Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Advisor

Endpoint Connect VPN Compliance and scanning for Spyware

Hi there,

I wanted to enable basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office mode users and not SNX.

I guess and per my understanding, I don't need to have any licenses since I already have purchased 50 user Endpoint VPN/office mode licenses. So, by enabling "Scan Endpoint for spyware and compliance" in Global properties -> Remote Access -> Endpoint Connect and defining policies should suffice my need.

Or do I need to activate any other settings to make these settings enforce for the users?

Please confirm.

 

TIA

Blason R

0 Kudos
27 Replies
PhoneBoy
Admin
Admin

I believe that should suffice here.
However, that will only work if the endpoints have the full Endpoint client installed (as opposed to Check Point Mobile or SecuRemote).
0 Kudos
the_rock
Authority
Authority

@PhoneBoy ..just wondering, I dont see that global property option in R81 mgmt server. Was it removed by design and if so, is there another place where it can be configured?

 

0 Kudos
PhoneBoy
Admin
Admin

It's been removed, but likely for good reason.

What pops up when I click on the "Configure" button next to "Scan Endpoint for spyware and compliance" on R80.40 is Endpoint Security on Demand.
The documentation says ESOD is for SNX connections in particular, which makes sense since the other VPN clients have other ways to do posture checking (SCV or Endpoint Compliance).
And yes, if you want to use this compliance checking for SNX, you can configure it in Mobile Access.

SNX is tied to Mobile Access these days.
That said, we also support the use of SNX without Mobile Access and have a portal on the gateway where a client can activate SNX from.
I presume this has existed since the Connectra days. 

For both MAB and the classic SNX portal, deployment of SNX/ESOD requires a browser plugin (Java or ActiveX), both of which have been deprecated by the various browser makers. 
In Mobile Access, we created a new deployment agent that doesn't require plugins, but still requires Java on the client.
That's described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
This is integrated into the product from R80.40 onward.

The classic SNX portal still uses the old deployment methodology, and from what I can tell, there are no plans to update it.
Which basically means: that property is not terribly useful, which is likely why that particular Global Property was removed. 

Bottom line: if you want to do client posture checking, you have three options:

  • SCV (supported in Check Point Mobile and Endpoint Security VPN)
  • Endpoint Compliances (supported in Endpoint Security VPN)
  • Endpoint Security on Demand (supported with SNX and Mobile Access Blade)
0 Kudos
the_rock
Authority
Authority

Thanks D. What do you recommend in this case for sandblast/endpoint VPN? Global property for SCV? That would apply in this case? If so, I dont see any option there for scanning before connecting to vpn. Anyway, we opened official tac case to get an answer on it!

0 Kudos
PhoneBoy
Admin
Admin

The answer is "it depends."
Endpoint Compliance works on Windows and Mac but requires a full Endpoint license (SBA/Harmony/legacy ACCESS license).
SCV works on Windows clients only (I believe Mac is planned) but also works on Check Point Mobile.
In both cases, it will allow connection, but if you're not compliant, you can be blocked from accessing all but specific resources (i.e. for Remediation purposes).

0 Kudos
the_rock
Authority
Authority

So for SCV, can it be used for sandblast, as well as endpoint VPN clients?

0 Kudos
PhoneBoy
Admin
Admin

Yes, assuming that client includes Remote Access.
The actual SCV rules are stored on the gateway itself (local.scv).
Which means the SCV checks can't be executed until the client is actually connected to the gateway via Remote Access.

Endpoint Compliance can operate independently of being connected to the gateway via Remote Access.

0 Kudos
the_rock
Authority
Authority

I will have to look into it, as I cant recall now if that endpoint compliance is actual fw blade or just global property check.

0 Kudos
PhoneBoy
Admin
Admin

Endpoint Compliance is a separate Endpoint blade.

0 Kudos
the_rock
Authority
Authority

I guess thats probably enabled on endpoint side, as I dont see it anywhere on the fw...

0 Kudos
the_rock
Authority
Authority

Hey phoneboy,

Forgot to ask, does SCV apply at all to sandblast agents (harmony endpoint)?

 

0 Kudos
PhoneBoy
Admin
Admin

It can, yes.

0 Kudos
the_rock
Authority
Authority

Any idea if endpoint compliance blade is same as ESOD?

0 Kudos
PhoneBoy
Admin
Admin

ESOD is part of Mobile Access Blade.
It is different from Endpoint Compliance, though they serve similar functions.

0 Kudos
the_rock
Authority
Authority

Ok, so mobile access blade needs to be on for esod to function?

0 Kudos
PhoneBoy
Admin
Admin

Yes and you must connect via the MAB portal for it to be activated.
Java is also required.

0 Kudos
the_rock
Authority
Authority

K thank you. We will have to think if that might be right option for customer that wants compliance checks done (similar to SCV) on vpn clients who dont work for their company. Are you saying that MAB portal activation is one time thing or is connecting to it always needed once activated?

0 Kudos
PhoneBoy
Admin
Admin

I think you would need to log in via MAB each time.
This also implies using SNX.

Lesther_Reyes
Participant

To use mobile access compliance, you need to enter via web sslvpn only. In other words, you cannot apply a compliance policy or Secure WorkSpace with the VPN client for Windows.

0 Kudos
Lesther_Reyes
Participant

In you enter on global properties/Remote Access/Endpoint Connect:

This feature only apply for CheckPoint GO Clients.

I have tested it by activating it for EndPoint Security and Mobile Client for windows and it does not work.

0 Kudos
PhoneBoy
Admin
Admin

There is a separate Compliance framework for Endpoint VPN clients managed by an Endpoint Security Server.
That does require appropriate licensing
0 Kudos
Blason_R
Advisor

Hello,

So to clear the confusion - ESOD for mobile access blade will not work for Endpoint Client? And then there is a separate solution for Endpoint Client to maintain the compliance? Can I know what that solutions is? so that we can evaluate in our lab?

 

TIA 

Blason R

 

0 Kudos
PhoneBoy
Admin
Admin

Yes, ESOD is for Mobile Access Blade and NOT for Endpoint Client.
The Endpoint version of this is called Compliance Blade.
You can read about it here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Blason_R
Advisor

Oh! This is EPM, so to achieve we need to have EPM licenses as well for Endpoint VPN clients connecting from home using office mode?

 

0 Kudos
PhoneBoy
Admin
Admin

Correct.
The other option is to use SCV which can be distributed from the Security Gateway but uses a different mechanism.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Myx
Participant

What exactly is the difference between these two options and what would you recommend for which scenario?

0 Kudos
Lesther_Reyes
Participant

But ESOD Mobile is only for mobile ssl web not for client windows.

  • Client-based - Client application installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.
  • Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
  • On demand client - Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.
0 Kudos