MiniNinja
Collaborator

Compliance check for Remote Access VPN client

Good afternoon.
I have a 6700 cluster running R81.20 and a virtual SMS.
An unlimited Mobile Access license has been purchased for remote access and a blade is enabled.
In addition, the IPsec blade is enabled.
Using E87.50_Check Point VPN.msi, I installed the Remote Access VPN client on Windows 10.
I would like to set up a policy compliance check before connecting, for example: antivirus is installed and enabled, Windows updates are installed, etc.


In the cluster properties, I went to Mobile Access - Endpoint Compliance Settings and selected a policy for the test.
As far as I can see, you can set up a policy through SmartDashboard.
But it worked, and when I connect in the client, I see that Compliance is disabled.


After reading the documentation, I could not find the answer, but I found SCV, for which:
1) in Global Properties - Remote Access, you must enable the "Apply Secure Configuration Verification on Simplified mode Firewall Policies" option;
2) add at least one policy with the Remote Access community;
3) add a Desktop policy.
It is clear that you can manually create a large configuration file yourself, but then what are the Endpoint Compliance Settings for, and at what point (under what conditions) do they apply? After all, it is much more convenient to create a policy via Endpoint Compliance Settings.

I have not worked in this direction before, so I ask for help.

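The SCV route the post describes ends in a hand-written local.scv, and the two mistakes that bite in practice are a check that is defined under SCVNames but never listed under SCVPolicy (it is silently never enforced) and a policy that fails the check but still lets the client connect because block_connections_on_unverified is left at false. Below is an added example, not code from the post or from Check Point: a small parser for the SCV file syntax (Check Point's parenthesised ":key (value)" notation) plus a consistency check that flags those two problems. The sample file is constructed here; the plug-in names (WindowsSecurityMonitor, OSMonitor, AntiVirusMonitor) and the SCVGlobalParams keys follow the Remote Access VPN admin guide as I remember it and should be checked against your release's guide before use.

```python
"""Parse a Check Point-style local.scv file and report inert or toothless checks.

Added example for the thread above; the file format is Check Point's, the
parser and the sanity checks are mine, and the sample file is constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    """One parenthesised element: an optional leading atom plus ':key (value)' pairs."""
    name: str | None = None
    attrs: list[tuple[str, Node]] = field(default_factory=list)

    def get(self, key: str) -> list[Node]:
        return [v for k, v in self.attrs if k == key]

    def leaf(self) -> str | None:
        """Scalar value such as (true) or ("text"); None if this is a compound node."""
        return self.name if not self.attrs else None


# whitespace | ( | ) | : | "quoted string" | bare atom
TOKEN = re.compile(r'\s+|(\()|(\))|(:)|"((?:[^"\\]|\\.)*)"|([^\s():"]+)')


def tokenize(text: str):
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        if m.group(1) or m.group(2) or m.group(3):
            yield (m.group(0), None)            # punctuation token
        elif m.group(4) is not None or m.group(5):
            yield ("atom", m.group(4) if m.group(4) is not None else m.group(5))
        # whitespace: skipped


class Parser:
    def __init__(self, text: str):
        self.toks = list(tokenize(text))
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind: str | None = None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'token'}, got {tok}")
        self.i += 1
        return tok

    def node(self) -> Node:
        """Node := '(' [atom] { ':' [key] Node } ')'   -- ': (X ...)' has an empty key."""
        self.take("(")
        n = Node()
        if self.peek()[0] == "atom":
            n.name = self.take()[1]
        while self.peek()[0] == ":":
            self.take(":")
            key = self.take()[1] if self.peek()[0] == "atom" else ""
            n.attrs.append((key, self.node()))
        self.take(")")
        return n


def check_scv(text: str) -> dict:
    """Return the enforced checks, the defined checks and a list of problems."""
    root = Parser(text).node()
    if root.name != "SCVObject":
        raise ValueError("root element must be SCVObject")

    def section(key: str) -> Node:
        found = root.get(key)
        if len(found) != 1:
            raise ValueError(f"expected exactly one {key} section, found {len(found)}")
        return found[0]

    defined = {n.name for _, n in section("SCVNames").attrs}
    enforced = [n.name for _, n in section("SCVPolicy").attrs]
    params = section("SCVGlobalParams")

    def flag(key: str) -> bool | None:          # None when the key is absent
        vals = [v.leaf() for v in params.get(key)]
        return vals[0] == "true" if vals else None

    problems = []
    for name in enforced:
        if name not in defined:
            problems.append(f"SCVPolicy enforces {name!r} but SCVNames does not define it")
    for name in sorted(defined - set(enforced)):
        problems.append(f"SCVNames defines {name!r} but SCVPolicy never lists it (check is inert)")
    if flag("block_connections_on_unverified") is not True:
        problems.append("block_connections_on_unverified is not true: a failing client is only warned and still connects")
    if flag("allow_non_scv_clients") is True:
        problems.append("allow_non_scv_clients is true: clients without SCV support bypass the policy")
    return {"enforced": enforced, "defined": sorted(defined), "problems": problems}


# Constructed sample with three deliberate mistakes (see the problems list).
SAMPLE_SCV = """
(SCVObject
  :SCVNames (
    : (WindowsSecurityMonitor
      :type (plugin)
      :parameters (
        :Signature ("")
        :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Windows Security Center reports a problem")
        :end (admin)
      )
    )
    : (OSMonitor :type (plugin))
  )
  :SCVPolicy (
    : (WindowsSecurityMonitor)
    : (AntiVirusMonitor)
  )
  :SCVGlobalParams (
    :enable_status_notifications (true)
    :status_notifications_timeout (10)
    :disconnect_when_not_verified (false)
    :block_connections_on_unverified (false)
    :scv_policy_timeout_hours (168)
    :allow_non_scv_clients (false)
  )
)
"""

# The same file with the mistakes corrected: every defined check is enforced and failures block.
FIXED_SCV = SAMPLE_SCV.replace(": (AntiVirusMonitor)", ": (OSMonitor)").replace(
    ":block_connections_on_unverified (false)", ":block_connections_on_unverified (true)")

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_SCV), ("fixed", FIXED_SCV)):
        r = check_scv(cfg)
        print(f"{label}: enforced={r['enforced']}")
        for p in r["problems"]:
            print("  PROBLEM:", p)
```

Run it against your own file with `check_scv(open("local.scv").read())`; an empty problems list is the bar before pushing the policy, and the "only warned" finding is exactly why a client can show a green connection while a check is failing.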
9 Replies
the_rock
Legend

SCV is your answer, but I'm sure that will go away with all the posture features in Perimeter81.

Andy

MiniNinja
Collaborator

I do not understand how and under what conditions the Endpoint Compliance Settings work.

Do I need another VPN client?

cassiomaciel
Contributor

Hi @MiniNinja

Endpoint Security On Demand (ESOD) applies to the Mobile Access portal (SSL portal).

For Endpoint Security VPN you can use SCV or Endpoint Compliance rules; the latter requires you to enable some blades and needs specific licenses.

Cassio

MiniNinja
Collaborator

That's why I can't figure out what the conditions are; there is not enough description in the documentation, or it is not explicitly specified.

Well, or I'm too inexperienced 😞
I do not want to go the route of manual work with the legacy SCV functionality.

Do I just need to turn on the Policy Server blade or something else besides the license?
Do I need a Harmony Endpoint license?

the_rock
Legend

I would work with TAC on it. SCV can get a bit complicated, for sure.

Best,

Andy

cassiomaciel
Contributor

Hi,

This SK https://support.checkpoint.com/results/sk/sk67820 explains all types of remote access solutions.

I've never used the Endpoint Security Compliance blade, so maybe I'm wrong, but I think you must enable "Endpoint Policy Management" on the Security Management Server and create the rules using SmartEndpoint (EndpointManager.exe).

This SK https://support.checkpoint.com/results/sk/sk162635 has all the details about the Endpoint Security Compliance blade.

Also, you can read more about SmartEndpoint here:

https://sc1.checkpoint.com/documents/R81.10/SmartEndpoint_OLH/EN/Topics-EPSG-R81.10/Intro-to-Endpoin...

And about SCV here:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

Cassio

the_rock
Legend

What do you mean, another VPN client? It's simply a feature, if you will; no need for additional clients.

Andy

MiniNinja
Collaborator

If you open the page https://support.checkpoint.com/results/sk/sk181658 with the recommended version for Windows, you will see:
1) VPN Standalone Client: E87.50 Remote Access VPN Clients for Windows
and
2) Managed Client: E87.52 Endpoint Security Client for Windows OS - Dynamic package / E87.52 Endpoint Security Client for Windows OS - Initial Client

The second one is EPS; it has a different menu and, as far as I understand, different functionality. I installed the first one.

I can't figure out the setup steps; the documentation is extremely specific.

MiniNinja
Collaborator

As a result:
According to the article https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... I have configured certificate authorization (when available).

I had to correct the machine certificate template so that the Subject field was filled in correctly (as described in the documentation above), since the built-in template did not fit.
We must not forget about the IPsec repository and access to it from the Check Point side.
In addition, you need to add the subordinate certification authority as a subordinate CA, and the root CA for the subordinate as a trusted CA.
The certificate has a CRL distribution point for both LDAP and HTTP.
Probably because we have disabled AD Query, or for other reasons (there was no way to figure it out), a CRL error occurred, and we had to disable the CRL request via LDAP.

As for the policies:

It is important to emphasize that for Office Mode we use an LDAP group based on the Check Point remote access domain group.

Three roles have been created:
1) a VPN network range is selected, a Linux user group is specified (the set of users is limited and known), an SNX client, and a connection from any machine;
2) a VPN network range is selected, a group of remote access users is specified, and a group of domain machines is specified;
3) a VPN network range is selected, a group of remote access users is specified, and a connection from any machine is specified.

An example is in the attachment for a better understanding.
It remains to understand how to unambiguously distinguish Linux machines issued by the company from a Linux machine that a user or attacker brought with them.
