This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cdooer
Participant
‎2023-04-20 07:51 AM

Checkpoint Mobile Access Compliance vs SVC

Hello everyone. Apologies if this is a stupid question, but we've got a requirement to lock down our Remote Access VPN solution a little more than it currently is, by checking that a users machine is a domain member, and maybe looking for an embedded file. I was originally looking at using SVC for this, but ran across the compliance piece of the Mobile Access blade while doing some reading. Are there any advantages/disadvantages from one to the other?

 

0 Kudos
9 Replies
G_W_Albrecht
Legend
Legend
‎2023-04-20 08:05 AM

These are two different technologies, see sk67820:

- SCV is the legacy method for Win RA clients (Endpoint / VPN, SNX a.o.)

- Clientless Mobile Acces Portal has its own Endpoint Security on Demand (ESOD)

To compare the configurable options you should consult the relevant admin guides.

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-21 01:27 PM

There's also a third option: Endpoint Compliance.
However, this requires Harmony Endpoint licenses OR legacy CPEP-ACCESS licenses.
SCV will work with your existing Mobile Access license. 

Keep in mind that using MAB for this purpose will require logging in via the MAB portal and require the deployment of Java on client machines.
Unless you're already doing this, it's probably better to stick with SCV or Endpoint Compliance.

0 Kudos
cdooer
Participant
‎2023-04-25 07:58 AM
In response to PhoneBoy

I didn't realize that using the Mobile Access Blade for this posturing piece would require java to be installed on client machines...this is a show stopper, since java has recently been removed from all client machines due to security/licensing concerns. 

When I look under my support portal on the Checkpoint site, I see that I've got enough Endpoint Total Security Package licenses to cover off all 2000 of my users. Would this license include the compliance piece I'm looking for?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-25 12:06 PM
In response to cdooer

Compliance Blade on Endpoint is included with all the modern Endpoint SKUs (even basic level).

0 Kudos
cdooer
Participant
‎2023-07-10 02:46 PM
In response to PhoneBoy

Hey folks. Struggling to get this working. We've got an open call with TAC, but they also seem to be confused on exactly how it works. Compliance will report the machine as not being compliant, but won't take any action. Our Endpoint server is different than our firewall management server (that manages the VPN gateways), and I'll admit, I'm confused on exactly how these two talk to each other. Any real world guides on how these integrate?

All clients are running Endpoint Security, no need for any other method of connecting.  

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-10 03:55 PM
In response to cdooer

The only real "integration" relates to licenses (some of which needs to occur on the gateway) and Remote Access VPN.
If you expect actions to be taken based on compliance results, you need to configure remediation actions and/or a Restricted policy.
Refer to: https://support.checkpoint.com/results/sk/sk162635 

0 Kudos
cdooer
Participant
‎2023-07-18 09:25 AM
In response to PhoneBoy

Does there need to be a remediation action? Currently the client is showing as out of compliance, but they've got full access to the network, and the action is set to Restrict. Is there a way to cut off access if the client isn't compliant?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-18 01:55 PM
In response to cdooer

Did you configure a Restricted State policy at all?
This is described under the "Configuring Compliance States Enforcement" heading of the SK I previously linked.

0 Kudos
cdooer
Participant
‎2023-07-18 02:28 PM
In response to PhoneBoy

The Compliance blade doesn't seem to have the option to be Restricted...only Connected or Disconnected. This seems to be confirmed when I attempt to create the rule;

The following Policies can have different configurations for Restricted state:

  • Firewall
  • Access Zones
  • Application Control
  • Media Encryption & Port Protection 
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events