This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ob1lan
Collaborator
‎2021-09-23 02:00 AM

Remote VPN to disconnect after 15 minutes

Hi,

We have this new requirement from the management : we need our VPN clients to disconnect after 15 minutes of inactivity. We have both Windows and MacOS clients, using the standalone VPN clients.

I search and found some sk106952, explaining that we could edit the $FWDIR/conf/trac_client_1.ttm file. However, the values I find on the files from my gateways are different from those explained in the SK and other documentation (sk75221).

What I have in my file:

:neo_disconnect_when_idle (
                        :gateway (endpoint_vpn_disconnect_when_idle
                                :default (client_decide)
                        )
                )
:neo_disconnect_when_idle_timeout (
                        :gateway (endpoint_vpn_disconnect_when_idle_timeout
                                :default (client_decide)
                        )
                )

 

So, which value shall I edit to make our management happy ? 🙂

Thanks in advance.

Regards.

0 Kudos
13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-09-23 05:11 AM

This is for Endpoint Connect Version R71, R73 only - For higher versions refer to: sk75221 - Remote Access TTM Configuration

I would suggest to open a TAC ticket...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ob1lan
Collaborator
‎2021-09-23 05:17 AM
In response to G_W_Albrecht

Hi, thanks. That's the SK I refer too in my OP, but this doesn't contain the entries I have in my file, namely 

neo_disconnect_when_idle
and
neo_disconnect_when_idle_timeout

 

If possible I'd like to avoid going for a TAC, as it takes an awful lot of time for us to do so (we have to go first with our partner, and have them create a TAC for us). 

Thanks

G_W_Albrecht
Legend Legend
Legend
‎2021-09-23 05:34 AM
In response to Ob1lan

Opening a TAC case thru a CCSP takes around 20 minutes !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ob1lan
Collaborator
‎2021-09-23 05:36 AM
In response to G_W_Albrecht

🙂 As I said, I'm not entitled to do that, we have to go through our partner/reseller, as the account is under their management, not ours. 

the_rock
Legend
Legend
‎2021-09-23 05:48 AM

There is super easy solution to this, no need for TAC case brother : ). Just follow below link and look for section I pasted. I had 4 customers do this, never a problem. Dont even bother touching trac_client_1.ttm file, no need at all, just leave it as is.

https://dl3.checkpoint.com/paid/81/814f1e719db5a506a2fdd052dcc0eab9/CP_E80.50_RemoteAccessClients_fo...

 

To configure tunnel idleness:
1. Connect to the Security Management Server with GuiDBedit.
2. Open the Global Properties > properties > firewall_properties object.
3. Find disconnect_on_idle and these parameters:
 do_not_check_idleness_on_icmp_packets
 do_not_check_idleness_on_these_services - Enter the port numbers for the services that
you want to ignore when idleness is checked.
 enable_disconnect_on_idle - to enable the feature
 idle_timeout_in_minutes
4. Save and install the policy.

Ob1lan
Collaborator
‎2021-09-23 01:07 PM
In response to the_rock

Hi @the_rock , thanks a lot for your answer ! I'm going to test that tonight !

What would you recommend for those parameters ?

 do_not_check_idleness_on_icmp_packets
 do_not_check_idleness_on_these_services - Enter the port numbers for the services that
you want to ignore when idleness is checked.

Thanks a lot !

0 Kudos
the_rock
Legend
Legend
‎2021-09-23 01:18 PM
In response to Ob1lan

I never touched those...just leave them as is, though if user is tech savvy enough, they can just run continuous ping to google dns and keep the tunnel up for as long as its set in global properties. Just make sure you set to try where it says enable_disconnect_on_idle and then set minutes, push policy and thats it.

 

Keep us posted.

Andy

Ob1lan
Collaborator
‎2021-09-23 02:28 PM
In response to the_rock

So I've tested it, but after 30 minutes the client is still connected. In the FW logs I see usual traffic like DNS, AD, NTP, Kerberos, etc... This happened while the laptop had no use activity, no browser open, no Slack, Teams, everything closed but the VPN client...

So shall I fine-tune something ? Or is there an easiest solution to achieve my goal ?

Thanks.

0 Kudos
the_rock
Legend
Legend
‎2021-09-23 02:33 PM
In response to Ob1lan

Not 100% sure, but I never had to change anything to make this work. I will say though it was a bit flaky with 2 customers for the first 1-2 weeks, but after that it worked fine. Can you send screenshot of changes you made in guidbedit?

Andy

Ob1lan
Collaborator
‎2021-09-23 02:37 PM
In response to the_rock

Thanks, will keep testing. Here are the settings:

Screenshot 2021-09-23 at 23.36.08.png

0 Kudos
the_rock
Legend
Legend
‎2021-09-23 02:38 PM
In response to Ob1lan

That looks right. As long as you installed policy after this, thats all you really need.

Ob1lan
Collaborator
‎2021-09-23 02:45 PM
In response to the_rock

Yup, installed on both our VPN gateways. Let's hope this will end-up working.

Thanks anyway 🙂

Regards

0 Kudos
the_rock
Legend
Legend
‎2021-09-23 02:47 PM
In response to Ob1lan

Im positive it will...sadly, as you probably know, some things need time and this is one of them : - )

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top