This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2024-05-13 07:52 AM

Geo VPN blocking

Hey boys and girls,

Happy Monday 🙂

Figured would share this, though Im sure some of you may already know, but since there were lots of posts about it and even TAC guy told me people constantly ask, here is way to actually do geo VPN remote access blocking.

What you need to do is below.

First, change kernel parameter to 1 on the fw itself as per below sk:

HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in Logs & Monitor (chec...

You can leave portal setting per all interfaces or according to policy (custom port can be there for web UI)

Screenshot_1.png

 

 Then, you create a rule. In my case, since it hated me to test using NORDvpn service on my home laptop to connect from another country, I simply created a rule for Canada (which is where I live) to block access to fw on port 80 and 443. This stopped me from even creating the vpn site when policy was pushed.

Screenshot_2.png

If any questions, let me know, happy to test. Once you disable/delete the rule I pointed out, and apply policy, site creation will work as normal. Just to point out, in case anyone might be wondering, port 443 is key here, as thats what is needed for clients to connect, see below post about it.

https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-access-without-visitor-mode-enabled/td-...

Best,

Andy

(2)
5 Replies
PhoneBoy
Admin
Admin
‎2024-06-07 02:19 PM

The question is if it will work AFTER the VPN site is created...

0 Kudos
the_rock
Legend
Legend
‎2024-06-07 02:31 PM
In response to PhoneBoy

It did, I tested that too 🙂

PointOfChecking
Collaborator
3 weeks ago

Hi,

Does the sk105740 apply for remote access clients via the client application as well, or just for the MAB / browser VPN?

 

Thanks.

 

 

 

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to PointOfChecking

Yes, it applies to RA clients.

Andy

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to PointOfChecking

I also tested this in R82 lab, works the same way, no issues.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 20 May 2025 @ 11:30 AM (PDT)

    Las Vegas: Check Point Hybrid Mesh
    In-Person

    Wed 21 May 2025 @ 11:30 AM (MST)

    Tempe, AZ: Check Point Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events