Joe_Kanaszka
Advisor

Need to create an access control policy to restrict access to a network object

Good morning!  I need some advice and guidance.  I've been tasked with restricting access to a network object to a small group of department users for auditing purposes.  The access rule should permit access to this object only to members of this department.

We are a small shop of 25 users.  The department that should be allowed access has 5 members.

We are in a hybrid environment - both in-office and WFH.

Restricting users while they are working in the office would be easy - I could just assign them static IPs and allow only those IPs access.

While WFH - our remote users receive an IP from the Check Point security gateway IP pool network that I have defined.  This IP pool is on a separate network than the internal users but is allowed access via access rules.

Currently we are not utilizing the Identity Awareness blade.  

I'm guessing that this may be the best solution?  

Can someone point me in the right direction?  We have a disaster recovery site that I can use for testing purposes. 

 

Thanks guys and gals.
11 Replies
the_rock
Legend

As they say Joe, you hit the nail on the head with the IA blade argument, and here is why. If you think about it logically, that's really the best feature of IA: it ALWAYS follows the user, regardless of what IP they are assigned. Without it, it's almost impossible to track those things. So, if Identity Awareness is not an option, then it sounds to me that you have to rely on what IP they get, but then again, if they are assigned an OM address from the pool, then most likely it would always be different when they connect.

Best,

Andy

Joe_Kanaszka
Advisor

Thanks Rock!  Given the small environment, how hard would it be to configure static IPs for the remote users via the $FWDIR/conf/ipassignment.conf?
the_rock
Legend

Man, that's my new nickname, Rock, among many I already have haha. Anyway, I don't think it's hard, but again, going back to what I said, to me it makes more sense to utilize the IA blade, so it goes by user name, no matter what their IP address is.

Best,

Andy (Rock)

Joe_Kanaszka
Advisor

HA!  Makes sense to me as well.  Thanks Andy (Rock)!   🙂

the_rock
Legend

You can also call me Mr Portokalo lol. That's because I do a Greek accent well haha, and it comes from my favorite movie "My Big Fat Greek Wedding". That's actually one of our Canadian women in it, Nia Vardalos.

Best,

Andy

Joe_Kanaszka
Advisor

Thanks again Andy!

the_rock
Legend

Happy to help mate!

Best,

Andy aka Rock aka Mr Portokalo

sbastani
Explorer

My Big Fat Greek Wedding was a great movie!

the_rock
Legend

Yes sir! 😉

Especially the speech Gus Portokalos gave when Toula got married 🤣🤣🤣

Best,

Andy

Chris_Atkinson
Employee

Identity Awareness or IP per user for Office Mode (e.g. $FWDIR/conf/ipassignment.conf) might be sufficient given the small scale here.

CCSM R77/R80/ELITE
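To make the ipassignment.conf route that Joe asked about and Chris mentions concrete, here is a constructed reservation file for a five-person department. It is an added illustration, not a file from this thread or from Check Point; the gateway name, user names, group name and addresses are placeholders, and it assumes the reserved addresses sit inside a range the existing rulebase already treats as the Office Mode pool.

```text
# $FWDIR/conf/ipassignment.conf  (constructed example, placeholder values)
# One line per user: the gateway that terminates the VPN, the entry type,
# the address (or range/net), and the user or group it is reserved for.
# A gateway name of "*" applies the line on every gateway it is installed on.
#
# Gateway      Type    IP address                 Reserved for
audit-gw       addr    10.20.30.11                auditor1
audit-gw       addr    10.20.30.12                auditor2
audit-gw       addr    10.20.30.13                auditor3
audit-gw       addr    10.20.30.14                auditor4
audit-gw       addr    10.20.30.15                auditor5
#
# Alternative: reserve one block for the whole group instead of five lines.
# audit-gw     range   10.20.30.11-10.20.30.15    AuditDept
```

The access rule then only needs a Source group holding these five addresses (or the range) and the audited network object as Destination, placed above the broader Office Mode pool rule; the file has to exist on every gateway or cluster member that terminates the remote access VPN, or users landing on another member get a pool address again.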
Joe_Kanaszka
Advisor

Thanks Chris!  Gotta think about this.  I'd rather not over-engineer a solution to solve a small issue, but if IA is easy to setup it may be worth it.
