KirillMuravyev
Contributor

Restrict users to disconnect from remote access VPN client

Hello mates!

We are looking for a solution to inspect all Internet traffic of remote users while they are out of the corporate network.

Enabling full tunnel routes all traffic through the gateway for inspection, but users are still able to click "disconnect" in the client.

I know about machine-certificate-only auth, but we cannot use it, as a less secure option.

Also, ATM does not look good either.

I was hoping this can solve my problem:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

section "Location-Based Policies". But I didn't get from the documentation exactly how to set this up, or where to configure the "connected" and "disconnected" policy.

So ideally the idea is to restrict Internet access for users until they are connected to the VPN.

Has anyone tried this setup?


22 Replies
_Val_
Admin

You need to create a rule in the disconnected policy which blocks web access.

KirillMuravyev
Contributor

Hi, can you share where exactly this disconnected policy exists and how to configure it?
G_W_Albrecht
Legend

See https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... for all necessary steps!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
KirillMuravyev
Contributor

Hi, I know this doc, as I shared it in my initial message.

This page in the guide regarding location-based policy does not specify where exactly I should configure the connected/disconnected policy; this is not obvious.
_Val_
Admin

In that very document, it says (bold markings are mine):

The administrator defines the Desktop Security Policy in the Desktop Rule Base in SmartDashboard. You can assign rules to specified user groups or to all users.

SmartDashboard, Desktop Policy; it is documented.
_Val_
Admin

Also, in the same document:

Configuring Desktop Security

To enable the Security Gateway to be a Policy Server for Desktop Security:

  1. Click Gateways & Servers and double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  2. On the Network Security tab, select IPsec VPN and Policy Server.

  3. Click OK.

  4. Publish the changes.

To activate the Desktop Security policy:

  1. Click Security Policies and open the Manage Policies window (CTRL + T).

  2. Click the All icon.

  3. Select the policy to edit and click Edit.

    The policy window opens.

  4. Select Desktop Security.

  5. Click OK.

  6. Install policy.

To configure the Desktop Policy rules:

  1. Click Security Policies, and from the navigation tree, click Access Control > Desktop.

  2. Click Open Desktop Policy in SmartDashboard.

    SmartDashboard opens and shows the Desktop tab.

  3. Configure the inbound rules: Click Rules>Add Rule to add rules to the policy.

    In inbound rules, the client computer (the desktop) is the destination. Select user groups to which the rule applies.

  4. Configure the outbound rules. Click Rules>Add Rule to add rules to the policy.

    In outbound rules, the client computer (the desktop) is the source. Select user groups to which the rule applies.

  5. Click Save and close SmartDashboard.

  6. Install the policy.

    Make sure that you install the Advanced Security policy on the Security Gateways and the Desktop Security policy on your Policy Servers.

KirillMuravyev
Contributor

Thanks, but I can read the guide as well, and I followed all the steps.

The guide says that we have a Connected policy and a Disconnected policy.

It is not clear where you configure those 2 different policies.

Below is a screenshot from SmartDashboard, where should I configure Connected policy and Disconnected policy?

_Val_
Admin

This screenshot does not look right. Which version are you using? The GUI looks like a very old version.
KirillMuravyev
Contributor

The screenshot looks right; SMS version is 81.20 take 105.

This is the SmartDashboard for configuring the desktop policy; the screenshot below shows where you open it.
PhoneBoy
Admin

You don't really configure a specific "disconnected" policy; rather, it changes the relevant "encrypt" rules to allow.
See here: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...
KirillMuravyev
Contributor

Again, I saw this doc and followed all the steps. If it were clear from the guide how it works, I wouldn't have created this topic.

The goal is to restrict users' Internet access while not connected to the VPN. I was hoping to configure a connected/disconnected policy as mentioned in the guide, but it is not clear exactly how.

The guide says:

  • Connected Policy - Enforced when:

    • VPN is connected.

    • VPN is disconnected and Location Awareness determines that the endpoint computer is on an internal network. The Connected Policy is not enforced "as is" but modified according to the feature's mode (the disconnected_in_house_fw_policy_mode property).

  • Disconnected Policy - Enforced when the VPN is not connected and Location Awareness sees that the endpoint computer is not on an internal network.

So, it says that the connected policy will be enforced also when the VPN is disconnected, but modified according to the property.

Later, the guide says regarding this property (disconnected_in_house_fw_policy_mode):

Possible values are:

  • encrypt_to_allow - Connected policy will be enforced, based on last connected user. Encrypt rules will be transformed to Allow rules (default).

  • any_any_allow - "Any - Any - Allow" will be enforced.

So, it is not clear what "based on last connected user" and "Encrypt rules will be transformed to Allow rules" mean: what user are we talking about, what encrypt rules are we talking about?

All in all, it is not clear what this feature does exactly.
G_W_Albrecht
Legend

As this is a legacy feature that is very seldom enabled and used, I would suggest opening an SR# with CP TAC to get the procedure to accomplish your goal!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

One way would be, if you have IA enabled, to set up an access role for this. I attached a screenshot.

Andy

KirillMuravyev
Contributor

What is IA?

Can you please elaborate on how an access role in an access rule can help accomplish the goal?
the_rock
Legend

Identity Awareness. I will take a video later and upload it.

Andy

the_rock
Legend

@KirillMuravyev 

Attached. Btw, once you have the access role configured, you can use it in a policy rule to restrict access.

Andy

KirillMuravyev
Contributor

Thanks for the video; I do have IA enabled and I understand how to configure the access role.

The question was how this setup will help me restrict remote users' Internet access while not connected to the VPN?

The goal is to force people to connect to the VPN while they are remote; the always-connect feature is on, but it still allows users to click the "disconnect" button.
the_rock
Legend

One way it can help is to add the type of clients in the access role and then use that role to allow or restrict access.

Andy

KirillMuravyev
Contributor

So how do I make this policy work only for "disconnected" clients?
the_rock
Legend

Let me do some tests in the lab later and I will verify.

Andy

KirillMuravyev
Contributor

We have found a solution with support.

There is no way to disable the "disconnect" button in the client for users, but you can restrict users' network access while they are disconnected from the VPN.

In order to do that, you have to enable Desktop Security (Policy Server blade in the SG properties). Then you have to configure outbound policies in SmartDashboard.

Important now: policies that you configure for "All Users" are downloaded by the VPN client initially and apply by default when the client is disconnected. Any policy that is configured for a specific user or LDAP group will apply when the user is connected to the VPN.

So, you configure an "All Users" policy that restricts Internet access and allows only the public VPN gateway IP (so users can connect to the VPN), and allow any any for a specific LDAP group (I just put a group with all VPN users).

Also, look here https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

If you configure network location awareness, then when the client considers itself inside the corporate network, access would be allow any any.
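
Added example, not Check Point's code and not part of this thread: a small Python model of the Desktop Security behaviour described above ("All Users" rules apply while disconnected, group rules apply once connected, and a disconnected client on an internal network gets the connected policy modified per disconnected_in_house_fw_policy_mode), so the rule order can be sanity-checked before installing it. The gateway IP, the group name, first-match evaluation and the default Block on no match are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    users: str    # "All Users" or a user/LDAP group shown in the Desktop tab
    dst: str      # destination IP or "Any"
    action: str   # "Allow", "Block" or "Encrypt"

# Constructed placeholders: the gateway address and group name are not real.
VPN_GATEWAY = "203.0.113.10"
OUTBOUND_RULES = [                               # rule-base order matters
    Rule("VPN-Users", "Any", "Encrypt"),         # group rule: tunnel everything
    Rule("All Users", VPN_GATEWAY, "Allow"),     # offline client can still reach the gateway
    Rule("All Users", "Any", "Block"),           # everything else is blocked while offline
]

def effective_rules(rules, state, groups, mode="encrypt_to_allow"):
    """Return the rule list the client enforces in a given state.

    disconnected          -> only the "All Users" rules (downloaded initially)
    connected             -> rules for the user's groups plus "All Users" rules
    disconnected_in_house -> the connected policy, modified according to
                             disconnected_in_house_fw_policy_mode
    """
    if state == "disconnected":
        return [r for r in rules if r.users == "All Users"]
    visible = [r for r in rules if r.users == "All Users" or r.users in groups]
    if state == "connected":
        return visible
    if mode == "any_any_allow":
        return [Rule("All Users", "Any", "Allow")]
    # encrypt_to_allow: Encrypt rules are transformed into Allow rules
    return [Rule(r.users, r.dst, "Allow") if r.action == "Encrypt" else r
            for r in visible]

def decide(rules, state, groups, dst, mode="encrypt_to_allow"):
    """First matching rule wins; no match falls back to Block (assumption)."""
    for r in effective_rules(rules, state, groups, mode):
        if r.dst in ("Any", dst):
            return r.action
    return "Block"

if __name__ == "__main__":
    g = ["VPN-Users"]
    for state, dst in [("disconnected", VPN_GATEWAY), ("disconnected", "198.51.100.7"),
                       ("connected", "198.51.100.7"), ("disconnected_in_house", "198.51.100.7")]:
        print(f"{state:22} -> {dst:14}: {decide(OUTBOUND_RULES, state, g, dst)}")
```

Run it and confirm the disconnected row shows only the gateway reachable; if a group "Allow any" rule sits below the "All Users" Block, the connected row will show Block, which is the ordering mistake this catches.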

the_rock
Legend

@KirillMuravyev Excellent...thanks for letting us know.

Andy
