Ob1lan
Contributor

Enable device posture assessment to connect RA VPN


Hi,

Our management came with a new requirement: to be able to do device posture assessment/health checks before allowing connections to our Remote Access VPN gateways.

I'm a bit confused about the licenses needed for this, what needs to be configured on the gateways, and what client software is needed.

Currently, we use Endpoint Security VPN Standalone, and our VPN gateways are installed with R80.30. 

Here is what I see in the license details for one of our gateways:

[Screenshot of the gateway license details, image not reproduced]

Basically, we would like to prevent devices without certain OS patches, certificates installed, etc. from connecting to our network. Also, it would be great to allow policies to be applied to AD groups.

Could someone advise on that? Is there a guide somewhere?

Thanks in advance!

EDIT: we have both Windows and macOS clients, and would like to have the same kind of security check features for both OSes.


7 Replies
Ruan_Kotze
Advisor

Check Point calls this Secure Configuration Verification (SCV).

The whitepaper linked here is a pretty good starting point.  There is also sk147416 which contains a wealth of information and examples.

Lastly - I wrote a blog post with step-by-step examples on how to do simple SCV (domain membership check) using only the standalone VPN client and a Check Point gateway.

Hope it helps,
Ruan
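To make the SCV approach concrete, here is an added example of an SCV policy file. It is not taken from the blog post, the whitepaper or sk147416, and it is not a Check Point sample: it is a `local.scv` that does the domain-membership check Ruan mentions plus a minimum Windows build check, both through the RegMonitor plugin. The domain name `corp.example.com`, the build number `19043` and the mismatch message are assumed values to replace with your own; registry paths are relative to HKEY_LOCAL_MACHINE. The file format has no comment syntax I would rely on, so the assumptions are stated here rather than inline.

```text
(SCVObject
    :SCVNames (
        : (user_policy_scv
            :type (plugin)
            :parameters (
            )
        )
        : (RegMonitor
            :type (plugin)
            :parameters (
                :string ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain=corp.example.com")
                :value ("SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild>=19043")
                :begin_admin (admin)
                :send_log (alert)
                :mismatchmessage ("This device is not joined to corp.example.com or is missing required Windows updates. Please contact the helpdesk before connecting.")
                :end (admin)
            )
        )
    )
    :SCVPolicy (
        : (RegMonitor)
    )
    :SCVGlobalParams (
        :enable_status_notifications (true)
        :status_notifications_timeout (10)
        :disconnect_when_not_verified (true)
        :block_connections_on_unverified (true)
        :scv_policy_timeout_hours (24)
        :enforce_ip_forwarding (false)
        :not_verified_script ("")
        :not_verified_script_run_show (false)
        :not_verified_script_run_admin (false)
        :not_verified_script_run_always (false)
        :allow_non_scv_clients (false)
    )
)
```

The file lives at $FWDIR/conf/local.scv on the Security Management Server; SCV is switched on under Global Properties > Remote Access > Secure Configuration Verification (SCV), and the policy is installed on the gateways so the clients download it on their next connection. The `:string` line is an exact match on a REG_SZ value and the `:value` line is a numeric comparison, so the two checks cover the "domain member" and "minimum patch level" requirements from the original question. Two caveats a practitioner should keep in mind: the checks are evaluated by the VPN client and reported to the gateway, so a registry string is a configuration check rather than proof of domain membership; and with `allow_non_scv_clients (false)` any client that cannot report SCV status (which, as the thread notes, includes the macOS client) is blocked rather than exempted, so decide deliberately whether that is the behaviour you want.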

Ob1lan
Contributor

Thanks, I'll consider those resources carefully. Something I missed in my original request is that we have both Windows clients and macOS clients. I believe SCV only works for Windows? How do we handle the same level of security checks for macOS clients?

PhoneBoy
Admin

SCV as described by @Ruan_Kotze is one option, which is supported with Mobile Access licenses.
The other option is Endpoint Compliance, which requires either an ACCESS license or one of the Harmony Endpoint/SBA SKUs.
This offers a bit more granularity and also supports Mac clients.
It requires using Endpoint Management.

Ob1lan
Contributor

Thanks a lot. So SCV doesn't support macOS at all? Also, is Endpoint Management something I need to install in the CMA or on a standalone instance? I'll check what license level we have and what can be done.

PhoneBoy
Admin

SCV currently does not support Mac, correct.
This will require the use of Endpoint Compliance (and Endpoint Management).

Endpoint Management can be acquired a couple different ways:

  • It's included in modern management SKUs (just needs to be enabled)
  • If you want to run on a separate system from your network management, it requires a separate license
  • If you purchase(d) SBA or Harmony SKUs, Cloud-based management is included

(Accepted solution)

Ob1lan
Contributor

Ok got it. Then I'll have a look at Endpoint Compliance.

So for the licensing model, does that mean we can enable that on our SMS, which was recently upgraded to R81? Or does the phrase 'modern management SKU' refer to something else?

If it can be enabled on our Management appliance, is that recommended? Or is it preferable to have it separated? Do you have any requirements that would allow us to determine whether our appliance is sized appropriately to host Endpoint Management?

Thanks!

PhoneBoy
Admin

The output of cplic print on your management can determine if you're licensed for Endpoint Management or not.
In terms of sizing, it will obviously require more memory to also run Endpoint Management.
However, given you'd be using it only for Endpoint Compliance, the overall impact should be minimal.
If you're using other Endpoint Management features, I'd separate them. 

Your Check Point SE should be able to provide more specific guidance for your situation.