https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221055#M3480 <P>Good day.</P><P>According to R81.20 Remote Access manual created SVC check with additional test desktop security firewall policy (just simple block outgoing traffic to 8.8.8.8).</P><P>SCV works perfectly but firewall policy always in active state even when there is no connection to VPN server.</P><P>How to enforce Endpoint client to disable firewall in disconnected state? I would not like to allow remote clients to decide for themselves when to turn off the firewall.</P><P>I know that Harmony has such functionality, but we use simple SCV.</P><P>&nbsp;</P> Wed, 17 Jul 2024 12:50:01 GMT akurtasanov 2024-07-17T12:50:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221055#M3480 <P>Good day.</P><P>According to R81.20 Remote Access manual created SVC check with additional test desktop security firewall policy (just simple block outgoing traffic to 8.8.8.8).</P><P>SCV works perfectly but firewall policy always in active state even when there is no connection to VPN server.</P><P>How to enforce Endpoint client to disable firewall in disconnected state? I would not like to allow remote clients to decide for themselves when to turn off the firewall.</P><P>I know that Harmony has such functionality, but we use simple SCV.</P><P>&nbsp;</P> Wed, 17 Jul 2024 12:50:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221055#M3480 akurtasanov 2024-07-17T12:50:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221111#M3481 <P>You can configure a different policy for connected and disconnected using the Desktop Security features (not as part of SCV).<BR />I don't believe you can disable the firewall entirely, but you can make the policy "any any" if you'd like:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Desktop-Security.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Desktop-Security.htm</A>&nbsp;</P> Wed, 17 Jul 2024 17:56:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221111#M3481 PhoneBoy 2024-07-17T17:56:32Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221150#M3482 <P>Added next:<BR /><BR />:allow_ipv6 (<BR />:gateway (allow_ipv6<BR />:default (false)<BR />)<BR />)<BR />:disconnected_in_house_fw_policy_enabled (<BR />:gateway (disconnected_in_house_fw_policy_enabled<BR />:default (true)<BR />)<BR />)<BR />:disconnected_in_house_fw_policy_mode (<BR />:gateway (disconnected_in_house_fw_policy_mode<BR />:default (any_any_allow)<BR />)<BR />)</P><P>Installed policy</P><P>Nothing on client. After several tries Any Any Deny in Desktop Security rule still in active state after VPN disconnection.</P> Thu, 18 Jul 2024 07:08:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221150#M3482 akurtasanov 2024-07-18T07:08:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221271#M3483 <P>Where did you put this configuration exactly?<BR />These look like ttm settings, just want to confirm.</P> Thu, 18 Jul 2024 17:05:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221271#M3483 PhoneBoy 2024-07-18T17:05:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221344#M3484 <P>Yes in&nbsp;trac_client_1.ttm.</P> Fri, 19 Jul 2024 02:14:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221344#M3484 akurtasanov 2024-07-19T02:14:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221348#M3485 <P>There are errors in the official documentation:</P><P>1)&nbsp;any_any_allow - is wrong. In&nbsp;sk75221 there is no&nbsp;&nbsp;any_any_allow&nbsp; in disconnected_in_house_fw_policy_mode section. Only&nbsp;<SPAN>all_allow instead off&nbsp;&nbsp;any_any_allow</SPAN></P><P><SPAN>2) Even with enabled&nbsp;right&nbsp;all_allow option&nbsp;"Any - Any - Allow" will not be enforced. Enforced will be first "Any User@Any" with block or allow action.</SPAN></P><P><SPAN>3) With enabled&nbsp;Location Awareness for desktop firewall is much better to use&nbsp;"Any - Any - Encrypt" default implied rules for inbound and outbound connections +&nbsp;encrypt_to_allow in&nbsp;disconnected_in_house_fw_policy_mode section in ttm file.</SPAN></P><P>&nbsp;</P> Fri, 19 Jul 2024 04:26:13 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Desktop-Security-firewall-policy-in-active-state-after-Endpoint/m-p/221348#M3485 akurtasanov 2024-07-19T04:26:13Z