topic Re: Compliance blade Endpoint security client in SASE and Remote Access

Compliance blade Endpoint security client

ajax — Tue, 17 Dec 2024 17:13:48 GMT

Hi all!

I try to configure Compliance Policy for remote access VPN clients (endpoint security) in my LAB network, and have some troubles with this. My lab: Checkpoint Cluster 81.10 , JHF take 170

I create Compliance policy, where define, for what users this policy must work. In this policy i check Antivirus (McAffee for test), and set Action "Restrict" , if client machine don't have Antivirus McAffee.

Ok, after that i create endpoint client package, deploy it to client machine, install, and try to check, how it's work.

But.. It's not work..

What i have now:

Endpoint Client connect to CP by VPN (it's work!)

Client had check for compliance (for enabled blades). After i see, that client not compliante, because don't have McAffee AV. And after 5 minutes (5 heartbeat * 60 seconds), client change state to Restricted.

But!

Client still has access to internal network!! And after 5 minutes and after 10 minutes and so on

Nobody change, the internal network remains available.

What i did incorrectly?

I check documectation , and found that (in Harmony Endpoint Administration guide https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-Common-for-HEP/Connected-Disconnected-Restricted-Rules.htm)

Restricted state rule is enforced when an endpoint computer is not in compliance with the enterprise security requirements. In this state, you usually choose to prevent users from accessing some, if not all, network resources. You can define a Restricted policy for only some of the Endpoint Security components

Where Compliance don't have Restricted actions.

Is this mean, that Restricted Action don't work for Compliance Rules??

I hope somebody can explain me, how it work..

Re: Compliance blade Endpoint security client

PhoneBoy — Wed, 18 Dec 2024 01:05:58 GMT

I'd start here to understand how this works: https://support.checkpoint.com/results/sk/sk162635

Re: Compliance blade Endpoint security client

ajax — Thu, 19 Dec 2024 11:33:12 GMT

Thank you for answer!

But, i read this sk, and still don't understand, why this function don't work?

My VPN-client now Restricted by compliance blade, but anyway has access to internal network through VPN (icmp and rdp as minimum). Why this access not blocked?!

Re: Compliance blade Endpoint security client

PhoneBoy — Thu, 19 Dec 2024 21:15:11 GMT

Have you configured any of the settings here?

Re: Compliance blade Endpoint security client

ajax — Fri, 20 Dec 2024 08:59:47 GMT

Option "Apply Secure Configuration Verification" is not enabled.

In my Compliance config , i use "VPN client verification process will use Endpoint Security Compliance" (not VPN SCV compliance), therefore i think that "Apply Secure Configuration Verification" don't needed.

Or needed?

Re: Compliance blade Endpoint security client

PhoneBoy — Fri, 20 Dec 2024 21:29:11 GMT

I agree, that might not be the right place.
What policy do you have for Restricted?
This is where you define what your clients can do when they are in a Restricted state.

Re: Compliance blade Endpoint security client

ajax — Fri, 20 Dec 2024 22:30:43 GMT

Wow, i don't have Harmony Endpoint Server 😕

I have just CheckPoint 81.10 (JHF take 170) with Evaluate License and enabled blades:

On SMS:

Endpoint Policy Management

Compliance

On SG:

IPSEC VPN (with Policy Server)

Mobile Access

And i thoght this blades enough for deploying Harmony Endpoint Client to remote users and Compliance check..

I need Harmony Endpoint Server product additionally? Without him it's can't work?

Re: Compliance blade Endpoint security client

PhoneBoy — Mon, 23 Dec 2024 20:19:36 GMT

Because you are using an eval license AND enabled Endpoint Policy Management, you do, in fact, have Endpoint Management. 😉
Endpoint is managed with SmartEndpoint and/or a separate WebUI.
The screenshot I showed was from Infinity Portal, but I believe it's similar on the local WebUI.

Compliance checks can be done with one of two methods:

Endpoint Compliance (requires Harmony Endpoint management, which must be licensed).
SCV (does not require Harmony Endpoint, but requires crafting a local.csv file). See: https://support.checkpoint.com/results/sk/sk38702

Compliance (as configured on the Management object) has nothing to do with Endpoint or VPN.
See: https://support.checkpoint.com/results/sk/sk120256

If your intention is not to have Harmony Endpoint management, then you should work with SCV, and the screenshot I provided above definitely applies.