   
Users:Specific users/groups - Me
Machines:Any
Remote Access Clients:Any

Created an access rule
Source - "Access Role" object
Destination - network resource
VPN - Any
Services & Applications - Any
Action - Drop

  • Installed database (not sure if this needed to be done) and installed policy.
  • Then I tested by running a ping to the off-limits network resource. 

I was able to still ping...

 

Obviously, I'm missing something.

 

As always, any help is always appreciated.

 

Labels
0 Kudos
1 Solution

Accepted Solutions
Joe_Kanaszka
Advisor
‎2024-01-04 09:34 AM
In response to the_rock
Jump to solution

Good Afternoon Andy and thank you for the prompt reply - it's much appreciated!  

So you were right - without enabling the IA blade - you can create an Access Role object - but you cannot create an access rule.  If you try and install policy without enabling the IA blade first you'll get an error.

So...this discussion just got a bit easier.  Please correct me if I'm wrong. 

We cannot use IA for our mobile users - IA does not support NAT.  When my mobile users come in, they are using an IP from the Check Point IP pool - these IPS are not part of our internal nets established on the Check Point interfaces.  If a WFH users tries to access an internal resource, they get assigned the internal IP of the Check Point.   Ugh.  Am I correct in my conclusion?

 

 

View solution in original post

0 Kudos
16 Replies
the_rock
Legend
Legend
‎2024-01-03 11:31 AM
Jump to solution

Hey Joe,

Happy new year mate. Can you see which rule traffic is accepted on? Seems to me its skipping rule you created with access role...

Best,

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-01-03 11:37 AM
In response to the_rock
Jump to solution

Hey Rock - Happy New Year!

 

I was thinking this may be the case.  It's almost like these rules need to be on top before any other rules..

In my case - for doing what I need to do, I probably need two rules:

Rule 1

Source:allowed users

Destination:resource

Action: Accept

Rule 2

Source:everyone else

Destination:resource

Action:drop

 

Thoughts?

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-03 11:43 AM
In response to Joe_Kanaszka
Jump to solution

Thats it buddy...OR, the other way around works too, block 1st, allow 2nd. Sort of like geo block method.

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-01-03 12:02 PM
In response to the_rock
Jump to solution

Ok - I'm gonna test out.  Thanks again man!

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-03 12:30 PM
In response to Joe_Kanaszka
Jump to solution

My first corny joke of 2024...for you, no charge...EXCEPT Iphone charge 🙂

Best,

Andy

 

 

(1)
Joe_Kanaszka
Advisor
‎2024-01-03 12:33 PM
In response to the_rock
Jump to solution

@the_rock wrote:

My first corny joke of 2024...for you, no charge...EXCEPT Iphone charge 🙂

Best,

Andy

 

 

Oooomph.   (Dad joke alert)

 

LOL!   😂

(1)
the_rock
Legend
Legend
‎2024-01-03 12:35 PM
In response to Joe_Kanaszka
Jump to solution

hahaha...no kids here, so cant use it on them, BUT, I pretty much tell that to anyone and they "forcefully" laugh, so I would not get offended...but, Im eastern European, we humanly dont get offended to anything LOL

Best,

Andy

Joe_Kanaszka
Advisor
‎2024-01-03 12:52 PM
In response to the_rock
Jump to solution

My family hates when I spew my dad humor.  They roll their eyes and sigh.  😁

One more question for you my friend.

My boss may want to go the static IP route - (this is an auditor's request/question from last year) - so he may simply want to give them what they are asking for - even though we know that IA is probable the best solution. 

I'd like to have two choices to show him and let him decide which way to go.

So with that being said, how best to use the ipassignment.conf file in an Active Directory environment?  Can we integrate it with our Active Directory, or simply create an allowed users group object in the local Check Point database?

Here's my wish list:

Be able to add remove users on the fly to our Active Directory group OU and have the ipassignement.conf reference this.  Then assign static IPs to this AD group.  (By the way - this will only be applicable for WFH users when they connect to our gateway via the Check Point Mobile client.  When these users are in the office - I could assign them static IPs like we would usually do.)

So my access rule would have two sources:  The IPs of the WFH users and the IPs of the same users but in the office.

 

Thank you again!  

 

 

 

 

 

 

 

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-03 01:05 PM
In response to Joe_Kanaszka
Jump to solution

Will have to double check on that and let you know, but I believe its possible.

Best

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-01-03 01:19 PM
In response to the_rock
Jump to solution

Cool  Thanks Andy!  Just thought of another question my boss may ask.  Why enable Identity Awreness blade?  I'm guessing so you can see the user information in logging?  Otherwise you can create an Access Role object and create access rules without having the IA blade enabled...

 

Thanks again sir!

0 Kudos
the_rock
Legend
Legend
‎2024-01-03 04:56 PM
In response to Joe_Kanaszka
Jump to solution

K, so just checked some old notes and yes, you can modify ipassignment.conf file with groups as sk indicates, as long as they match with what you have on AD side. TAC confirmed this while ago in case we had for a customer.

Btw, below is sk Im referring to:

https://support.checkpoint.com/results/sk/sk33422

Now...WHY enable IA blade? Im sure different people may give you different answers, but personally, here is what I ALWAYS say to people. Its because logs will follow the user no matter where they log in, otherwise, good luck tracking it down by an IP address. And yes, you do have to have IA blade enabled to create access roles, otherwise, policy would never install without it.

Hope that helps.

Best,

Andy

(1)
the_rock
Legend
Legend
‎2024-01-03 04:57 PM
In response to Joe_Kanaszka
Jump to solution

And btw, no need to call me sir, Im not that old...Im just 44 lol

You can call me Andy or Rock or Larry or mr Portokalo, I wont be offended, I promise 🤣🤣

Joe_Kanaszka
Advisor
‎2024-01-04 09:34 AM
In response to the_rock
Jump to solution

Good Afternoon Andy and thank you for the prompt reply - it's much appreciated!  

So you were right - without enabling the IA blade - you can create an Access Role object - but you cannot create an access rule.  If you try and install policy without enabling the IA blade first you'll get an error.

So...this discussion just got a bit easier.  Please correct me if I'm wrong. 

We cannot use IA for our mobile users - IA does not support NAT.  When my mobile users come in, they are using an IP from the Check Point IP pool - these IPS are not part of our internal nets established on the Check Point interfaces.  If a WFH users tries to access an internal resource, they get assigned the internal IP of the Check Point.   Ugh.  Am I correct in my conclusion?

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-04 09:37 AM
In response to Joe_Kanaszka
Jump to solution

Thats it brother : - )

Best,

Andy

(1)
Joe_Kanaszka
Advisor
‎2024-01-04 10:59 AM
In response to the_rock
Jump to solution

Thanks again Andy.  By the way, I'm 53.  At every company I've worked at we've taken to calling all our colleagues sir.  It's just a thing now that I say to my male colleagues. 🙂  

 

Have a good one!

 

-Joe

0 Kudos
the_rock
Legend
Legend
‎2024-01-04 11:00 AM
In response to Joe_Kanaszka
Jump to solution

Man, you are young buck then, is that how they say? You can tell English is not my first language 🤣🤣

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events