This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
Authority
Authority
‎2024-10-08 05:04 AM

temporary disable remote access

For a migration test we are looking for a way to disable quick and temporary remote access on a gateway and get it back enable as fast as possible.

We are using the Endpoint VPN client only to connect to the gateway, no SNX. 

Blocking access to the gateway for NAT-T and HTTPs with a firewall in front of the gateway does work. But we have some site2site VPNs using NAT-T and they are blocked, which we not want.

Removing the gateway from the remote access community is a solutions but this has to much impact of the configuration, we don't want.

Any other ways to disable or block or anything else like stopping a service to disable the remote access temporary?

 

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-10-08 05:23 AM

I do not think so - looking through https://support.checkpoint.com/results/sk/sk97638 all possibilities to stop processes for RA VPN will also affect S2S VPN...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Alex-
Leader Leader
Leader
‎2024-10-08 05:27 AM

You could add a top layer with the office mode network allowed by default and blocked when you need it, followed by any/any/accept to your main layer.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-08 12:51 PM

HTTPS isn't needed for S2S VPN so it can be safely blocked.
If you have remote VPN peers with fixed IPs, you can block NAT-T from other hosts (temporarily) to effectively "disable" Remote Access using fwaccel dos commands.

0 Kudos
Wolfgang
Authority
Authority
‎2024-10-10 12:19 AM
In response to PhoneBoy

Just to inform....blocking HTTPS from any to our RemoteAccess-gateway via the firewall-gateway in front does the job. No need to block NAT-T.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events