This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ob1lan
Collaborator
‎2021-06-01 04:53 AM
Jump to solution

Enable device posture assessment to connect RA VPN

Hi,

Our management came with a new requirement : to be able to do device posture assessment/healthcheck before allowing to connect our Remote VPN gateways.

I'm a bit confused about the licenses needed for this, what needs to be configured on the gateways, and what client software is needed.

Currently, we use Endpoint Security VPN Standalone, and our VPN gateways are installed with R80.30. 

Here is what I see on the licenses details for one of our gateway:

Screenshot 2021-06-01 at 13.50.59.png

Basically we would like to avoid devices without certain OS patches, certificate installed, etc... to connect our network. Also, would be great to allow policies to be applied to AD groups.

Could someone advise on that, is there a guide somewhere ?

Thanks in advance !

EDIT : we have both Windows and MacOS clients, and would like to have the same kind of security checks features for both OS.

 
 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-06-01 07:59 AM
In response to Ob1lan
Jump to solution

SCV currently does not support Mac, correct.
This will require the use of Endpoint Compliance (and Endpoint Management).

Endpoint Management can be acquired a couple different ways:

  • It's included in modern management SKUs (just needs to be enabled)
  • If you want to run on a separate system from your network management, it requires a separate license
  • If you purchase(d) SBA or Harmony SKUs, Cloud-based management is included

View solution in original post

7 Replies
Ruan_Kotze
Advisor
‎2021-06-01 05:41 AM
Jump to solution

Check Point calls this Secure Configuration Verification (SCV).

The whitepaper linked here is a pretty good starting point.  There is also sk147416 which contains a wealth of information and examples.

Lastly - I wrote a blog post with step-by-step examples on how to do simple SCV (domain membership check) using only the standalone VPN client and a Check Point gateway.

Hope it helps,
Ruan

Ob1lan
Collaborator
‎2021-06-01 07:12 AM
In response to Ruan_Kotze
Jump to solution

Thanks, I'll consider those ressources carefully. Something I missed in my original request is we have both Windows clients and MacOS clients. I believe SCV only works for Windows ? How to handle same level of security checks for MacOS clients ?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-01 06:49 AM
Jump to solution

SCV as described by @Ruan_Kotze is one option, which is supported with Mobile Access licenses.
The other option is Endpoint Compliance, which requires either an ACCESS license or one of the Harmony Endpoint/SBA SKUs.
This offers a bit more granularity and also supports Mac clients.
It requires using Endpoint Management

Ob1lan
Collaborator
‎2021-06-01 07:00 AM
In response to PhoneBoy
Jump to solution

Thanks a lot. So SCV doesn't support MacOS at all ? Also, Endpoint Management is something I need to install in the CMA or a standalone instance ? I'll check what license level we have and what can be done. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-01 07:59 AM
In response to Ob1lan
Jump to solution

SCV currently does not support Mac, correct.
This will require the use of Endpoint Compliance (and Endpoint Management).

Endpoint Management can be acquired a couple different ways:

  • It's included in modern management SKUs (just needs to be enabled)
  • If you want to run on a separate system from your network management, it requires a separate license
  • If you purchase(d) SBA or Harmony SKUs, Cloud-based management is included
Ob1lan
Collaborator
‎2021-06-01 08:03 AM
In response to PhoneBoy
Jump to solution

Ok got it. Then I'll have a look at Endpoint Compliance.

So for the licensing model, does that mean we can enable that on our SMS recently upgraded to R81 ? Or does the sentence 'modern management SKU' refers to something else. 

If it can be enabled on our Management appliance, is that recommended ? Or is it preferable to have it separated ? Do you have any requirement that would allow us to determine if our appliance is sized appropriately to host Endpoint Management ?

Thanks !

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-01 08:14 AM
In response to Ob1lan
Jump to solution

The output of cplic print on your management can determine if you're licensed for Endpoint Management or not.
In terms of sizing, it will obviously require more memory to also run Endpoint Management.
However, given you'd be using it only for Endpoint Compliance, the overall impact should be minimal.
If you're using other Endpoint Management features, I'd separate them. 

Your Check Point SE should be able to provide more specific guidance for your situation.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events