- CheckMates
- :
- Products
- :
- Quantum
- :
- Remote Access VPN
- :
- Re: Compliance blade Endpoint security client
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compliance blade Endpoint security client
Hi all!
I try to configure Compliance Policy for remote access VPN clients (endpoint security) in my LAB network, and have some troubles with this. My lab: Checkpoint Cluster 81.10 , JHF take 170
I create Compliance policy, where define, for what users this policy must work. In this policy i check Antivirus (McAffee for test), and set Action "Restrict" , if client machine don't have Antivirus McAffee.
Ok, after that i create endpoint client package, deploy it to client machine, install, and try to check, how it's work.
But.. It's not work..
What i have now:
Endpoint Client connect to CP by VPN (it's work!)
Client had check for compliance (for enabled blades). After i see, that client not compliante, because don't have McAffee AV. And after 5 minutes (5 heartbeat * 60 seconds), client change state to Restricted.
But!
Client still has access to internal network!! And after 5 minutes and after 10 minutes and so on
Nobody change, the internal network remains available.
What i did incorrectly?
I check documectation , and found that (in Harmony Endpoint Administration guide https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...)
Restricted state rule is enforced when an endpoint computer is not in compliance with the enterprise security requirements. In this state, you usually choose to prevent users from accessing some, if not all, network resources. You can define a Restricted policy for only some of the Endpoint Security components
Where Compliance don't have Restricted actions.
Is this mean, that Restricted Action don't work for Compliance Rules??
I hope somebody can explain me, how it work..
- Labels:
-
Mobile Access Blade
-
Windows
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd start here to understand how this works: https://support.checkpoint.com/results/sk/sk162635
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for answer!
But, i read this sk, and still don't understand, why this function don't work?
My VPN-client now Restricted by compliance blade, but anyway has access to internal network through VPN (icmp and rdp as minimum). Why this access not blocked?!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you configured any of the settings here?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Option "Apply Secure Configuration Verification" is not enabled.
In my Compliance config , i use "VPN client verification process will use Endpoint Security Compliance" (not VPN SCV compliance), therefore i think that "Apply Secure Configuration Verification" don't needed.
Or needed?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree, that might not be the right place.
What policy do you have for Restricted?
This is where you define what your clients can do when they are in a Restricted state.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, i don't have Harmony Endpoint Server 😕
I have just CheckPoint 81.10 (JHF take 170) with Evaluate License and enabled blades:
On SMS:
Endpoint Policy Management
Compliance
On SG:
IPSEC VPN (with Policy Server)
Mobile Access
And i thoght this blades enough for deploying Harmony Endpoint Client to remote users and Compliance check..
I need Harmony Endpoint Server product additionally? Without him it's can't work?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because you are using an eval license AND enabled Endpoint Policy Management, you do, in fact, have Endpoint Management. 😉
Endpoint is managed with SmartEndpoint and/or a separate WebUI.
The screenshot I showed was from Infinity Portal, but I believe it's similar on the local WebUI.
Compliance checks can be done with one of two methods:
- Endpoint Compliance (requires Harmony Endpoint management, which must be licensed).
- SCV (does not require Harmony Endpoint, but requires crafting a local.csv file). See: https://support.checkpoint.com/results/sk/sk38702
Compliance (as configured on the Management object) has nothing to do with Endpoint or VPN.
See: https://support.checkpoint.com/results/sk/sk120256
If your intention is not to have Harmony Endpoint management, then you should work with SCV, and the screenshot I provided above definitely applies.