Check Point's New SASE Solution Powered by Odo: Video, Slides, and Q&A

PhoneBoy — Wed, 07 Oct 2020 16:55:35 GMT

Materials presented available to CheckMates members:

Selected Q&A Below:

How Can We Get a Demo?

Are there any Endpoint Compliance checks done as part of Odo?

Currently, no, but this is a top-priority for us that is in short term roadmap. It will be similar to our existing Endpoint Security on Demand for Mobile Access Blade but a different implementation.

Can users access shared drives with Odo?

Not currently. This is something Mobile Access Blade supports today.

Will this be integrated with CloudGuard Connect?

Initially, no, but this is planned for early next year.

What Identity Providers are supported?

Okta, Duo, Azure AD, onelogin, Ping.

Is Multiple Concurrent IDPs supported?

Not currently, but the "dual-mode" of several IDPs, plus IDP and Local Directory is on the short-term roadmap.

Is Local (On-prem) AD supported?

Yes, assuming the AD is accessible from the Docker agent installed on-premise.

Do I need to allow any inbound access on my perimeter gateways?

No, a Docker agent installed on-premise will initiate an outbound HTTPS connection to the Check Point cloud and will proxy all authorized traffic inbound to the datacenter.

How are applications that require port ranges/dynamic ports supported?

We support applications that tunnel over web, RDP, SQL, or SSH (including SSH tunneling). We do not support arbitrary applications.

How much latency is added to application access?

It is similar to an nginx reverse proxy, which is minimal. Our data plane is located in many different regions to reduce latency.

Will the gateway decrypt the HTTPS connection from the browser and re-establish another HTTPS connection to the connector?

Yes. Since the solution is DNS based we own our own certificate and will send it once opened to the server side (trusted proxy).

Where is the user activity video stored?

In AWS Encrypted File Store. Access to this is limited to admins and is stored by default for 30 days.

Are the user activity recordings indexed?

RDP is not indexed, SSH indexing is on the roadmap.

Can you explain the end-to-end connection flow?

The user authenticates to the controller (hosted in the cloud), which returns a list of available applications. Any authorized access to these applications is routed through the gateway to the on-premise Docker agent.

Is this a replacement for Mobile Access Blade?

It is a complimentary solution to Mobile Access Blade.

What SaaS apps are supported?

Any web-based SaaS app is supported.

Will VDI be supported for both VMware and Citrix?

Depends on the use case. We generally recommend using RDP.

Is this integrated with SmartConsole and/or Infinity Portal?

No, this is not integrated with SmartConsole. We plan to have this as part of Infinity Portal by the end of 2020.

Can you access SmartConsole via Odo?

Only via a machine accessible with RDP. Once a web-based SmartConsole is available (planned in the R81 timeframe), this should be accessible via Odo.

Can RDP Copy/Paste be blocked when connected via Clientless mode?

Yes, we can also block download of files per configuration.

Is VNC supported?

Not currently. If this is of interest, please contact your local Check Point office.

Does this replace VPN?

VPN replacement is a possible use case for Odo, although Odo does not fully replace VPN. Odo only supports Web, SSH, RDP and some database access. As such, it is not a full replacement for Mobile Access Blade, Remote Access VPN, or Site-to-Site VPN.

If applications are defined in an existing IdP, what is the process for moving them to Odo?

The app URL will change as we provide a new FQDN for each app.

Will a DLP solution be integrated?

This is planned for next year as part of CloudGuard Connect.

topic Check Point's New SASE Solution Powered by Odo: Video, Slides, and Q&A in SASE and Remote Access