NhatKha
Contributor

How to Block all Remote Access from outside | Only allow a few IP-Public of device

Hello everyone,


Is it possible to block *any source from accessing/creating a site in Remote Access VPN? I only want to allow some sources/devices from outside (src: IP-Public) to remote access.

I created a stealth rule blocking all source access to the external IP of the gateway:

(screenshot: Screenshot 2024-10-01 192347.png)

Now from my computer I can't ping/SSH to the gateway, but I can still access the WebUI (443) and remote access to the gateway successfully.

(screenshot: Screenshot 2024-10-01 193815.png)

Is there another rule that I missed? Please help me.

Purpose: only allow some devices to connect to the remote access VPN (whitelist using the IP-Public of the device).


Thank you so much and have a great day!

Best regards,

Kha
0 Kudos
5 Replies
Madmaks
Contributor

I'm curious about this too. You can specify this on a country basis with another firewall vendor. For example, you can tell it to only allow VPN connections from China.

I think it is related to Implied Rules.

0 Kudos
PhoneBoy
Admin

There are two elements of Implied Rules here:

0 Kudos
NhatKha
Contributor

Hello PhoneBoy,

I followed sk105740: set according to the Firewall policy (SmartConsole > Platform Portal > Accessibility > Edit), and now I can control access to the WebUI on port 443 with an Access Rule.

But for the Remote Access VPN it had no effect; I tried the rule: block *any source to external IP -> remote access still succeeds.

For "The actual VPN connection (starts with IKE on UDP 500). Short of hacking .def files": I didn't find any sk or document related to it; can you explain more about it, please?

Thanks & Best regards,

Kha

0 Kudos
PhoneBoy
Admin

I had copy/pasted the wrong link above.
Should be: https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396
Now fixed in the original post also.

0 Kudos
G_W_Albrecht
Legend

Three ways to achieve this:

- Why not define RA VPN using certificates only?

- Use IA Roles in the Access Rule so only a few can connect to the network.

- Use the Legacy SecuRemote client without Office Mode, which needs the source IP used in the rule base.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos