topic Re: Endpoint Connect VPN Compliance and scanning for Spyware in SASE and Remote Access

Endpoint Connect VPN Compliance and scanning for Spyware

Blason_R — Thu, 08 Aug 2019 03:38:53 GMT

Hi there,

I wanted to enable basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office mode users and not SNX.

I guess and per my understanding, I don't need to have any licenses since I already have purchased 50 user Endpoint VPN/office mode licenses. So, by enabling "Scan Endpoint for spyware and compliance" in Global properties -> Remote Access -> Endpoint Connect and defining policies should suffice my need.

Or do I need to activate any other settings to make these settings enforce for the users?

Please confirm.

TIA

Blason R

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Mon, 12 Aug 2019 00:50:53 GMT

I believe that should suffice here.
However, that will only work if the endpoints have the full Endpoint client installed (as opposed to Check Point Mobile or SecuRemote).

Re: Endpoint Connect VPN Compliance and scanning for Spyware

Lesther_Reyes — Fri, 20 Mar 2020 04:35:40 GMT

To use mobile access compliance, you need to enter via web sslvpn only. In other words, you cannot apply a compliance policy or Secure WorkSpace with the VPN client for Windows.

Re: Endpoint Connect VPN Compliance and scanning for Spyware

Lesther_Reyes — Fri, 20 Mar 2020 04:59:40 GMT

In you enter on global properties/Remote Access/Endpoint Connect:

This feature only apply for CheckPoint GO Clients.

I have tested it by activating it for EndPoint Security and Mobile Client for windows and it does not work.

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Fri, 20 Mar 2020 05:01:42 GMT

There is a separate Compliance framework for Endpoint VPN clients managed by an Endpoint Security Server.
That does require appropriate licensing

Re: Endpoint Connect VPN Compliance and scanning for Spyware

Blason_R — Fri, 20 Mar 2020 05:08:30 GMT

Hello,

So to clear the confusion - ESOD for mobile access blade will not work for Endpoint Client? And then there is a separate solution for Endpoint Client to maintain the compliance? Can I know what that solutions is? so that we can evaluate in our lab?

TIA

Blason R

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Fri, 20 Mar 2020 05:39:49 GMT

Yes, ESOD is for Mobile Access Blade and NOT for Endpoint Client.
The Endpoint version of this is called Compliance Blade.
You can read about it here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk162635

Re: Endpoint Connect VPN Compliance and scanning for Spyware

Blason_R — Fri, 20 Mar 2020 05:43:30 GMT

Oh! This is EPM, so to achieve we need to have EPM licenses as well for Endpoint VPN clients connecting from home using office mode?

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Fri, 20 Mar 2020 05:55:12 GMT

Correct.
The other option is to use SCV which can be distributed from the Security Gateway but uses a different mechanism.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147416

Re: Endpoint Connect VPN Compliance and scanning for Spyware

Lesther_Reyes — Fri, 20 Mar 2020 06:55:04 GMT

But ESOD Mobile is only for mobile ssl web not for client windows.

Client-based - Client application installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.
Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
On demand client - Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.

Re: Endpoint Connect VPN Compliance and scanning for Spyware

Myx — Fri, 18 Dec 2020 09:01:06 GMT

What exactly is the difference between these two options and what would you recommend for which scenario?

Re: Endpoint Connect VPN Compliance and scanning for Spyware

the_rock — Thu, 20 May 2021 19:28:47 GMT

@PhoneBoy ..just wondering, I dont see that global property option in R81 mgmt server. Was it removed by design and if so, is there another place where it can be configured?

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Thu, 20 May 2021 20:18:45 GMT

It's been removed, but likely for good reason.

What pops up when I click on the "Configure" button next to "Scan Endpoint for spyware and compliance" on R80.40 is Endpoint Security on Demand.
The documentation says ESOD is for SNX connections in particular, which makes sense since the other VPN clients have other ways to do posture checking (SCV or Endpoint Compliance).
And yes, if you want to use this compliance checking for SNX, you can configure it in Mobile Access.

SNX is tied to Mobile Access these days.
That said, we also support the use of SNX without Mobile Access and have a portal on the gateway where a client can activate SNX from.
I presume this has existed since the Connectra days.

For both MAB and the classic SNX portal, deployment of SNX/ESOD requires a browser plugin (Java or ActiveX), both of which have been deprecated by the various browser makers.
In Mobile Access, we created a new deployment agent that doesn't require plugins, but still requires Java on the client.
That's described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410
This is integrated into the product from R80.40 onward.

The classic SNX portal still uses the old deployment methodology, and from what I can tell, there are no plans to update it.
Which basically means: that property is not terribly useful, which is likely why that particular Global Property was removed.

Bottom line: if you want to do client posture checking, you have three options:

SCV (supported in Check Point Mobile and Endpoint Security VPN)
Endpoint Compliances (supported in Endpoint Security VPN)
Endpoint Security on Demand (supported with SNX and Mobile Access Blade)

Re: Endpoint Connect VPN Compliance and scanning for Spyware

the_rock — Thu, 20 May 2021 20:41:30 GMT

Thanks D. What do you recommend in this case for sandblast/endpoint VPN? Global property for SCV? That would apply in this case? If so, I dont see any option there for scanning before connecting to vpn. Anyway, we opened official tac case to get an answer on it!

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Thu, 20 May 2021 20:52:55 GMT

The answer is "it depends."
Endpoint Compliance works on Windows and Mac but requires a full Endpoint license (SBA/Harmony/legacy ACCESS license).
SCV works on Windows clients only (I believe Mac is planned) but also works on Check Point Mobile.
In both cases, it will allow connection, but if you're not compliant, you can be blocked from accessing all but specific resources (i.e. for Remediation purposes).

Re: Endpoint Connect VPN Compliance and scanning for Spyware

the_rock — Thu, 20 May 2021 20:58:00 GMT

So for SCV, can it be used for sandblast, as well as endpoint VPN clients?

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Thu, 20 May 2021 21:01:57 GMT

Yes, assuming that client includes Remote Access.
The actual SCV rules are stored on the gateway itself (local.scv).
Which means the SCV checks can't be executed until the client is actually connected to the gateway via Remote Access.

Endpoint Compliance can operate independently of being connected to the gateway via Remote Access.

Re: Endpoint Connect VPN Compliance and scanning for Spyware

the_rock — Thu, 20 May 2021 21:19:17 GMT

I will have to look into it, as I cant recall now if that endpoint compliance is actual fw blade or just global property check.

Re: Endpoint Connect VPN Compliance and scanning for Spyware

PhoneBoy — Thu, 20 May 2021 21:20:23 GMT

Endpoint Compliance is a separate Endpoint blade.

Re: Endpoint Connect VPN Compliance and scanning for Spyware

the_rock — Thu, 20 May 2021 22:02:00 GMT

I guess thats probably enabled on endpoint side, as I dont see it anywhere on the fw...