This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Tom_Cripps
Advisor
‎2019-07-24 05:12 AM

Multiple types of objects in source column leading to Policy Verification Failure

Hi all,

I'm wondering if anyone knows why and if there is a way around this other than creating a duplicate rule and removing the foreign objects from one rule and placing them in the duplicated rule.

 

Also, 

I'm curious if this is planned to be rectified in the near future?

 

Tom

Preview file
6 KB
0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2019-07-25 11:13 AM

Didn't realize this was a limitation.
What release are you using here?
0 Kudos
Tom_Cripps
Advisor
‎2019-07-29 03:31 AM
In response to PhoneBoy

Hi Damon,

SmartConsole version 105

Gateway and Mgmt HotFix 169 on R80.10.

 

Tom

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-30 08:39 AM
In response to Tom_Cripps

It's definitely not allowed in R80.20 either.

@Dima_M any ideas on this one?

0 Kudos
Dima_M
Employee
Employee
‎2019-07-31 05:46 AM
In response to PhoneBoy

@Tom_Cripps @PhoneBoy 

You're right, this behavior is by design, motivation is to prevent collisions.

Could you please share more details about your use case?

Access Role can represent Any User@Specific Network - do you think it will be useful in your case?

0 Kudos
Tom_Cripps
Advisor
‎2019-07-31 05:59 AM
In response to Dima_M

Hi Dima,

Okay, that's something we also thought about internally as well and I can see the reasoning behind it. 

All I wanted to avoid was including both an access role and networks in a single rule to avoid having two identical rules apart from the source column; not a huge deal just wondered if this was a fault I'd done or was by design.

Let me know though if you have any suggestions though?

Tom

0 Kudos
Dima_M
Employee
Employee
‎2019-07-31 07:22 AM
In response to Tom_Cripps

Hey Tom,

How about {Any/Any Identified Users/Machines} + {Specific Network} in access role - can it substitute the network object in your case?

0 Kudos
Tom_Cripps
Advisor
‎2019-08-02 12:21 AM
In response to Dima_M

Hi Dima,

That could potentially work, would take a slight redesign from our current standard, but seems like a viable option.

 

Thanks for the tip.

Tom.

0 Kudos
Norbert_Bohusch
Advisor
‎2019-08-01 12:40 AM
In response to Dima_M

I most often see a use case for this in the following scenario:
- Internally not using IA
- IA used only for RemoteAccess users
- RemoteAccess users are both internal employees and external contractors
- Traffic to a specific destination allowed for all internal users, which means using client network for internal clients and using Access Role for internal employees using RemoteAccess

In this case it doubles all "client to server" rules because of this limitation.

There are some possible workarounds for this:
1. create a shared layer with all client to server connections and assign it two parent rules with one having source client network, one having source access role of internal employees
2. assign RemoteAccess OM IPs differently for internal/external and use the relevant IPs for the source
3. Start using IA internally, which might be difficult because of some other limitations IA brings. Examples of such issues are: Identity Sharing via Site2Site VPN causes IPSec replay attacks in some cases, Identity Sharing between gateways managed by differend MDM domains is not that easys and so on....
4. your idea of using a Access Role limited only by network, which I must admit I wouldn't have thought off