Ricardo_Gros
Collaborator

Desktop Policy

Hi,

I just stumbled upon this situation where a laptop on a public WiFi network gets an address in the same network segment as on the corporate network.

Example:

Corporate Network: 10.1.1.0/24

WiFi IP of laptop: 10.1.1.25 (received on an insecure WiFi connection)

Desktop policy rule that states: FROM 10.1.1.0/24 to Corporate and vice versa, any any accept.

Desktop policy has the cleanup rule set to drop.

So the idea is that all connections to a laptop that is not connected to the VPN are dropped.

Location awareness is set to detect internal interface connections (also tried DC probing same effect).

Now the effect we have is that if the laptop network address is different from Corporate (10.1.1.0/24) then this works: all connections are dropped until the VPN is connected.

However, if the laptop network address is inside 10.1.1.0/24 (for example the laptop receives 10.1.1.25) then all connections are accepted before the VPN is connected.

So the Desktop policy triggers even if Location Awareness detects the laptop as outside the corporate network.

Location Awareness works, because the VPN connection is possible and the client does pop up for connection.

We have had a case open for this for quite some time now, so I'm wondering if someone has had this issue or can replicate it.

I'm strongly inclined to a configuration error somewhere; trac files have been checked and Location Awareness is enabled.

11 Replies
PhoneBoy
Admin

It looks like TAC is still trying to work with you on setting up a remote session to observe the behavior.

My understanding is the Desktop Policy applies whether you are connected to the VPN or not.

A screenshot of your inbound firewall rules might be helpful.

0 Kudos
Ricardo_Gros
Collaborator

Hi,

So I have a statement from TAC now, and indeed the default behavior can be set on the parameter Disconnected_in_house_fw_policy_mode.

It seems only 2 modes are available: accept or follow policy.

So the statement from TAC was "not possible, we need to ask for a feature request". This is OK, but after looking at this case I'm wondering if adding a new parameter "deny" would not be helpful to avoid creating a security hole due to simply not testing this specific scenario where the private IP range is the same as corporate. The idea of blocking all traffic if the VPN is not connected is something I have seen more often, and the simple fact that it works in all other scenarios may lead to having this little issue and not being aware of it.

Thank you for your answer :)

0 Kudos
PhoneBoy
Admin

I'm curious if your policy wouldn't make more sense in terms of zones.

I assume the "Trusted_Zone" would not apply when not connected via VPN.

This is the "default" policy (from Demo mode):

0 Kudos
Ricardo_Gros
Collaborator

Hi,

This is a good idea, however I'm having trouble finding this menu on either 77.30 or 80.10; on the Desktop policy itself I am unable to apply zone objects.

0 Kudos
PhoneBoy
Admin

In SmartEndpoint, right clicking on the Firewall rule and choosing "Edit Shared Action":

0 Kudos
Ricardo_Gros
Collaborator

Hi,

The customer does not use SmartEndpoint, just Desktop policy. Using Endpoint this issue does not happen at all.

This only happens using desktop policy.

0 Kudos
PhoneBoy
Admin

That is true, Desktop Policy does not permit use of Dynamic Objects.

That said, I think if you have a license for Desktop Policy, you probably can use SmartEndpoint. 

0 Kudos
(1)
Ricardo_Gros
Collaborator

I will investigate this on Monday; probably we will suggest the usage of Endpoint.

But going back to Desktop Policy, if I understood correctly the current implementation on the client triggers the desktop policy independent of Location Awareness. This means that if a client falls into a network on a segment that happens to be included in the Desktop Policy, the rules will trigger, even if this is an insecure network.

In my personal opinion this feels a little insecure. It would make more sense to have a link between Location Awareness and Desktop policy where, if LA detects the client is outside, connections are blocked and the desktop policy is ignored.

It would seem more user friendly and intuitive, I think.

Can you share your view on this?

0 Kudos
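The behaviour described in the original post (an IP-range rule that matches a laptop with an overlapping address on public WiFi) and the link between Location Awareness and the desktop policy proposed in the post above can be modelled in a few lines. This is an added illustration written for this thread, not Check Point code: the rule evaluation is a simplified first-match model, the peer addresses are constructed, and the "deny" mode is the hypothetical option suggested in the thread, not an existing setting of Disconnected_in_house_fw_policy_mode.

```python
import ipaddress

# Values from the original post
CORPORATE_NET = ipaddress.ip_network("10.1.1.0/24")
CLEANUP_ACTION = "drop"  # cleanup rule of the desktop policy

# Desktop policy rule from the post: 10.1.1.0/24 <-> Corporate, any any accept.
# Simplified model: each rule is (source network, destination network, action).
DESKTOP_POLICY = [
    (CORPORATE_NET, CORPORATE_NET, "accept"),
]


def match_policy(src_ip, dst_ip, policy=DESKTOP_POLICY):
    """Plain IP-based evaluation: first matching rule wins, otherwise cleanup.

    This is all the rule base itself can see: it has no idea whether the
    10.1.1.x address was handed out by the corporate DHCP or by a hotel AP.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in policy:
        if src in src_net and dst in dst_net:
            return action
    return CLEANUP_ACTION


def desktop_decision(src_ip, dst_ip, location, vpn_connected, mode="follow_policy"):
    """Decision for an inbound connection to the laptop.

    location:      "inside" or "outside", as reported by Location Awareness.
    vpn_connected: whether the Remote Access VPN tunnel is up.
    mode:          behaviour when LA says "outside" and no VPN is connected.
                   "accept" and "follow_policy" are the two modes TAC
                   described; "deny" is the hypothetical third mode proposed
                   in the thread. How the real parameter interacts with LA is
                   not established in the thread; this model is an assumption.
    """
    if vpn_connected or location == "inside":
        return match_policy(src_ip, dst_ip)
    if mode == "accept":
        return "accept"
    if mode == "deny":
        return "drop"
    if mode == "follow_policy":
        return match_policy(src_ip, dst_ip)
    raise ValueError(f"unknown mode {mode!r}")


def run_scenarios():
    """Constructed scenarios; each is (peer on the same WiFi) -> (laptop)."""
    return {
        # Hotel WiFi with a non-overlapping range: the cleanup rule drops it.
        "public_non_overlapping": desktop_decision(
            "192.168.0.50", "192.168.0.25", "outside", False),
        # Public WiFi that happens to hand out 10.1.1.x: the IP match accepts
        # the peer even though LA reports "outside" (the hole in the thread).
        "public_overlapping": desktop_decision(
            "10.1.1.50", "10.1.1.25", "outside", False),
        # Same laptop with the proposed "deny" mode: dropped until VPN is up.
        "public_overlapping_deny": desktop_decision(
            "10.1.1.50", "10.1.1.25", "outside", False, mode="deny"),
        # Once the VPN is connected, the policy applies as intended.
        "vpn_connected": desktop_decision(
            "10.1.1.50", "10.1.1.25", "outside", True),
        # In the office, on the real 10.1.1.0/24, the rule should accept.
        "in_house": desktop_decision(
            "10.1.1.50", "10.1.1.25", "inside", False),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:25s} -> {decision}")
```

The "public_overlapping" case is the one the thread is about: with only IP matching, a rule base that is correct for every other network still accepts inbound connections from strangers on a public segment that happens to reuse 10.1.1.0/24. Gating on the Location Awareness verdict (or, as suggested later in the thread, on zones managed in SmartEndpoint) removes the dependency on address overlap.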
PhoneBoy
Admin

Desktop Policy is actually kind of a legacy feature as it predates Check Point having a full endpoint suite.

It was introduced with SecureClient a couple of decades ago, which is why it is configured in SmartDashboard versus SmartEndpoint.

Location Awareness was added later as a feature of Endpoint Security.

Endpoint Security VPN clients have a firewall that can be managed in SmartEndpoint, which is a different policy from the Desktop Policy.

As far as I know, all current management licenses include Endpoint Management--you just need to enable it.

Also, the license for Desktop Policy on the client should be the same as it would be for Endpoint Security VPN clients.

So there's no reason you shouldn't be able to manage and deploy endpoint firewall rules with SmartEndpoint.

Ricardo_Gros
Collaborator

Hi, 

First let me thank you for taking the time to discuss this with me.

I do agree with you, Endpoint will definitely have to be the way to go forward on this one; actually the idea behind this post was to get some other views on this predicament.

I'm now actually wondering if this is the only customer trying to achieve this with Desktop Policy.

PhoneBoy
Admin

I'll be honest, I hadn't heard of anyone using Desktop Policy in some time.

Took me a bit to figure out how to enable it in SmartConsole for R80.20 (which ultimately brings up the legacy SmartDashboard). :)

0 Kudos