Hi - It was just a new R80.30 install we did recently allowed me to download the site information into Endpoint Security client purely by pointing at the gateway address - no auth or anything. I used to be very familiar with Check Point from 3.0b through to R65 (CCSE) but I've had a few years away before re-joining the fold at R80 - this is the first time I have come across this since coming back.
In the past, once you had site information downloaded, it was then very simple to determine the partial internal network topology from the client's userc.c file (or whatever it was). I remember you also had the option of encrypting the users.c file to provide a degree of protection, but you also had the ability to provide authentication before topology download and hence taking away the potential of unauthorised/unauthenticated discovery in the first place.
I'm guessing things in local config files are a little more protected since the days of 4.0 but the fact that VPN site information can be set up without auth potentially gives an attacker the additional opportunity to try (for instance) brute force? Not sure if I'm thinking along the right lines here but it seemed to me having the ability to switch off "Respond to unauthenticated topology requests" was a good idea. Maybe it's mitigated in a different way now - what do you think?