This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cristian_Rosa
Participant
‎2022-04-18 07:32 AM
Jump to solution

Connecting to Internal Network VPN/SSL Client

Hello guys,

How to prevent the user on the LAN internal network from connecting to the SSL VPN/Client itself. We come across this case, where the user should only be able to access an SSL VPN/Client when they are internal, not when they are internal.

I wouldn't want users to access our own SSL/Client VPN from the internal network.


Congrats,

Cristian Rosa

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2022-04-19 01:46 AM
In response to the_rock
Jump to solution

Yep - it is rather old and called Location Awareness:

SmartDashboard - go to Policy menu - click on Global Properties... - expand Remote Access - click on Endpoint Connect - in the Connectivity Settings section, refer to Network Location Awareness field - select Yes - click on Configure... button - enjoy the options...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

13 Replies
the_rock
Legend
Legend
‎2022-04-18 08:28 AM
Jump to solution

Im not real sure what you are trying to achieve here. You dont want user thats internal to be able to access VPN client??

0 Kudos
Cristian_Rosa
Participant
‎2022-04-18 10:27 AM
In response to the_rock
Jump to solution

 
 
 
 
 
 
 

240 / 5,000

 
 

 

Yes When the user is inside the internal network, he connects to the SSL VPN as if he were externally. Should this happen? Does Checkpoint accept this connection, even the user within the internal network? I wish it weren't possible.
 
 

 

 

0 Kudos
the_rock
Legend
Legend
‎2022-04-18 10:59 AM
In response to Cristian_Rosa
Jump to solution

You can restrict it, but there is no need to do this from internal. 

0 Kudos
Cristian_Rosa
Participant
‎2022-04-18 11:14 AM
In response to the_rock
Jump to solution

And how would I do?

Can you help me ?

Congrats,

Cristian Rosa

0 Kudos
skandshus
Advisor
Advisor
‎2022-04-18 11:16 AM
In response to Cristian_Rosa
Jump to solution

Dont you have the ability to select the interface its accesible from?

i got that on several things if you open the gateway properties

0 Kudos
Cristian_Rosa
Participant
‎2022-04-18 11:23 AM
In response to skandshus
Jump to solution

I don't know how to inform. I searched but couldn't find where to configure it.

0 Kudos
the_rock
Legend
Legend
‎2022-04-18 11:46 AM
In response to Cristian_Rosa
Jump to solution

Honestly, I never heard of a way to do this specifically from the firewall object itself or even global properties. There might be some way possible via gw file trac_client_1.ttm, but not 100% sure how. Maybe someone else will chime in and confirm for you. Personally, there would need to be some sort of mechanism that would recognize user being internal that would prevent them from even being able to connect, unless they come from external source.

0 Kudos
Cristian_Rosa
Participant
‎2022-04-18 12:01 PM
In response to the_rock
Jump to solution

Yes Exactly. I think this is the way I hadn't seen that happen yet.
 
 
 
 
0 Kudos
the_rock
Legend
Legend
‎2022-04-18 12:03 PM
In response to Cristian_Rosa
Jump to solution

Lets see if someone else may have an idea, Im also interested to see the suggestions/advice or if its even possible.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-04-19 01:46 AM
In response to the_rock
Jump to solution

Yep - it is rather old and called Location Awareness:

SmartDashboard - go to Policy menu - click on Global Properties... - expand Remote Access - click on Endpoint Connect - in the Connectivity Settings section, refer to Network Location Awareness field - select Yes - click on Configure... button - enjoy the options...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
‎2022-04-19 05:55 AM
In response to G_W_Albrecht
Jump to solution

Ah, yes, good point, totally forgot about that.

0 Kudos
Cristian_Rosa
Participant
‎2022-04-19 12:30 PM
In response to G_W_Albrecht
Jump to solution

Hello Abrecht,

Your help resolved my case.

Thanks a lot...


Cristian Rosa

CCSA

0 Kudos
Wolfgang
Authority
Authority
‎2022-04-18 11:10 PM
Jump to solution

@Cristian_Rosa you can disable the implied rule for MOB access if you switch your gateway object configuration "Accessibility" to "According to the Firewall policy"

Screenshot 2022-04-19 075749.png

With these setting you have to define access rules for access to the MobileAccessPortal like this one

Screenshot 2022-04-19 080211.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top