This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
constant69
Contributor
‎2020-11-08 11:58 AM
Jump to solution

Mobile Access - AD users not belonging to an access role have access to mobile access portal

Hi team,

I need your help on this matter.

 

Here is the environment

  • R80.40
  • Dedicated Management
  • Cluster of 5600

We are using MS Active Directory Integration with Access Mobile Access and we defined access role.

But, AD users not belonging to an access role have access to mobile access portal, why ? In the log we see in the usergroup_-"user do not belong to any group".

I want to know if this is an expected behaviour ? from my understanding, an Access Role is how the firewall determines what users are allowed access and those that are not define will be dropped.

Regards

Labels
0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2020-11-09 05:40 AM
In response to constant69
Jump to solution

Ok, looks like expected behaviour.

If the gateway is member of the remote access community and the "participant user groups" ist set to "all users" this is working as designed.

The users can authenticate but have no access to any MOB application or VPN connection.

If you want to limit to a specific usergroup you have to define them and replace the "all users". If you don't use any remote-access VPN on your gateway (SSL extender, checkpoint mobile etc.) you can remove the gateway from the remote access community.

Wolfgang

Wolfgang

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-11-08 05:23 PM
Jump to solution

It may be depending on how you've configured it.
Screenshots of the relevant configuration would be helpful.

0 Kudos
constant69
Contributor
‎2020-11-08 11:54 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

Thank for your reply.

This is a basic configuration in R80.40 ( I have the same behavior in my lab R80.10)

- 2 Access roles

- 2 rules with the both access roles in the source and mobile access application

I have attached screenshots

 

Regards

Access_roles.png
Preview file
6 KB
Detail-one-access-role.png
Preview file
24 KB
Logs-related_user_belon_access_role.png
Preview file
39 KB
Logs-related_user_not_belong_access_role.png
Preview file
33 KB
Firewall_rules.png
Preview file
21 KB
0 Kudos
Wolfgang
Authority
Authority
‎2020-11-09 02:24 AM
In response to constant69
Jump to solution

@constant69 

are the users with no group-mebership able to login only and did not see any MOB-defined application ?

Wolfgang

0 Kudos
constant69
Contributor
‎2020-11-09 04:47 AM
In response to constant69
Jump to solution

Hi,

The users with no group-membership are able to login only and they did not see any MOB-defined application,

Regards

0 Kudos
Wolfgang
Authority
Authority
‎2020-11-09 05:40 AM
In response to constant69
Jump to solution

Ok, looks like expected behaviour.

If the gateway is member of the remote access community and the "participant user groups" ist set to "all users" this is working as designed.

The users can authenticate but have no access to any MOB application or VPN connection.

If you want to limit to a specific usergroup you have to define them and replace the "all users". If you don't use any remote-access VPN on your gateway (SSL extender, checkpoint mobile etc.) you can remove the gateway from the remote access community.

Wolfgang

Wolfgang

0 Kudos
constant69
Contributor
‎2020-11-09 05:48 AM
In response to Wolfgang
Jump to solution

Thank for your help on this matter.

To sum up, as we cannot select Access Roles, the following procedure is relevant
1) Create a ldap group that containt the AD users allowed
2) Then, select the previous ldap group in the remote access community

Regards

0 Kudos
constant69
Contributor
‎2020-11-10 07:02 AM
In response to constant69
Jump to solution

Hi Wolfgang,

Thank for your help on this matter: that solved my issue!

Regards

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top