This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jb1
Contributor
Contributor
‎2023-10-09 03:45 AM

Managment interface - administrator access to GW

Hello mates,

 

I'm looking for a way to create a "trusted clients" list to populate on full Gaia. Kinda like the "Administrator access"  in SMB devices. I have FWs on cca 100 diffrent locations. Some od those locations don't have IT staff capable of other tasks than switching cable from one device to new one. So if SIC is successful than great but if not... Need a way to have acces to remote GWs regardless if policy is installed.

Br

 

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2023-10-09 04:22 AM

There is a way to allow WebUI/SSH connectivity to the GW from trusted IPs.

Go to Gaia WebUI, switch to Advanced view, then go to System Management / Host Access

Screenshot 2023-10-09 at 13.19.00.png

Add clients that should be allowed to connect to the GW. 

0 Kudos
jb1
Contributor
Contributor
‎2023-10-09 04:26 AM
In response to _Val_

Hey Val,

thank you for prompt replay. Tried this before postig my question, sadly it doesn't work. Meaning security policy is processed, before this list. As we can see from the picture, default is "Any"

 

Br

0 Kudos
_Val_
Admin
Admin
‎2023-10-09 04:59 AM
In response to jb1

Partially correct.

These rules define limited access through the"Management" interface only, regardless of the policy, if you do not disable the implied rules.

Check if you want to redefine internet facing IF as MANAGEMENT. Lab trials are highly recommended. 

0 Kudos
jb1
Contributor
Contributor
‎2023-10-09 06:48 AM
In response to _Val_

Hm, OK after some testing in lab I came to the following conclusion and questions:

 

- CP admin guides must provide more specific intention of the managment interface and its usage

-meaning GW uses allowed hosts table only when initial policy is loaded, after you install security policy, packet flow to GW is process via policy rules (that was my understaning of the usage of the specific table )

 

Regardnign impled rules- is there an implied rule to process the "allowed hosts" table first? If so could you point me in the right direction.

 

Check if you want to redefine internet facing IF as MANAGEMENT -  to my understanding this sould be the case on all WAN only accesible GWs. OR is there any security limitations? After policy is installed and GW object is defined as destination in security policy, GW is accesible via all interfaces.

 

So I guess this solve my problem when connecting a new GW, after that if policy is in order access should work.

Br

the_rock
Legend
Legend
‎2023-10-09 05:09 AM

What @_Val_ gave you is only thing Ima ware of as well. Otherwise, policy from the management would come into an effect.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events