topic Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic in SASE and Remote Access

Query related to blocking the internet when capsule users are connected to VPN from mobile devices v

naveda — Wed, 27 Apr 2022 05:48:12 GMT

Hi Team,

A customer has a requirement, where they wanted to block the internet for Remote access VPN users when they are connected, to achieve that I have configured desktop policy and their requirement is fulfilled but now they have the same requirement for all mobile users using the capsule.

Is it possible to do so, or do we have any alternate option to fulfil this requirement?

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

G_W_Albrecht — Wed, 27 Apr 2022 09:43:53 GMT

This is possible using the Route All Traffic feature:

https://dl3.checkpoint.com/paid/5e/5ee546112df339d6bef37872e26c2434/CP_CapsuleVPNClient_AdminGuide.pdf?HashKey=1651059754_696925a4b709a8afad39aa53f3ba4ae4&xtn=.pdf

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

naveda — Thu, 28 Apr 2022 08:19:48 GMT

@GW_W_Albrecht, thank you for your response. I have checked the guide, it just shows the way to route all traffic to the gateway. I also want to know if I configure route all traffic to the gateway, wouldn't this way increase the overhead on the gateway, when all traffic from the client will be passed through the gateway.

If the customer will agree to do that, after enabling the feature, we can restrict the traffic in policy right?

Please clarify on this. Thanks!

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

G_W_Albrecht — Thu, 28 Apr 2022 09:26:16 GMT

Of course the Route All Traffic feature will increase GW load ! As this feature only works while VPN is connected it also will only do TP for client traffic during that time. This was your customers request and he may have good reasons for it - i would prefer not to use the Route All Traffic feature, but also install the Harmony Mobile protect app on mobile devices. This gives safety anytime !

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

naveda — Thu, 28 Apr 2022 12:55:18 GMT

By that means, with harmony mobile, we can achieve the requirement to restrict users to access the internet when VPN is connected or it is just to prevent malicious traffic to route through the gateway.

Also, I want to know if we can suggest them to go with any 3rd party MDM or achieve that requirement.

Please confirm one more thing, if customer agrees to enable route all traffic through gateway feature, we can restrict particular user traffic by access policy but blocking destination as internet, right?

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

PhoneBoy — Thu, 28 Apr 2022 12:59:58 GMT

Harmony Mobile doesn't filter all Internet traffic, but it does block certain malicious traffic (phishing/bots).
And no, an MDM can't do that alone, but an MDM can be used to place restrictions on the device when it falls out of compliance and/or isn't secure according to Harmony Mobile.

Whether or not you "block" Internet when using Route All Traffic is a function of the specific access policy.

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

naveda — Thu, 28 Apr 2022 13:15:18 GMT

Thanks @G_W_Albrecht and @PhoneBoy I will try to do this in my lab and propose this option as route all traffic to the gateway to achieve their requirement.

Re: Query related to blocking the internet when capsule users are connected to VPN from mobile devic

G_W_Albrecht — Thu, 28 Apr 2022 15:07:20 GMT

No, as @PhoneBoy wrote, harmony mobile protects mobile devices all the time. Complete internet traffic by connected clients using the Route All Traffic feature can be restricted and undergo TP on GW. Or disabled completely, of course...