This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
‎2023-12-21 09:41 AM
Jump to solution

Need to create an access control policy to restrict access to a network object

Good morning!  I need some advice and guidance.  I've been tasked with restricting access to a network object to a small group of department users for auditing purposes.  The access rule should permit access to this object only to members of this department.

We are a small shop of 25 users.  The department that should be allowed access has 5 members.

We are in a hybrid environment - both in-office and WFH.

Restricting users while they are working in the office would be easy - I could just assign them static IPs and allow only those IPs access.

While WFH - our remote users receive an IP from the Check Point security gateway IP pool network that I have defined.  This IP pool is on a separate network than the internal users but is allowed access via access rules.

Currently we are not utilizing the Identity Awareness blade.  

I'm guessing that this may be the best solution?  

Can someone point me in the right direction?  We have a disaster recovery site that I can use for testing purposes. 

 

Thanks guys and gals.

 

 

 

 

 

 

 

Labels
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2023-12-21 01:55 PM
In response to Joe_Kanaszka
Jump to solution

Man, thats my new nickname, Rock, among many I already have haha. Anyway, I dont think its hard, but again, going back to what I said, to me, it makes more sense to utilize IA blade, so it goes by user name, no matter what their IP address is.

Best,

Andy (Rock)

Best,
Andy

View solution in original post

(1)
11 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-12-21 10:14 AM
Jump to solution

As they say Joe, you hit the nail on the head with IA blade argument and here is why. If you think about it logically, thats really the best feature of IA, it ALWAYS follows the user, regardless what IP they are assigned. Without it, its almost impossible to track those things. So, if identity awareness is not an option, then sounds to me that you have to rely on what IP they get, but then again, if they are assigned OM address from the pool, then most likely, it would always be different when they connect.

Best,

Andy

Best,
Andy
Joe_Kanaszka
Advisor
‎2023-12-21 01:41 PM
In response to the_rock
Jump to solution

Thanks Rock!  Given the small environment, how hard would it be to configure static IPs for the renmote users via the $FWDIR/conf/ipassignment.conf?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-12-21 01:55 PM
In response to Joe_Kanaszka
Jump to solution

Man, thats my new nickname, Rock, among many I already have haha. Anyway, I dont think its hard, but again, going back to what I said, to me, it makes more sense to utilize IA blade, so it goes by user name, no matter what their IP address is.

Best,

Andy (Rock)

Best,
Andy
(1)
Joe_Kanaszka
Advisor
‎2023-12-21 01:57 PM
In response to the_rock
Jump to solution

HA!  Makes sense to me as well.  Thanks Andy (Rock)!   🙂

the_rock
MVP Platinum
MVP Platinum
‎2023-12-21 02:05 PM
In response to Joe_Kanaszka
Jump to solution

You can also call me Mr Portokalo lol. Thats cause I do Greek accent well haha and it comes from my favorite movie "My big fat Greek wedding". Thats actually one of our Canadian women in it, Nia Vardalos.

Best,

Andy

Best,
Andy
Joe_Kanaszka
Advisor
‎2023-12-21 02:07 PM
In response to the_rock
Jump to solution

Thanks again Andy!

 

 

(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-12-21 02:09 PM
In response to Joe_Kanaszka
Jump to solution

Happy to help mate!

Best,

Andy aka Rock aka Mr Portokalo

Best,
Andy
0 Kudos
sbastani
Explorer
‎2023-12-22 12:02 PM
In response to the_rock
Jump to solution

My Big Fat Greek Wedding was a great movie!

(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-12-22 12:05 PM
In response to sbastani
Jump to solution

Yes sir! 😉

Specially the speech Gus Portokalos gave when Toula got maried 🤣🤣🤣

Best,

Andy

Best,
Andy
(1)
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-12-21 01:12 PM
Jump to solution

Identity Awareness or IP per user for Office mode e.g. ( $FWDIR/conf/ipassignment.conf ) might by sufficient given the small scale here.

CCSM R77/R80/ELITE
Joe_Kanaszka
Advisor
‎2023-12-21 01:39 PM
In response to Chris_Atkinson
Jump to solution

Thanks Chris!  Gotta think about this.  I'd rather not over-engineer a solution to solve a small issue, but if IA is easy to setup it may be worth it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events