This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bsorgi
Explorer
‎2020-02-25 02:41 PM

Restrict laptop access on site to site vpn

Hi All-

I’m wondering if any of you could help me with the following. I’ve set up a site to site vpn between a checkpoint 14xx to a checkpoint 15xx located at the business owners home. He doesn’t want to have to go through the process of using endpoint protection software on his work laptop to connect into the corporate network. From his home location, I only want his work laptop to be able to traverse the site to site vpn for obvious security  reasons. I’ve tried tinkering around with the GUI options and can’t seem to figure out how to get this to work.

My thought process / what I tried was assigning the laptop a static IP or dhcp reservation and basing a rule on that, but couldn’t seem to get a rule to work properly on either side. 

Any suggestions/ guidance would be most appreciated. I feel like I’m missing something obvious or maybe some simple tweaking in the cli could sort this out. 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-02-25 03:14 PM

Redacted screenshots of exactly what you tried to configure would be helpful.
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-02-25 08:32 PM
In response to PhoneBoy

I believe you need to use VTI for this. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-02-26 07:55 AM

This does only work if the main GW (or both) is (are) centrally managed - see sk107641: Configure "Route All Traffic" from locally managed SMB appliances to a centrally managed g... for details!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
John_Fleming
Advisor
‎2020-02-26 11:30 AM

This is a good case for captive portal if you're using a management server. It wouldn't limit access to just a laptop per say but what it would do is make it so anyone on the remote network would have to authenticate to the firewall in order to gain access to the corp network. Captival portal with Access Roles are pretty granular. You can say allow access to this without auth but require for that.

This way the door isn't always open, but if the right user requests access then they are allowed through.

 

Now if you aren't using a management server there is something called User Awareness which is kind of similar. You basically say in order to access some remote resource you have to auth to the firewall. Only problem is all access to that destination will require auth meaning you CAN'T (type-o fixed) pick and chose what does and doesn't require auth.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events