Joe_Kanaszka
Advisor

Disabling all traces of SSL VPN portal

Hey guys.  

 

Question.

We are going to undergo an external vuln scan & pen test in the next month and I'd like to make sure my gateway is as "clean" as can be.

I've recently turned off the SSL VPN portal by simply unticking the options under "VPN Clients" (Other) and Mobile Access (Web).

We are only using the Check Point Mobile IPsec client.

 

So now in my testing when I go to https://ipaddress of gateway/sslvpn or /admin or /dlp, I receive an error page that basically says:

Error (in red) - the service is no longer offered...With my old SSL VPN site banner on top of the page. 

No big deal I suppose but I'd like the user to just receive a "Not Found" page.

 

I found the option under "Mobile Access"  / "Portal Settings" that allows you to specify how the portal is accessible:

"Accessibility" / "The portal is accessible only through internal interfaces" - changed from "Through all interfaces"

 

Once I specify that the portal is only accessible through internal interfaces, now in my testing I see a "Not Found" page.

Of course this does not solve the issue if someone does an internal scan, then they'll see that error page again - again, not sure if I'm making a bigger deal out of this than is warranted.  There is no input allowed on the warning page.  There are no services offered in the portal.

FYI - I tried creating a SAM rule that blocks all external traffic to port 443 on the gateway but that broke my ability to create sites to the gateway via my Check Point Mobile client.  Existing sites worked fine - I just could not create new sites until the SAM rule was disabled.

Thoughts?

 

 

0 Kudos
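The manual check described in the post above (browsing to /sslvpn, /admin and /dlp on the gateway) written as a repeatable script, to be run once from outside and once from an internal host. This is an added example, not part of the original thread; the marker phrase, the verdict names and the function names are assumptions.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Paths the post tested by hand on the gateway.
PATHS = ["/sslvpn", "/admin", "/dlp"]
# Assumption: phrase taken from the post's description of the error page;
# adjust it to the exact wording your gateway returns.
PORTAL_MARKERS = ("no longer offered",)


def classify(status, body):
    """Classify one response: what would a scanner see at this path?"""
    text = body.lower()
    if any(marker in text for marker in PORTAL_MARKERS):
        return "portal-error-page"  # portal still answers, banner visible
    if status == 404:
        return "not-found"          # the result the post is aiming for
    return "other"                  # anything else needs a manual look


def fetch(host, path, timeout=5):
    """Return (status, body) for https://host/path, or (None, '') if unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # gateway is addressed by IP, as in the post
    ctx.verify_mode = ssl.CERT_NONE # only page content is inspected here
    try:
        with urllib.request.urlopen(f"https://{host}{path}",
                                    timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def audit(host, fetcher=fetch):
    """Return {path: verdict} for every path in PATHS."""
    results = {}
    for path in PATHS:
        status, body = fetcher(host, path)
        results[path] = "no-response" if status is None else classify(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for path, verdict in audit(sys.argv[1]).items():
            print(f"{path:10} {verdict}")
    else:
        print("usage: check_portal.py <gateway-ip>")
```

Any path reported as `portal-error-page` from a given vantage point is one where the old portal page is still being served to that network.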
7 Replies
the_rock
Legend

Is mobile access blade enabled?

Andy

0 Kudos
Joe_Kanaszka
Advisor

Afternoon Andy!  Apologies for the late response.  Yes.  We need it for Check Point Mobile client VPN access for WFH.

0 Kudos
the_rock
Legend

What does below look like?

Andy

 

Screenshot_1.png

0 Kudos
Joe_Kanaszka
Advisor

Just "Desktops / Laptops" is checked.

0 Kudos
the_rock
Legend

Is SNX greyed out but checked or is it unchecked?

Andy

0 Kudos
Joe_Kanaszka
Advisor

Screenshot 2025-02-03 160644.jpg

 

Unchecked

 

0 Kudos
the_rock
Legend

There was a recent post about this where someone else asked a very similar question. I believe @PhoneBoy responded saying that MAB had to be unchecked for this to work properly, but I could be mistaken. Let me see if I can find the link.

Andy

0 Kudos
