topic Re: Compliance Endpoint Security in SASE and Remote Access

Compliance Endpoint Security

Julian_Sanchez — Wed, 10 Mar 2021 02:27:07 GMT

Hello guys,

We have a customer that have the most of their employes working remote. In addition, they have configurate the Remote Access VPN, and now they have a question about the compliance. For example, I have this questions:

1. Is possible that compliance can validate that only can connect to Remote VPN desktops of domain?

2. Is possible if the connect is sucessful, take the policies that are configurated in the firewall as if the employ is in the LAN company?

3. Is possible block or not allowed connections of cellphones?

I was reading about Endppoint Security Compliance on Demand that can be configurated in global propierties, and another solution is SCV Secure Configuration Validation altough is like me more hard. What is the best way? or What tool offer us configurate the requierements?

Thanks for your advices.

Re: Compliance Endpoint Security

PhoneBoy — Wed, 10 Mar 2021 07:15:17 GMT

1. This can be done with SCV or Endpoint Compliance, the latter of which is easier to configure and works on Macs and PCs (SCV is Windows only currently).

2. You would have to “route all traffic” back to headquarters, which may not be desirable. That said it would be possible using the other Harmony components to achieve a similarly configured policy for VPN endpoints without routing all traffic back to the corporate office.

3. You can restrict which types of VPN clients that can connect globally to prevent mobile phones (or other client types) from connecting if desired. This doesn’t even require Endpoint Compliance.

Re: Compliance Endpoint Security

Ruan_Kotze — Wed, 10 Mar 2021 08:27:04 GMT

Regarding point 1 - I posted a detailed walkthrough of implementing domain membership validation for VPN clients on my blog.

Re: Compliance Endpoint Security

Julian_Sanchez — Thu, 11 Mar 2021 18:24:58 GMT

Thank you for your answer. Relly useful. Only last question or doubt about the SCV or Endpoint Compliance. If I want to use Endpoint Compliance it work with the Endpoint Security only for VPN, the client normal or not?

Or for use Endpoint Compliance I need the agent of SBA? regards

Re: Compliance Endpoint Security

Ruan_Kotze — Thu, 11 Mar 2021 18:27:42 GMT

The Check Point Mobile client is fine for what you want to do. You do not need the SBA.

Re: Compliance Endpoint Security

PhoneBoy — Thu, 11 Mar 2021 23:10:40 GMT

Harmony Endpoint (formerly SandBlast Agent) does offer additional features.
Endpoint Security VPN is sufficient to use Compliance, however.
SCV can be used on Check Point Mobile (in addition to Endpoint Security VPN).

Re: Compliance Endpoint Security

Julian_Sanchez — Wed, 24 Mar 2021 14:55:38 GMT

Hello,

I have a question acording to the point 3. I disable or un check for preventing mobile phones. However if I want to give exclusions is possible? or block all phones?

Re: Compliance Endpoint Security

PhoneBoy — Wed, 24 Mar 2021 17:22:18 GMT

The setting for which clients are allowed to connect is global (meaning either all of X-type clients are allowed to connect or none).
You can create (and use) Access Roles to control who is allowed to do what from what type of client once they are connected.