This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ajax
Explorer
‎2024-12-17 09:13 AM

Compliance blade Endpoint security client

Hi all!

I try to configure Compliance Policy for remote access VPN clients (endpoint security) in my LAB network, and have some troubles with this. My lab: Checkpoint Cluster 81.10 , JHF take 170

I create Compliance policy, where define, for what users this policy must work. In this policy i check Antivirus (McAffee for test), and set Action "Restrict" , if client machine don't have Antivirus McAffee.

Ok, after that i create endpoint client package, deploy it to client machine, install, and try to check, how it's work.

But.. It's not work..

What i have now:

Endpoint Client connect to CP by VPN (it's work!)

Client had check for compliance (for enabled blades). After i see, that client not compliante, because don't have McAffee AV. And after 5 minutes (5 heartbeat * 60 seconds), client change state to Restricted.

But!

Client still has access to internal network!! And after 5 minutes and after 10 minutes and so on

Nobody change, the internal network remains available.

 

What i did incorrectly?

I check documectation , and found that (in Harmony Endpoint Administration guide https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...)

  • Restricted state rule is enforced when an endpoint computer is not in compliance with the enterprise security requirements. In this state, you usually choose to prevent users from accessing some, if not all, network resources. You can define a Restricted policy for only some of the Endpoint Security components

Where Compliance don't have Restricted actions.

Is this mean, that Restricted Action don't work for Compliance Rules??

I hope somebody can explain me, how it work..

Labels
Preview file
20 KB
Preview file
127 KB
Preview file
215 KB
Preview file
260 KB
Preview file
332 KB
0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2024-12-17 05:05 PM

I'd start here to understand how this works: https://support.checkpoint.com/results/sk/sk162635 

0 Kudos
ajax
Explorer
‎2024-12-19 03:33 AM
In response to PhoneBoy

Thank you for answer!

But, i read this sk, and still don't understand, why this function don't work?

My VPN-client now Restricted by compliance blade, but anyway has access to internal network through VPN (icmp and rdp as minimum). Why this access not blocked?!

0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-19 01:15 PM
In response to ajax

Have you configured any of the settings here?

image.png

0 Kudos
ajax
Explorer
‎2024-12-20 12:59 AM
In response to PhoneBoy

Option "Apply Secure Configuration Verification" is not enabled.

In my Compliance config , i use "VPN client verification process will use Endpoint Security Compliance" (not VPN SCV compliance), therefore i think that "Apply Secure Configuration Verification" don't needed. 

Or needed?

Preview file
18 KB
Preview file
37 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-20 01:29 PM
In response to ajax

I agree, that might not be the right place.
What policy do you have for Restricted?
This is where you define what your clients can do when they are in a Restricted state.

image.png

0 Kudos
ajax
Explorer
‎2024-12-20 02:30 PM
In response to PhoneBoy

Wow, i don't have Harmony Endpoint Server 😕

I have just CheckPoint 81.10 (JHF take 170) with Evaluate License and enabled blades:

On SMS:

Endpoint Policy Management

Compliance

On SG:

IPSEC VPN (with Policy Server)

Mobile Access

And i thoght this blades enough for deploying Harmony Endpoint Client to remote users and Compliance check..

I need Harmony Endpoint Server product additionally? Without him it's can't work?

Preview file
56 KB
Preview file
57 KB
Preview file
53 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-23 12:19 PM
In response to ajax

Because you are using an eval license AND enabled Endpoint Policy Management, you do, in fact, have Endpoint Management. 😉
Endpoint is managed with SmartEndpoint and/or a separate WebUI.
The screenshot I showed was from Infinity Portal, but I believe it's similar on the local WebUI.

Compliance checks can be done with one of two methods: 

Compliance (as configured on the Management object) has nothing to do with Endpoint or VPN.
See: https://support.checkpoint.com/results/sk/sk120256 

If your intention is not to have Harmony Endpoint management, then you should work with SCV, and the screenshot I provided above definitely applies.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events