topic Re: Restrict laptop access on site to site vpn in Spark Firewall (SMB)

Restrict laptop access on site to site vpn

bsorgi — Tue, 25 Feb 2020 22:41:09 GMT

Hi All-

I’m wondering if any of you could help me with the following. I’ve set up a site to site vpn between a checkpoint 14xx to a checkpoint 15xx located at the business owners home. He doesn’t want to have to go through the process of using endpoint protection software on his work laptop to connect into the corporate network. From his home location, I only want his work laptop to be able to traverse the site to site vpn for obvious security reasons. I’ve tried tinkering around with the GUI options and can’t seem to figure out how to get this to work.

My thought process / what I tried was assigning the laptop a static IP or dhcp reservation and basing a rule on that, but couldn’t seem to get a rule to work properly on either side.

Any suggestions/ guidance would be most appreciated. I feel like I’m missing something obvious or maybe some simple tweaking in the cli could sort this out.

Re: Restrict laptop access on site to site vpn

PhoneBoy — Tue, 25 Feb 2020 23:14:04 GMT

Redacted screenshots of exactly what you tried to configure would be helpful.

Re: Restrict laptop access on site to site vpn

HristoGrigorov — Wed, 26 Feb 2020 04:32:08 GMT

I believe you need to use VTI for this.

Re: Restrict laptop access on site to site vpn

G_W_Albrecht — Wed, 26 Feb 2020 15:55:17 GMT

This does only work if the main GW (or both) is (are) centrally managed - see sk107641: Configure "Route All Traffic" from locally managed SMB appliances to a centrally managed gateway for details!

Re: Restrict laptop access on site to site vpn

John_Fleming — Thu, 27 Feb 2020 15:55:52 GMT

This is a good case for captive portal if you're using a management server. It wouldn't limit access to just a laptop per say but what it would do is make it so anyone on the remote network would have to authenticate to the firewall in order to gain access to the corp network. Captival portal with Access Roles are pretty granular. You can say allow access to this without auth but require for that.

This way the door isn't always open, but if the right user requests access then they are allowed through.

Now if you aren't using a management server there is something called User Awareness which is kind of similar. You basically say in order to access some remote resource you have to auth to the firewall. Only problem is all access to that destination will require auth meaning you CAN'T (type-o fixed) pick and chose what does and doesn't require auth.