topic Re: Want help with traffic blocking from one side in Spark Firewall (SMB)

Want help with traffic blocking from one side

Satyam_mehrotra — Sat, 15 Sep 2018 14:52:36 GMT

hi guys, i have 40 computer setup on which online examinations are going on. I want to block internet on all computers so that students cant cheat by looking on internet. but problem is teachers should be able to connect remotely to any computer from outside. is there any way, if so please help.

Re: Want help with traffic blocking from one side

Vladimir — Sun, 16 Sep 2018 02:59:04 GMT

What is the model of the gateway/management appliance you are using and the version of the software on it?

Re: Want help with traffic blocking from one side

PhoneBoy — Sun, 16 Sep 2018 05:37:01 GMT

Another relevant question: how are the instructors connecting to the computers remotely?

Because that will determine what the policy looks like.

Re: Want help with traffic blocking from one side

JozkoMrkvicka — Sun, 16 Sep 2018 07:06:40 GMT

Block http and https during exam, or setup non-working proxy which cannot be changed by students (only teachers - administrators).

Re: Want help with traffic blocking from one side

Satyam_mehrotra — Sun, 16 Sep 2018 12:50:02 GMT

my UTM is 730 Wireless

Re: Want help with traffic blocking from one side

Satyam_mehrotra — Sun, 16 Sep 2018 12:51:27 GMT

I have 730 Wireless UTM

Re: Want help with traffic blocking from one side

Satyam_mehrotra — Sun, 16 Sep 2018 12:52:32 GMT

through remote desktop connection

Re: Want help with traffic blocking from one side

Vladimir — Sun, 16 Sep 2018 13:18:37 GMT

We should really know how the exam is being administered.

If it is a browser-based exam and the PCs should be able to access the resources outside to run it, we cannot simply block HTTP/HTTPS. You should define custom site and permit access to it using URLF/App Control in the rule above that preventing HTTP(S) access to other sites.

Remote administration of PCs could be accomplished by either configuring a mobile access for the teacher, to connect tot the gateway via VPN and running RDP to the PCs, or by deploying a jump host, like Apache Guacamole™ ,configuring it to run on custom port not conflicting with any of Check Point services.

For example:

1. Create custom HTTPS service:

2. Create these objects:

a dummy object with Gateway's external IP:

and a real object for the JumpHost:

students's network:

custom Site:

and Test Time(s):

3. Configure NAT rules:

4. Enable "Time" column in the Policy view:

5. And configure the access rules:

This should do it.

Re: Want help with traffic blocking from one side

Satyam_mehrotra — Sun, 16 Sep 2018 14:17:16 GMT

Is there any way to connect through anydesk type software.

Re: Want help with traffic blocking from one side

Vladimir — Sun, 16 Sep 2018 14:49:56 GMT

From what I understand, it relies on unrestricted HTTPS connectivity from the clients, so this would likely be difficult to achieve.

You can try creating a custom site/URL with their site in it, permitting the traffic to it and to DNS from the students' PCs and restricting their access to anything else in the rule below to see if it works.

This scenario assumes that there is no Active Directory with recursive DNS server in place.

Re: Want help with traffic blocking from one side

PhoneBoy — Sun, 16 Sep 2018 16:26:45 GMT

Which means this is really an SMB question, so let's move it to the correct space: SMB and SMP‌