Checkpoint Mobile Access Compliance vs SVC
Hello everyone. Apologies if this is a stupid question, but we've got a requirement to lock down our Remote Access VPN solution a little more than it currently is, by checking that a user's machine is a domain member, and maybe looking for an embedded file. I was originally looking at using SVC for this, but ran across the compliance piece of the Mobile Access blade while doing some reading. Are there any advantages/disadvantages from one to the other?
These are two different technologies, see sk67820:
- SCV is the legacy method for Win RA clients (Endpoint / VPN, SNX a.o.)
- Clientless Mobile Access Portal has its own Endpoint Security on Demand (ESOD)
To compare the configurable options you should consult the relevant admin guides.
There's also a third option: Endpoint Compliance.
However, this requires Harmony Endpoint licenses OR legacy CPEP-ACCESS licenses.
SCV will work with your existing Mobile Access license.
Keep in mind that using MAB for this purpose will require logging in via the MAB portal and require the deployment of Java on client machines.
Unless you're already doing this, it's probably better to stick with SCV or Endpoint Compliance.
I didn't realize that using the Mobile Access Blade for this posturing piece would require Java to be installed on client machines... this is a show stopper, since Java has recently been removed from all client machines due to security/licensing concerns.
When I look under my support portal on the Checkpoint site, I see that I've got enough Endpoint Total Security Package licenses to cover off all 2000 of my users. Would this license include the compliance piece I'm looking for?
Compliance Blade on Endpoint is included with all the modern Endpoint SKUs (even basic level).
Hey folks. Struggling to get this working. We've got an open call with TAC, but they also seem to be confused on exactly how it works. Compliance will report the machine as not being compliant, but won't take any action. Our Endpoint server is different than our firewall management server (that manages the VPN gateways), and I'll admit, I'm confused on exactly how these two talk to each other. Any real world guides on how these integrate?
All clients are running Endpoint Security, no need for any other method of connecting.
The only real "integration" relates to licenses (some of which needs to occur on the gateway) and Remote Access VPN.
If you expect actions to be taken based on compliance results, you need to configure remediation actions and/or a Restricted policy.
Refer to: https://support.checkpoint.com/results/sk/sk162635
Does there need to be a remediation action? Currently the client is showing as out of compliance, but they've got full access to the network, and the action is set to Restrict. Is there a way to cut off access if the client isn't compliant?
Did you configure a Restricted State policy at all?
This is described under the "Configuring Compliance States Enforcement" heading of the SK I previously linked.
The Compliance blade doesn't seem to have the option to be Restricted...only Connected or Disconnected. This seems to be confirmed when I attempt to create the rule;
The following Policies can have different configurations for Restricted state:
- Firewall
- Access Zones
- Application Control
- Media Encryption & Port Protection
