This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oskar_Svedman
Participant
‎2020-01-15 12:45 PM

How to control traffic from remote offices

Hi, I need some tips/recommendations how to control access from remote offices.

Today one main headquarter with all servers behind with two 3200.

20 small remote offices using 730 SMB firewalls with VPN to the 3200.


I want to control so only Windows AD joined computers have full access through the vpn tunnel.
All other devices should have limited access, for example printers, thin clients etc.

I can see 3 different approaches:

1. Control the vpn traffic in the 3200 firewall with user awareness.

2. Control the vpn traffic in the 730 firewalls (I think they also have user awareness with an Active Directory connection)

3. Setup 802.1x wired authentication in all remote switches and control the traffice with different vlans.

What would you do and why?

0 Kudos
5 Replies
Maarten_Sjouw
Champion
Champion
‎2020-01-15 02:08 PM

I would setup Identity awareness and use AD groups to allow your servers' access, this way you keep it simple, when you're not part of the group you cannot access the servers. Do not overcomplicate it by adding IA on all remote devices. only on the central gateways you need to add the access roles. All local IP's that need access can be allowed by IP.
Regards, Maarten
0 Kudos
Oskar_Svedman
Participant
‎2020-01-16 05:13 AM
In response to Maarten_Sjouw

Hi Maarten,

Ok so If I enable Identity Awareness on the 3200 firewall and configure Active Directory as an Identity source it can control the vpn traffic that is initiated from a domain-joined computer in the remote office?
I thought it only could control traffic initiated from behind the 3200 firewall.
If it is correct then it is a simple good solution.

Do I need Identity Agens on every remote computers or will it work with clientless Activie Directory queries? 

Thanks

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-16 05:34 AM
In response to Oskar_Svedman

Oskar,

The VPN should not have the box 'allow all traffic' ticked (Wire Mode)
The 3200 needs to be looking at all traffic passing through it. When this is correctly set the 3200 will check all traffic and you should be ok.
Regards, Maarten
0 Kudos
mdjmcnally
Advisor
‎2020-01-16 06:30 AM
In response to Maarten_Sjouw

Just to expand on this then as you are looking at using Active Directory joined machines then after  setting up the IA Collectors then make sure that in the Access Roles that you create that not only do you specify Users but also specify Machines.

The Default Machines setting is Any Machine.  If want to enforce AD joined machines then make sure that use the

Specific machines/groups 

rather then

Any Machine.

That way the machine must be part of the group(s) that add so would have to be AD joined.

So would be controlling to users over the VPN to specific resources and would have to be from specific machines.

 

0 Kudos
Oskar_Svedman
Participant
‎2020-01-16 08:05 AM
In response to mdjmcnally

Thanks

But do I need to deploy the Identity Agent och every computer?

0 Kudos