This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nmelay
Contributor
‎2022-03-08 10:46 AM

Identity Agent IP exclusion

Hi all,

One of my customers recently started using a new remote access solution (from another vendor), which terminates on two "connectors" inside the corporate network.
Some of these remote users are also running the Identity Agent on their computer.
From the gateways's perspective, all of them are sharing the same two internal IP addresses.
This group of Identity Agents are thus competing for these IP's ownership, and make IA go crazy on the gateway.

I know the Identity Collector can be configured to exclude/ignore some specific IPs.
As far as I can see, no such provision has been made for the Identity Agent.

I guess I could try to solve this by blocking the Identity Agent from connecting to the gateway.
Is there a cleaner and more elegant way to do it?

0 Kudos
3 Replies
Chris_Atkinson
Employee
Employee
‎2022-03-08 05:02 PM

Consult with TAC if the workaround proposed in sk111374 is valid for your use case (or self test).

0 Kudos
nmelay
Contributor
‎2022-03-08 05:53 PM
In response to Chris_Atkinson

Thanks Chris for checking on this.
This SK seems unrelated though: it's about AD Query conflicting with Identity Agent, and how to prevent it from doing so.
Here, only Identity Agents are in use.

In this setup, I actually want to disable any form of IA from occurring from the connectors IPs, as the user access policy security is handled by the third party product.
A few users just happen to be running the Identity Agent on their computers (so that they get correctly identified when they're  actually on site, vs remotely connected).

Is seems like the only identity sources that allow any kind of filtering are AD Query and Identity Collector.

Then again, I guess I just need to prevent the Identity Agent from being able to reach the gateway in the first place.
I'll just try this before getting involved with TAC.

0 Kudos
Tobias_Moritz
Advisor
‎2022-03-11 06:57 AM
In response to nmelay

Not sure if this works, but have you tried setting gateway properties -> Identity Awareness -> Identity Agent Settings -> Agent Access -> Accessibility: "According to the Firewall policy" in combination with appropriate rules allowing your on-site client networks and denying these twoe remote access connector IPs?

If this does not work because of implied rules, maybe you can disable implied rule for "Accept Identity Awareness control connections" in Global Properties -> Firewall and configure all needed rules for your Identity Awareness setup manually (including rules for Identity Sharing if in use)?

0 Kudos