topic Re: Disabling all traces of SSL VPN portal in Mobile

Disabling all traces of SSL VPN portal

Joe_Kanaszka — Mon, 03 Feb 2025 16:58:11 GMT

Hey guys.

Question.

We are going to undergo an external vuln scan & pen test in the next month and I'd like to make sure my gateway is as "clean" as can be.

I've recently turned off the SSL VPN portal by simply unticking the options under "VPN Clients" (Other) and Mobile Access (Web).

We are only using the Check Point Mobile IPsec client.

So now in my testing when I go to https://ipaddress of gateway/sslvpn or /admin or /dlp, I receive an error page that basically says:

Error (in red) - the service is no longer offered...With my old SSL VPN site banner on top of the page.

No big deal I suppose but I'd like the user to just receive a "Not Found" page.

I found the option under "Mobile Access" / "Portal Settings" that allows you to specify how the portal is accessible:

"Accessibility" / "The portal is accessible only through internal interfaces" - changed from "Through all interfaces"

Once I specify that the portal is only accessible through internal interfaces, now in my testing I see a "Not Found" page.

Of course this does not solve the issue if someone does an internal scan, then they'll see that error page again - again, not sure If I'm making a bigger deal out of this than is warranted. There is no input allowed on the warning page. There are no services offered in the portal.

FYI - I tried creating a SAM rule that blocks all external traffic to port 443 on the gateway but that broke my ability to create sites to the gateway via my Check Point Mobile client. Existing sites worked fine - I just could not create new sites until the SAM rule was disabled.

Thoughts?

Re: Disabling all traces of SSL VPN portal

the_rock — Mon, 03 Feb 2025 17:46:33 GMT

Is mobile access blade enabled?

Andy

Re: Disabling all traces of SSL VPN portal

Joe_Kanaszka — Mon, 03 Feb 2025 20:03:12 GMT

Afternoon Andy! Apologies for the late response. Yes. We need it for Check Point Mobile client VPN access for WFH.

Re: Disabling all traces of SSL VPN portal

the_rock — Mon, 03 Feb 2025 20:37:34 GMT

What does below look like?

Andy

Re: Disabling all traces of SSL VPN portal

Joe_Kanaszka — Mon, 03 Feb 2025 20:41:46 GMT

Just "Desktops / Laptops" is checked.

Re: Disabling all traces of SSL VPN portal

the_rock — Mon, 03 Feb 2025 20:52:55 GMT

Is SNX greyed out but checked or is it unchecked?

Andy

Re: Disabling all traces of SSL VPN portal

Joe_Kanaszka — Mon, 03 Feb 2025 21:07:11 GMT

Unchecked

Re: Disabling all traces of SSL VPN portal

the_rock — Mon, 03 Feb 2025 21:46:52 GMT

There was recent post about this where someone else asked very similar question. I believe @PhoneBoy responded saying that MAB had to be unchecked for this to work properly, but I could be mistaken. let me see if I can find the link.

Andy

Re: Disabling all traces of SSL VPN portal

PhoneBoy — Tue, 04 Feb 2025 03:12:47 GMT

Yes, the VPN client uses TCP Port 443 for creating the new site as well as Visitor Mode.
Blocking that port externally prevents these things from working.

What's answering the query is Multiportal where /sslvpn is redirected to the relevant web server for Mobile Access (if it is enabled).

Re: Disabling all traces of SSL VPN portal

emacias-pronet — Thu, 06 Nov 2025 16:48:16 GMT

Hi, we have a scenario very similar than this but explicit rules are not working yet. We have blocking rules for traffic coming and going to certain countries, but logs says that connections are accepted from one of those forbidden countries and accepted by a Implicit Rule.

I viewed on the Global Properties and I saw that all control connection are enabled. Does one of those rules may be the reason of this?

Re: Disabling all traces of SSL VPN portal

PhoneBoy — Thu, 06 Nov 2025 21:14:24 GMT

It's an Implied Rule accepting this traffic, yes.
If you want to do county-specific blocking of this traffic, see: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396