topic Re: Connecting to Internal Network VPN/SSL Client in SASE and Remote Access

Connecting to Internal Network VPN/SSL Client

Cristian_Rosa — Mon, 18 Apr 2022 14:32:27 GMT

Hello guys,

How to prevent the user on the LAN internal network from connecting to the SSL VPN/Client itself. We come across this case, where the user should only be able to access an SSL VPN/Client when they are internal, not when they are internal.

I wouldn't want users to access our own SSL/Client VPN from the internal network.

Congrats,

Cristian Rosa

Re: Connecting to Internal Network VPN/SSL Client

the_rock — Mon, 18 Apr 2022 15:28:05 GMT

Im not real sure what you are trying to achieve here. You dont want user thats internal to be able to access VPN client??

Re: Connecting to Internal Network VPN/SSL Client

Cristian_Rosa — Mon, 18 Apr 2022 17:27:26 GMT

240 / 5,000

Yes When the user is inside the internal network, he connects to the SSL VPN as if he were externally. Should this happen? Does Checkpoint accept this connection, even the user within the internal network? I wish it weren't possible.

Re: Connecting to Internal Network VPN/SSL Client

the_rock — Mon, 18 Apr 2022 17:59:39 GMT

You can restrict it, but there is no need to do this from internal.

Re: Connecting to Internal Network VPN/SSL Client

Cristian_Rosa — Mon, 18 Apr 2022 18:14:12 GMT

And how would I do?

Can you help me ?

Congrats,

Cristian Rosa

Re: Connecting to Internal Network VPN/SSL Client

skandshus — Mon, 18 Apr 2022 18:16:44 GMT

Dont you have the ability to select the interface its accesible from?

i got that on several things if you open the gateway properties

Re: Connecting to Internal Network VPN/SSL Client

Cristian_Rosa — Mon, 18 Apr 2022 18:23:37 GMT

I don't know how to inform. I searched but couldn't find where to configure it.

Re: Connecting to Internal Network VPN/SSL Client

the_rock — Mon, 18 Apr 2022 18:46:23 GMT

Honestly, I never heard of a way to do this specifically from the firewall object itself or even global properties. There might be some way possible via gw file trac_client_1.ttm, but not 100% sure how. Maybe someone else will chime in and confirm for you. Personally, there would need to be some sort of mechanism that would recognize user being internal that would prevent them from even being able to connect, unless they come from external source.

Re: Connecting to Internal Network VPN/SSL Client

Cristian_Rosa — Mon, 18 Apr 2022 19:01:44 GMT

Yes Exactly. I think this is the way I hadn't seen that happen yet.

Re: Connecting to Internal Network VPN/SSL Client

the_rock — Mon, 18 Apr 2022 19:03:15 GMT

Lets see if someone else may have an idea, Im also interested to see the suggestions/advice or if its even possible.

Re: Connecting to Internal Network VPN/SSL Client

Wolfgang — Tue, 19 Apr 2022 06:10:14 GMT

@Cristian_Rosa you can disable the implied rule for MOB access if you switch your gateway object configuration "Accessibility" to "According to the Firewall policy"

With these setting you have to define access rules for access to the MobileAccessPortal like this one

Re: Connecting to Internal Network VPN/SSL Client

G_W_Albrecht — Tue, 19 Apr 2022 08:46:30 GMT

Yep - it is rather old and called Location Awareness:

SmartDashboard - go to Policy menu - click on Global Properties... - expand Remote Access - click on Endpoint Connect - in the Connectivity Settings section, refer to Network Location Awareness field - select Yes - click on Configure... button - enjoy the options...

Re: Connecting to Internal Network VPN/SSL Client

the_rock — Tue, 19 Apr 2022 12:55:25 GMT

Ah, yes, good point, totally forgot about that.

Re: Connecting to Internal Network VPN/SSL Client

Cristian_Rosa — Tue, 19 Apr 2022 19:30:48 GMT

Hello Abrecht,

Your help resolved my case.

Thanks a lot...

Cristian Rosa

CCSA