topic Re: temporary disable remote access in SASE and Remote Access

temporary disable remote access

Wolfgang — Tue, 08 Oct 2024 12:04:09 GMT

For a migration test we are looking for a way to disable quick and temporary remote access on a gateway and get it back enable as fast as possible.

We are using the Endpoint VPN client only to connect to the gateway, no SNX.

Blocking access to the gateway for NAT-T and HTTPs with a firewall in front of the gateway does work. But we have some site2site VPNs using NAT-T and they are blocked, which we not want.

Removing the gateway from the remote access community is a solutions but this has to much impact of the configuration, we don't want.

Any other ways to disable or block or anything else like stopping a service to disable the remote access temporary?

Re: temporary disable remote access

G_W_Albrecht — Tue, 08 Oct 2024 12:23:33 GMT

I do not think so - looking through https://support.checkpoint.com/results/sk/sk97638 all possibilities to stop processes for RA VPN will also affect S2S VPN...

Re: temporary disable remote access

Alex- — Tue, 08 Oct 2024 12:27:54 GMT

You could add a top layer with the office mode network allowed by default and blocked when you need it, followed by any/any/accept to your main layer.

Re: temporary disable remote access

PhoneBoy — Tue, 08 Oct 2024 19:51:18 GMT

HTTPS isn't needed for S2S VPN so it can be safely blocked.
If you have remote VPN peers with fixed IPs, you can block NAT-T from other hosts (temporarily) to effectively "disable" Remote Access using fwaccel dos commands.

Re: temporary disable remote access

Wolfgang — Thu, 10 Oct 2024 07:19:54 GMT

Just to inform....blocking HTTPS from any to our RemoteAccess-gateway via the firewall-gateway in front does the job. No need to block NAT-T.