Yip_KokFong
Participant

Firewall Policy VS Desktop Policy for Remote Access VPN user

Hi All,

From the console: "The Desktop Policy is defined in the Desktop Policy Rule Base. This policy is installed on Security Management servers and downloaded by remote access clients when a site update is performed. Once downloaded, this policy determines access control on client machines."

If I implement Remote Access VPN, should I enable the Desktop Policy, or will just the firewall policy be enough for defining rules for VPN users? Or do both need to be defined?

Any advice on this?

Thank you.

7 Replies
G_W_Albrecht
Legend

The Desktop Policy for Remote Access VPN users handles the personal firewall of the used PC - Clients enforce the Desktop Policy to accept, encrypt, or drop connections based on the Source, Destination, and Service. The Dashboards Access Policy is the firewall policy for the site behind the gateway and its local users. Also, access to the site for Remote Access VPN users is ruled here.

This is explained very deeply in Remote Access VPN Administration Guide R80.20 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Oscar_Figueruel
Participant

Hello team,

We need to export the desktop policy rules; however, following SK 120342, we are not able to export them.

Exporting Check Point configuration from Security Management Server into readable format using "Show...

Could you please let me know how we can export them?

Thank you in advance

Oscar

G_W_Albrecht
Legend

The Desktop Policy is usually very, very simple and a screenshot should contain all the needed information! You can configure the Desktop policy only in legacy SmartDashboard...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Oscar_Figueruel
Participant

We have more than 100 desktop policy rules in our company, a very, very large company, so a screenshot does not work :'(

I have raised an SR to Check Point, but I am very concerned that it's not possible to export the desktop policy rules in an automated way with the show package tool 😞

G_W_Albrecht
Legend

Desktop Policy is only used with the Stand-Alone RA VPN client - if you need more than 100 desktop policy rules you should rather deploy EPS clients and use EPSS for Management.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Tobias_Moritz
Advisor

A quick & dirty way would be to grab the desktop_policy.ini file from a VPN client's program directory (it must have connected at least once to download the current desktop policy from your platform). You will find the desktop policy rules in a readable form in that file.

Other option, without the need for a client:

Get the content of the desktop policy by querying your management server by CPMI asking for object Policies->slp_polices->$your_policy_name.

You can do this by (gui)dbedit for example.

There may be a better way than these two options, but I'm not aware of any.

Oscar_Figueruel
Participant

Thanks so much Tobias and G_W,

I liked your proposal a lot. I had a look at GuiDBEdit, but unfortunately the desktop policies are not there, and it is also very difficult to export them in a readable format.

I will go further with the VPN Client option, which is more feasible; will see what the outcome is.

Thanks so much for your suggestions!

BTW: We raised a ticket to Check Point TAC and Diamond and the response was: there is no option to export the desktop policies, so thanks again.
