CPUG: The Check Point User Group


Thread: User access role not working properly

  1. #1

    User access role not working properly

    Hi All,

    I was practicing with the Identity Awareness blade on a Check Point firewall. My lab deployment is as follows.

    SM - R80.10
    SG - R77.30

    Windows XP, Windows AD, Management server, Gateway --> all in one subnet (internal)
    External --> Internet

    Windows XP -
    SM -
    SG -

    AD is properly integrated with Check Point and Windows XP. I can log into XP through multiple accounts that are created in AD.

    In the network policy I created 2 user-based rules:

    1. Source (ABC user), Destination - Internet, Services - Any, Log, Permit
    2. Source (XYZ user), Destination - Internet, Services - Any, Log, Drop

    Both users log in through the same XP machine.

    When I test from the user machine, for example by logging in with the ABC account, I am able to reach the internet. Then I switch user and log into XP with the XYZ account, and I can still reach the internet.

    In the logs, rule 1 is matched. Ideally, for the XYZ account rule 2 should match, but that is not happening.

    Whichever account is used, rule 1 is always matched and the 2nd rule is never checked.

    Please guide.


  2. #2

    Re: User access role not working properly

    Do you have "Assume that only one user is connected per computer" checked? Gateway properties -> Identity Awareness -> Settings

  3. #3

    Re: User access role not working properly

    By default a user association will last for several hours; 720 min is, I think, the default.

    Unless you have "Assume that only one user is connected per computer" enabled, when the next user logs onto the machine the previous user remains associated.

    When the next user logs in, not only are they associated, but you will also see the 1st user still associated.

    The logs will show both users, which will confirm that this is what is happening.

    When there are multiple users associated like this, if one of the users is permitted, then that rule will match and access will be granted.
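To make the behaviour described in the two replies concrete, here is an added Python model written for this page; it is not Check Point code and does not call any Check Point API. It replays the poster's scenario twice: once with identity associations accumulating on the XP host's IP (the default described above, with the quoted 720 min timeout) and once with "Assume that only one user is connected per computer" enabled, then runs a top-down first-match rule base over the identities the gateway would see. The host address, timestamps and the cleanup rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the behaviour described in this thread. It is NOT Check Point
# code; the timeout value (720 min) is the default quoted in reply #3 above.
DEFAULT_SESSION_TIMEOUT = timedelta(minutes=720)


@dataclass
class Association:
    user: str
    expires: datetime


@dataclass
class IdentityTable:
    """IP -> users the gateway currently believes are logged on at that IP."""
    single_user_per_computer: bool = False   # the gateway setting named in reply #2
    timeout: timedelta = DEFAULT_SESSION_TIMEOUT
    table: Dict[str, List[Association]] = field(default_factory=dict)

    def login(self, ip: str, user: str, now: datetime) -> None:
        entry = Association(user, now + self.timeout)
        if self.single_user_per_computer:
            # New login replaces whatever was associated with this IP before.
            self.table[ip] = [entry]
        else:
            # Default: associations accumulate until each one times out.
            others = [a for a in self.table.get(ip, []) if a.user != user]
            self.table[ip] = others + [entry]

    def identities(self, ip: str, now: datetime) -> Set[str]:
        """Live (unexpired) identities for an IP; expired ones are purged."""
        live = [a for a in self.table.get(ip, []) if a.expires > now]
        self.table[ip] = live
        return {a.user for a in live}


@dataclass
class Rule:
    number: int
    role_members: Set[str]   # empty set means "Any" source
    action: str              # "accept" or "drop"


def match_rule(rules: List[Rule], src_identities: Set[str]) -> Optional[Rule]:
    """First-match, top down. A user-based rule matches when ANY identity
    currently associated with the source IP is a member of its access role."""
    for rule in rules:
        if not rule.role_members or rule.role_members & src_identities:
            return rule
    return None


def simulate(single_user_per_computer: bool) -> List[Tuple[int, List[str]]]:
    """Replay the poster's scenario: ABC logs on, then XYZ switches user on the
    same XP host, then the clock passes ABC's 720 min timeout. Returns, for each
    step, (matched rule number, identities the gateway saw on the host)."""
    rules = [
        Rule(1, {"ABC"}, "accept"),   # rule 1 from the post
        Rule(2, {"XYZ"}, "drop"),     # rule 2 from the post
        Rule(3, set(), "drop"),       # implicit cleanup rule (assumed)
    ]
    xp_host = "10.0.0.5"              # constructed sample address
    t0 = datetime(2018, 1, 1, 9, 0)   # constructed sample time
    idt = IdentityTable(single_user_per_computer=single_user_per_computer)
    steps: List[Tuple[int, List[str]]] = []

    def evaluate(now: datetime) -> None:
        ids = idt.identities(xp_host, now)
        matched = match_rule(rules, ids)
        steps.append((matched.number, sorted(ids)))

    idt.login(xp_host, "ABC", t0)
    evaluate(t0)                                  # ABC browsing
    idt.login(xp_host, "XYZ", t0 + timedelta(minutes=5))
    evaluate(t0 + timedelta(minutes=5))           # XYZ browsing after switch user
    evaluate(t0 + timedelta(minutes=721))         # ABC's association has expired
    return steps


if __name__ == "__main__":
    print("default (associations accumulate):", simulate(False))
    print("one user per computer:            ", simulate(True))
```

With the default behaviour the second step shows both ABC and XYZ on the host and rule 1 still matching, which is exactly the symptom in the first post; only after ABC's association times out does rule 2 fire. With the single-user setting the XYZ login replaces ABC and rule 2 matches immediately. The logs in the model (the identity set per step) are the same evidence reply #3 suggests checking.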
