topic Re: Connection Awareness in SASE and Remote Access

Connection Awareness

Alex- — Sun, 31 Mar 2024 22:48:14 GMT

According to the documentation, we can configure a ping to a destination or HTTP/S GET done every 30 seconds.

We looked at this feature for a fully segmented network behind a Quantum cluster doing the full Threat Prevention policing already.

We want to adjust some settings to avoid redundant use on some blades and extra processing time for users, for this we are looking at a connected/disconnected policy.

Here are the challenges we found:

The documentation doesn't speak much about ICMP behaviour, what is the frequency of pings and when is the system considered to be disconnected or connected again
For users behind VPN using split-tunnelling, we need some extra configuration like blocking ping to the inside destination in the firewall policy which looks a bit like a DIY approach
For our larger deployments with hundreds of endpoints, we are creating a sort of DDOS setup to an inside system
The client says Online when it can reach Internet but it's not clear for end-users or administrator if we are operating in connected or disconnected mode and its tracking
We need to set up at least two destinations to avoid having all clients to switch to disconnected should for instance the probed system require a reboot or similar which doubles the traffic.

Our clients would prefer a posture-based approach policy, like membership of subnet X and domain Y with DNS server being Z and assign them to a connected or disconnected status, which would then also address the situation of VPN users in split-tunneling.

Re: Connection Awareness

MikeB — Tue, 09 Apr 2024 16:07:45 GMT

you made this post in the wrong place (endpoint location). I suggest you post this in Quantum location.

Re: Connection Awareness

PhoneBoy — Tue, 09 Apr 2024 23:02:46 GMT

To be honest, it's not clear what the intended goal of all this is.
Can you explain?

Re: Connection Awareness

Alex- — Wed, 10 Apr 2024 07:21:27 GMT

This is about connected/disconnected endpoint policy mode.

We are providing complete security packages to our customers with Quantum and Harmony EpmaaS.

The firewalls are doing full segmentation and all the blades are activated.

On Harmony Endpoint with EpmaaS, we would like to avoid running the full suite when users are in the office behind the firewall, instead a lighter version of the policy. When they're outside of the perimeter, the enhanced endpoint policy should be enforced.

However determine the connection awareness status isn't as straightforward as the documentation would imply, based on our tests and what is described in the initial post.

Connection Awareness

Re: Connection Awareness

Alex- — Wed, 10 Apr 2024 07:12:04 GMT

This post is for Harmony Endpoint Connection Awareness, I understand it wasn't directly clear from the start.