Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

RFE: Security rule VPN column needs an option for "Cleartext only"

This is the sort of thing I'd normally formally submit as an RFE, but perhaps posting in the community is a better way to get input from peers and Check Point.

The new R80.40 feature supporting an encryption domain per site-to-site VPN community was long overdue (I think I did a RFE for this ages ago) - but it's nice to finally have what Cisco  VPN match ACLs have provided for years... However, there's still an issue: security rules do not have an option for "Cleartext only".

Despite the best intentions, organisations struggle to have very tighly restricted security policies. VPN access can have unintended consequences where rules do not have a "Cleartext only" option - and VPN configuration for third parties can end up matching rules intended for some other purpose. While this could be avoided by placing all VPN access near the top of the policy and putting a per-VPN block rule at the end of each section, "Cleartext only" could help avoid this by ensuring VPN traffic can never match the rules.

Taking it a little further, provide a policy option for the default behaviour - either the current "Any" (cleartext and any VPN community) or "Cleartext only". This would prohibit any VPN access on new rules unless the rule is specifically configured for it. This may have some advantages with internal performance optimisation - the gateway would know which rules were eligible for VPN matching in advance.

0 Kudos
1 Reply
Highlighted
Admin
Admin

While we definitely appreciate the feedback here, it is also a good idea to discuss this with your local Check Point office.
They can get our Solution Center involved to help advocate for this feature as they did for the Encryption Domain Per Peer feature.

0 Kudos