We have attempted to do something which I expected to work and has not. Can anyone see a flaw in my plan here...
R80.10 (jumbo 103) management server
R77.30 gateway cluster
R77.30 second line firewall cluster to a more secured network zone
There's a shared LAN in-between the two clusters.
All routing etc. is all fine, this is just about Access roles and user identity.
We have (currently working) Mobile VPN (SSL) users with a native application rule allowing a user to Remote Admin (Famatech Ramin) or RDP through the Internet gateway cluster, where the connection is decrypted and then routed via the shared LAN to the second line cluster, where we have a rule allowing the *entire* Office Mode Pool to access a server within that more secure zone. This is working fine.
What we wanted to do today was to limit that access on the second pair to specific users. Traditionally I would have used ipassigment.conf to allocate specific users an IP address, created objects for these and used them on the second line firewalls. We wanted to be more 'up to date' and use access roles to achieve this in a better and more manageable way.
We enabled Identity Awareness on the second line firewalls, unticked all methods with the exception of Identity Sharing *from* the gateway cluster. We created an Access Role with a *LOCAL* Check Point user group as the 'users' and the Office Mode IP Pool as the network. and added this to a rule that looks like this:
We see the connection come through the gateway cluster and get decrypted, then we see it reach the second line cluster but the rule does not seem to be applied, even thought the username *is* recognised and logged.
I have redacted the username here but it is the same in both fields on both log entries. You can see from the ORIGIN that the connection is allowed, and decrypted by fwl-0001 and then the second line firewall fwl-0010 drops it (at the cleanup rule).
Should this work?
Any thoughts on why it doesn't would be much appreciated.