CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

I currently have a rule in my SmartCenter specifying that a certain User Group is allowed SecuRemote access to a certain number of hosts using a certain set of protocols. I would like to set up a mail alert to be generated if a user tries to access other hosts than those allowed or if a user tries to use a protocol other than those allowed. How can I do this?

It is possible if you create a group for all SecuRemote users, then move all the Remote Access rules to the top of the rulebase. Create a cleanup rule for Remote Access after the Remote Access permit rules, for example:

Code:

    source       | destination | VPN          | service | action | track
    -------------|-------------|--------------|---------|--------|------
    SR-Users@any | SRV-GRP1    | RemoteAccess | http    | accept | log
    SR-Users@any | any         | RemoteAccess | any     | reject | mail

'column USER not empty' to get an impression of how many mails you will find in your mailbox.

Interesting, please do keep us posted on results. Sadly I don't "own" any Check Point now, so I can't really check or advise on this (since demo mode doesn't allow me to "Verify Policies"). One thing that will happen if you get this working is that you will get loads of emails. There will be broadcasts, mistakes, etc...

If you only accept Office Mode you can use the assigned network for an alert rule. Let's say you have assigned 192.168.10.0/24 as the Office Mode pool; you can make a rule like the following.

Code:

    source            | destination | VPN          | service | action | track
    ------------------|-------------|--------------|---------|--------|------
    SR-Users@any      | SRV-GRP1    | RemoteAccess | http    | accept | log
    Net_192.168.10-24 | any         | RemoteAccess | any     | reject | mail

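A small first-match model of the two-rule design from the two posts above (an added example, not code from the thread or from Check Point): the permit rule is on top, the cleanup rule below rejects and tracks with "mail", and the model shows which connections end up in the mailbox, including the broadcast case the second reply warns about. The server addresses, the SRV-GRP1 members, the user group name and the Office Mode pool are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's rule design (added example, not Check Point code).
OFFICE_MODE_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed Office Mode pool
SRV_GRP1 = {"10.1.1.10", "10.1.1.11"}                      # constructed SRV-GRP1 members

# Rule columns: src_users (identity group), src_net (address), dst, vpn, service,
# action, track. None means "any" for that column.
RULEBASE = [
    {"src_users": {"SR-Users"}, "src_net": None, "dst": SRV_GRP1, "vpn": "RemoteAccess",
     "service": {"http"}, "action": "accept", "track": "log"},
    # Cleanup rule keyed on the Office Mode network (second post's variant), so it also
    # catches traffic that carries no user identity, such as broadcasts.
    {"src_users": None, "src_net": OFFICE_MODE_NET, "dst": None, "vpn": "RemoteAccess",
     "service": None, "action": "reject", "track": "mail"},
]


def matches(rule, conn):
    """True if the connection matches every non-'any' column of the rule."""
    if rule["src_users"] is not None and conn["user_group"] not in rule["src_users"]:
        return False
    if rule["src_net"] is not None and ipaddress.ip_address(conn["src"]) not in rule["src_net"]:
        return False
    if rule["dst"] is not None and conn["dst"] not in rule["dst"]:
        return False
    if rule["vpn"] != conn["vpn"]:
        return False
    if rule["service"] is not None and conn["service"] not in rule["service"]:
        return False
    return True


def evaluate(conn):
    """First-match evaluation; anything unmatched falls to the implicit drop, untracked."""
    for rule in RULEBASE:
        if matches(rule, conn):
            return rule["action"], rule["track"]
    return "drop", "none"


def mail_alerts(conns):
    """Connections that would generate a mail alert, to size the expected mailbox load."""
    return [c for c in conns if evaluate(c)[1] == "mail"]


if __name__ == "__main__":
    # Constructed sample: allowed http, disallowed ssh, and a NetBIOS broadcast.
    sample = [
        {"user_group": "SR-Users", "src": "192.168.10.5", "dst": "10.1.1.10", "vpn": "RemoteAccess", "service": "http"},
        {"user_group": "SR-Users", "src": "192.168.10.5", "dst": "10.1.1.10", "vpn": "RemoteAccess", "service": "ssh"},
        {"user_group": None, "src": "192.168.10.5", "dst": "192.168.10.255", "vpn": "RemoteAccess", "service": "netbios-ns"},
    ]
    for c in sample:
        print(c["service"], "->", evaluate(c))
```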
Good thinking. I may be able to do something with this idea. I currently however have several different groups of SecuRemote users, some allowed access to the specific servers and other "groups" not. They all use the same Office Mode addresses. I need to think a bit more about this.

There is a way you can control the IP address of your users:
- with RADIUS; I have done this with IAS (use this only if the RADIUS is exclusive for CP and not also for other network devices)
- ipassignment.conf (sometimes needs a restart of CP, so not preferred)
- '$> vpn macutil username' and a reserved IP at the DHCP server for Office Mode (I use this at the moment)
That gives me also the wish to have a simple tool at the GUI station to generate the virtual MAC; if you use SPLAT you can do this at the moment only on the MGMT/FW module as expert.