Hi all,
One of my customers recently started using a new remote access solution (from another vendor), which terminates on two "connectors" inside the corporate network.
Some of these remote users are also running the Identity Agent on their computer.
From the gateway's perspective, all of them are sharing the same two internal IP addresses.
This group of Identity Agents is thus competing for ownership of these IPs, and makes IA go crazy on the gateway.
I know the Identity Collector can be configured to exclude/ignore some specific IPs.
As far as I can see, no such provision has been made for the Identity Agent.
I guess I could try to solve this by blocking the Identity Agent from connecting to the gateway.
Is there a cleaner and more elegant way to do it?
Consult with TAC if the workaround proposed in sk111374 is valid for your use case (or self test).
Thanks Chris for checking on this.
This SK seems unrelated though: it's about AD Query conflicting with Identity Agent, and how to prevent it from doing so.
Here, only Identity Agents are in use.
In this setup, I actually want to disable any form of IA from occurring from the connectors' IPs, as the user access policy security is handled by the third party product.
A few users just happen to be running the Identity Agent on their computers (so that they get correctly identified when they're actually on site, vs remotely connected).
It seems like the only identity sources that allow any kind of filtering are AD Query and Identity Collector.
Then again, I guess I just need to prevent the Identity Agent from being able to reach the gateway in the first place.
I'll just try this before getting involved with TAC.
Not sure if this works, but have you tried setting gateway properties -> Identity Awareness -> Identity Agent Settings -> Agent Access -> Accessibility: "According to the Firewall policy" in combination with appropriate rules allowing your on-site client networks and denying these two remote access connector IPs?
If this does not work because of implied rules, maybe you can disable implied rule for "Accept Identity Awareness control connections" in Global Properties -> Firewall and configure all needed rules for your Identity Awareness setup manually (including rules for Identity Sharing if in use)?