Alex-
Leader

Location awareness and EpMaaS - possible?

We're trying to activate a specific firewall policy when connected or not, having also specified a connected/disconnected rule.

However, the result always seems to be the generic connected firewall rule and never the disconnected state.

The goal is to have a different firewall access at the office than outside.

Is this possible with EpMaaS?

3 Replies

Don_Paterson
Advisor

I don't think that what you are looking for is a dedicated feature/policy option.

Would be nice to have, but an RFE would probably be needed to have it added, sorry to say it (https://support.checkpoint.com/results/sk/sk71840)

You can always try to ask your SE/Contact at Check Point.

This thread is related and offers Connection Awareness as a kind of work-around, but it's not really the desired feature.

https://community.checkpoint.com/t5/Endpoint/what-is-the-purpose-of-disconnected-policy/td-p/205901

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_HarmonyEndpointWebManagement_Admin...

The disconnected state description in the documentation seems to need to be revised, and seems more specific to an on-prem Endpoint Management Server (EPMS) solution that is only accessible when connected to the LAN/in the office.

Meaning that the EPMS setup does not include access to the server over the Internet (access when off site via static NAT).

With MaaS always online and reachable, and endpoints almost always online when booted up (apart from the flight mode or similar scenario), the Disconnected state is less likely.

"For example, you can enforce a more restrictive policy if users are working from home and are not protected by organizational resources. You can define a Disconnected policy for only some of the Endpoint Security components."

Alex-
Leader

Thanks for the detailed answer.

In the client settings, there is still a setting which says "Consider the client connected if", then gives the choice of the management service or some custom targets. As per the documentation, we would expect the firewall blade to support either state but even with that setting set manually, the endpoint client shows a connected status.

There doesn't seem to be monitoring for this either.

Don_Paterson
Advisor

If it is not working as designed then there is a problem that should probably be reported through an SR to TAC.

As long as the custom targets are not reachable/responding the 

The monitoring part makes sense if we consider that the setting is a client-side setting (Connection Awareness) and the client can still reach the MaaS even if it can't reach the custom targets, and MaaS is only designed to report connection state based on heartbeats and not Connection Awareness state.

@BarYassure is this something you can advise on?

For reference:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_HarmonyEndpointWebManagement...
