Creating Access Roles
After you enable Identity Awareness (the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) on the Security Gateway (see Enabling Identity Awareness on the Security Gateway), you create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules.
You can use Access Role objects as the source and/or destination parameter in a rule (a set of traffic parameters and other conditions in a Rule Base, the Security Policy, that cause specified actions to be taken for a communication session). Access Role objects can include one or more of these objects:
- Networks
- Users and user groups
- Computers and computer groups
- Remote Access clients
To create an Access Role object:
1. In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), open the Object Explorer (press the CTRL+E keys).
2. Click New > Users > Access Role.
   The New Access Role window opens.
3. Enter a Name and Comment (optional).
4. On the Networks page, select one of these:
   - Any network.
   - Specific networks - Click the plus [+] sign and select a network > click the plus [+] sign next to the network name, or search for a known network.
5. On the Users page, select one of these:
   - Any user.
   - All identified users - Includes users identified by a supported authentication method.
   - Specific users/groups - Click the plus [+] sign and select a user > click the plus [+] sign next to the username, or search for a known user or user group.
6. On the Machines page, select one of these:
   - Any machine.
   - All identified machines - Includes computers identified by a supported authentication method.
   - Specific machines/groups - Click the plus [+] sign and select a device > click the plus [+] sign next to the device name, or search for a known device or group of devices.
   For computers that use Full Identity Agents, you can select (optional) Enforce IP Spoofing protection.
7. On the Remote Access Clients page, select one of these:
   - Any Client.
   - Specific Client - Select the current allowed client, or create a new allowed client.
   Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.
8. Click OK.
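The same object can be created without the GUI through the Check Point Management API. The script below is an added example, not Check Point's own code: it builds the request body for an `add access-role` call from the four choices the procedure above describes (Networks, Users, Machines, Remote Access Clients) and refuses combinations the page rules out, in particular a specific Remote Access Client on an Identity Awareness Gateway of version R77.xx or lower. The field names `name`, `comments`, `networks`, `users`, `machines` and `remote-access-clients`, the literal values `any` and `all identified`, and the `source`/`selection` shape for specific users and machines are my understanding of the Management API and should be confirmed against the API reference for your release; the object names (`Finance-LAN`, `AD-Corp`, `Finance`, `Endpoint-VPN`) are constructed sample values.

```python
"""Build and sanity-check a Management API 'add access-role' request body.

Added example (not Check Point code). Field names and literal values are
assumptions about the Management API; object names are constructed samples.
"""
import json
import re


class AccessRoleError(ValueError):
    """Raised when the requested Access Role contradicts a rule on the page."""


def gateway_requires_any_client(version):
    """Return True for Identity Awareness Gateways R77.xx or lower.

    The page notes that such gateways only support 'Any Client' on the
    Remote Access Clients page. Versions are strings such as 'R77.30' or 'R81.20'.
    """
    match = re.match(r"R(\d+)", version.strip())
    if not match:
        raise AccessRoleError(f"unrecognised gateway version {version!r}")
    return int(match.group(1)) <= 77


def _networks_choice(value):
    """Networks page: 'any' or a non-empty list of network object names."""
    if value == "any":
        return "any"
    if isinstance(value, list) and value and all(isinstance(v, str) and v for v in value):
        return list(value)
    raise AccessRoleError(f"networks must be 'any' or a list of names, got {value!r}")


def _identity_choice(value, page):
    """Users/Machines page: 'any', 'all identified', or (source, selection) pairs.

    'source' is the Identity Source (for example an AD domain object) and
    'selection' the user, group, machine or machine group inside it (assumed API shape).
    """
    if value in ("any", "all identified"):
        return value
    if isinstance(value, list) and value:
        entries = []
        for item in value:
            if not (isinstance(item, tuple) and len(item) == 2 and all(item)):
                raise AccessRoleError(f"{page}: expected (source, selection) pairs, got {item!r}")
            entries.append({"source": item[0], "selection": item[1]})
        return entries
    raise AccessRoleError(f"{page} must be 'any', 'all identified' or a list of pairs")


def build_access_role(name, networks="any", users="any", machines="any",
                      remote_access_clients="any", gateway_version="R81.20",
                      comments=""):
    """Return the JSON body for 'add access-role' after applying the page's rules."""
    if not name:
        raise AccessRoleError("an Access Role needs a Name")
    # Page note: R77.xx or lower gateways must use 'Any Client'.
    if remote_access_clients != "any" and gateway_requires_any_client(gateway_version):
        raise AccessRoleError(
            f"gateway {gateway_version} is R77.xx or lower: select Any Client, "
            f"not {remote_access_clients!r}")
    return {
        "name": name,
        "comments": comments,
        "networks": _networks_choice(networks),
        "users": _identity_choice(users, "users"),
        "machines": _identity_choice(machines, "machines"),
        # 'any' or the name of an allowed Remote Access Client object (assumed).
        "remote-access-clients": remote_access_clients,
    }


if __name__ == "__main__":
    # Constructed sample: finance users on the finance LAN, any identified machine.
    body = build_access_role(
        "Finance-Users",
        networks=["Finance-LAN"],
        users=[("AD-Corp", "Finance")],
        machines="all identified",
        comments="Finance staff from the Finance LAN",
    )
    print(json.dumps(body, indent=2))
```

The returned dictionary is what you would POST to the `add-access-role` endpoint (or pass, flattened, to `mgmt_cli add access-role`); keeping the version check in the builder means a role that the gateway cannot enforce is rejected before policy installation rather than discovered afterwards.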