This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
akurtasanov
Participant
2 weeks ago

Desktop Security firewall policy in active state after Endpoint Client disconnected from server

Good day.

According to R81.20 Remote Access manual created SVC check with additional test desktop security firewall policy (just simple block outgoing traffic to 8.8.8.8).

SCV works perfectly but firewall policy always in active state even when there is no connection to VPN server.

How to enforce Endpoint client to disable firewall in disconnected state? I would not like to allow remote clients to decide for themselves when to turn off the firewall.

I know that Harmony has such functionality, but we use simple SCV.

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
2 weeks ago

You can configure a different policy for connected and disconnected using the Desktop Security features (not as part of SCV).
I don't believe you can disable the firewall entirely, but you can make the policy "any any" if you'd like: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

0 Kudos
akurtasanov
Participant
a week ago
In response to PhoneBoy

Added next:

:allow_ipv6 (
:gateway (allow_ipv6
:default (false)
)
)
:disconnected_in_house_fw_policy_enabled (
:gateway (disconnected_in_house_fw_policy_enabled
:default (true)
)
)
:disconnected_in_house_fw_policy_mode (
:gateway (disconnected_in_house_fw_policy_mode
:default (any_any_allow)
)
)

Installed policy

Nothing on client. After several tries Any Any Deny in Desktop Security rule still in active state after VPN disconnection.

0 Kudos
PhoneBoy
Admin
Admin
a week ago
In response to akurtasanov

Where did you put this configuration exactly?
These look like ttm settings, just want to confirm.

0 Kudos
akurtasanov
Participant
a week ago
In response to PhoneBoy

Yes in trac_client_1.ttm.

0 Kudos
akurtasanov
Participant
a week ago
In response to PhoneBoy

There are errors in the official documentation:

1) any_any_allow - is wrong. In sk75221 there is no  any_any_allow  in disconnected_in_house_fw_policy_mode section. Only all_allow instead off  any_any_allow

2) Even with enabled right all_allow option "Any - Any - Allow" will not be enforced. Enforced will be first "Any User@Any" with block or allow action.

3) With enabled Location Awareness for desktop firewall is much better to use "Any - Any - Encrypt" default implied rules for inbound and outbound connections + encrypt_to_allow in disconnected_in_house_fw_policy_mode section in ttm file.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events