This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jamesdean-1
Participant
‎2025-06-10 07:13 PM
Jump to solution

SASE determine user location

Hi guys, this is a 101 question - how does SASE determine of the user is in the office or elsewhere?

We are having repeated issues of users getting a message "no internet connection" whilst in the office, the wireless logs say they are still connected, I suspect SASE is failing the in the office test maybe due to latency/loss or wifi roaming,  then connecting itself, which is not going to work in the office and break their Internet.

 

Is there any way I can confirm this? I presume it tries to access the local DNS server. When the users are in the office I see constant attempts to an unknown DNS server which is blocked, is the check a reverse check perhaps, ie if I can see this Ip then they are not in the office?

 

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-06-11 12:44 PM
In response to the_rock
Jump to solution

That's the end user side.
The Infinity Portal side is where you can configure when the "Always-on VPN" terminates because it is in a trusted environment.
It is looking for (and you can configure):

  • A trusted web server only accessible when on-premise (specify the CA of this server)
  • Router MAC address

image.png

View solution in original post

the_rock
MVP Gold
MVP Gold
‎2025-06-11 02:07 PM
In response to the_rock
Jump to solution

Nm, got it. Went to chat and guy was super helpful, told me right away 🙂

Under users -> user profiles

Andy

Best,
Andy

View solution in original post

Preview file
115 KB
0 Kudos
12 Replies
the_rock
MVP Gold
MVP Gold
‎2025-06-10 07:31 PM
Jump to solution

I can check in our lab tomorrow, but Im fairly sure it goes with combination of posture check/ZTNA and there is also setting on the agent for wi-fi, but cant recall exactly what...will check on the agent. It might be also related to geolocation setting as well.

Andy

Best,
Andy
0 Kudos
jamesdean-1
Participant
‎2025-06-10 07:58 PM
In response to the_rock
Jump to solution

Appreciated thanks!

the_rock
MVP Gold
MVP Gold
‎2025-06-10 08:10 PM
In response to jamesdean-1
Jump to solution

Of course!

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-11 08:03 AM
In response to jamesdean-1
Jump to solution

How is attached set up?

Andy

 

Best,
Andy
Preview file
45 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-11 12:44 PM
In response to the_rock
Jump to solution

That's the end user side.
The Infinity Portal side is where you can configure when the "Always-on VPN" terminates because it is in a trusted environment.
It is looking for (and you can configure):

  • A trusted web server only accessible when on-premise (specify the CA of this server)
  • Router MAC address

image.png

the_rock
MVP Gold
MVP Gold
‎2025-06-11 12:50 PM
In response to PhoneBoy
Jump to solution

Ah, since I dont have access to that, I was trying to find it on perimeter81.com site portal, but dont see where : - (

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-11 02:07 PM
In response to the_rock
Jump to solution

Nm, got it. Went to chat and guy was super helpful, told me right away 🙂

Under users -> user profiles

Andy

Best,
Andy
Preview file
115 KB
0 Kudos
jamesdean-1
Participant
‎2025-06-12 05:07 PM
In response to PhoneBoy
Jump to solution

that's great thank you both,

 

Confirmed we have trusted environment enable and the router mac address is correctly specified.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-12 05:15 PM
In response to jamesdean-1
Jump to solution

Sounds like you are all set. If you need anything else tested, let us know. I have access to our company lab environment, but can check any other settings in live client's environment as well.

If it helps, below is some info I gathered from the lab my colleague and I did recently.

https://community.checkpoint.com/t5/SASE/Harmony-SASE-lab-doc/m-p/244114

Andy

Best,
Andy
0 Kudos
Gustavo_Ferreir
Contributor
‎2025-06-13 10:56 AM
In response to jamesdean-1
Jump to solution

Here, the option to use the router's MAC address didn't work very well. On the other hand, the Trusted Web Server option is working perfectly. However, I had to open a support ticket, and they sent me a version (11.6) of the agent that isn't available for download on the portal — at least not in my workspace.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-13 11:00 AM
In response to Gustavo_Ferreir
Jump to solution

Are you referring to what I attached?

Andy

Best,
Andy
Preview file
85 KB
PhoneBoy
Admin
Admin
‎2025-06-13 01:27 PM
In response to Gustavo_Ferreir
Jump to solution

I believe the Router MAC can only be detected if it's on the same L2 network as the end user.
A Trusted Web Server seems more likely to work in more situations.

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events