
User Access Roles and identity sharing in R77.30

Question asked by John Fenoughty on May 18, 2018
Latest reply on May 21, 2018 by Dameon Welch Abernathy

We have attempted to do something which I expected to work and has not. Can anyone see a flaw in my plan here...

R80.10 (jumbo 103) management server

R77.30 gateway cluster

R77.30 second line firewall cluster to a more secured network zone


There's a shared LAN in-between the two clusters.


All routing etc. is fine; this is just about Access Roles and user identity.


We have (currently working) Mobile VPN (SSL) users with a native application rule allowing a user to Remote Admin (Famatech Radmin) or RDP through the Internet gateway cluster, where the connection is decrypted and then routed via the shared LAN to the second line cluster, where we have a rule allowing the *entire* Office Mode Pool to access a server within that more secure zone. This is working fine.


What we wanted to do today was to limit that access on the second pair to specific users. Traditionally I would have used ipassignment.conf to allocate specific users an IP address, created objects for these and used them on the second line firewalls. We wanted to be more 'up to date' and use Access Roles to achieve this in a better and more manageable way.


We enabled Identity Awareness on the second line firewalls and unticked all methods with the exception of Identity Sharing *from* the gateway cluster. We created an Access Role with a *LOCAL* Check Point user group as the 'users' and the Office Mode IP Pool as the network, and added this to a rule that looks like this:


We see the connection come through the gateway cluster and get decrypted, then we see it reach the second line cluster, but the rule does not seem to be applied, even though the username *is* recognised and logged.


I have redacted the username here, but it is the same in both fields on both log entries. You can see from the ORIGIN that the connection is allowed and decrypted by fwl-0001, and then the second line firewall fwl-0010 drops it (at the cleanup rule).


Should this work?


Any thoughts on why it doesn't would be much appreciated.
