This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NhatKha
Contributor
‎2024-10-01 05:41 AM

How to Block all Remote Access from outside | Only allow a few IP-Public of device

Hello everyone,

 

Is it possible to block *any source to access/create a site in Remote Access VPN? I'm only wanting to allow some source/device from outside (src: IP-Public) can remote access.

I'm create a stealth rule, block all source access to external ip of Gateway:

Screenshot 2024-10-01 192347.png

now from my computer I can't ping/ssh to gateway, but still access webUI (443) and remote access to Gateway successfully.

Screenshot 2024-10-01 193815.png

Is there other rule that I miss? Please help me.

Purpose: only allow some devices to connect to remote access vpn (whitelist using IP-Public of device)

 

Thank you so much and have a great day!

Best regards,

Kha

 

 
0 Kudos
5 Replies
Madmaks
Contributor
‎2024-10-01 06:39 AM

I'm curious about this too. You can specify this on a country basis on one of other firewall vendor. For example, you can tell me to only connect via VPN from China.

I think it is related Implied Rules

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-01 07:04 AM

There are two elements of Implied Rules here:

0 Kudos
NhatKha
Contributor
‎2024-10-02 09:57 PM
In response to PhoneBoy

Hello PhoneBoy,

I'm follow the sk105740: set according to the Firewall policy (SmartConsole > Platform Portal > Accessibility > Edit), now I can control access WebUI on port 443 with Access Rule.

But for the Remote Access VPN, it didn't affect, I tried with rule: block *any source to external IP -> still remote access successfully.

For The actual VPN connection (starts with IKE on UDP 500). Short of hacking .def files: I didn't find any sk, document related, can you explain more about it, please?

Thanks & Best regards,

Kha

 
0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-03 06:08 AM
In response to NhatKha

I had copy/pasted the wrong link above.
Should be: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396
Now fixed in the original post also.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-10-03 01:39 AM

Three ways to achive this:

- Why not define RA VPN using certificates only ?

- use IA Roles in Access Rule so only a few can connect to the network

- use Legacy SecuRemote client without Office Mode that needs the source IP used in the rule base

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events