This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2024-12-05 11:55 AM
Jump to solution

Preventing older vpn clients from connecting to CP gateway

Hey guys,

Just wondering about this and wanted to clarify something. Customer was asking about option on the gateway, vpn clients -> authentication -> allow older clients to connect to this gateway.

Now, when we check it, it shows its referring to actual legacy VPN (standalone clients) and NOT harmony endpoint. Their only auth option currently is user+password. 

Is there any confirmation anywhere what is LOWEST vpn client version that could connect if say this option was indeed enabled?

Also, is there any way to disable any legacy vpn client from actually connecting and ONLY allow harmony endpoint?

Thanks!

Andy

0 Kudos
3 Solutions

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2024-12-05 02:33 PM
In response to the_rock
Jump to solution

The version element is outlined in the SK I commented above, context is these settings / options

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/T...

CCSM R77/R80/ELITE

View solution in original post

(1)
Chris_Atkinson
Employee Employee
Employee
‎2024-12-05 04:38 PM
In response to the_rock
Jump to solution

There are different options available for this requirement:

1. VPN Clients option - Allows restricting some client types

RA Clients.jpg

2. Using SCV / Compliance Policies in particular the method enforceable via HEP.

(Note here their is a reliance on the Desktop Firewall / Desktop Policy allowing necessary comms to allow clients checks to occur per sk164861) 

3.  sk108892 - How to verify the integrity of Endpoint Remote Access VPN clients (Appendix 5)

4. Machine Cert Auth for further enhanced security.

CCSM R77/R80/ELITE

View solution in original post

Wolfgang
Authority
Authority
‎2024-12-06 12:26 AM
Jump to solution

@the_rock maybe you can try with restrictions via the access-role....

RemoteAccess_Clients.png

View solution in original post

9 Replies
the_rock
Legend
Legend
‎2024-12-05 12:15 PM
Jump to solution

For what its worth, this is an explanation from smart console about it.

Andy

 

Screenshot_1.png

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-12-05 01:28 PM
Jump to solution

If I remember correctly the setting is relevant to the client versions specified in sk111583.

With R82 forcing IKEv2 for remote access would have a similar effect for older client versions earlier than E88.40 aswell.

Similarity not all client types support SAML, so even without specific options you could achieve an outcome through these choices perhaps.

See also: Gateway Properties > Mobile Access > Allowed Clients 

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2024-12-05 02:23 PM
In response to Chris_Atkinson
Jump to solution

Hey Chris,

Thanks for the response. I think customer is simply wondering what is the LOWEST client version that could connect say if that option was enabled and 2nd, is there any way to prevent anyone who is NOT using harmony endpoint client to conect to the gateway?

 

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-12-05 02:33 PM
In response to the_rock
Jump to solution

The version element is outlined in the SK I commented above, context is these settings / options

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/T...

CCSM R77/R80/ELITE
(1)
the_rock
Legend
Legend
‎2024-12-05 02:36 PM
In response to Chris_Atkinson
Jump to solution

K thank you, I think that answers my 1st question. Now, for the 2nd one, any way to prevent anyone NOT using harmony endpoint client to connect?

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-12-05 04:38 PM
In response to the_rock
Jump to solution

There are different options available for this requirement:

1. VPN Clients option - Allows restricting some client types

RA Clients.jpg

2. Using SCV / Compliance Policies in particular the method enforceable via HEP.

(Note here their is a reliance on the Desktop Firewall / Desktop Policy allowing necessary comms to allow clients checks to occur per sk164861) 

3.  sk108892 - How to verify the integrity of Endpoint Remote Access VPN clients (Appendix 5)

4. Machine Cert Auth for further enhanced security.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2024-12-05 06:12 PM
In response to Chris_Atkinson
Jump to solution

Thanks Chris. So I know for option 1, I was thinking if that may actually work. Would that technically prevent anyone using legacy endpoint vpn from connecting and still allow people using harmony endpoint to connect?

Best,

Andy

0 Kudos
Wolfgang
Authority
Authority
‎2024-12-06 12:26 AM
Jump to solution

@the_rock maybe you can try with restrictions via the access-role....

RemoteAccess_Clients.png

the_rock
Legend
Legend
‎2024-12-06 04:31 AM
In response to Wolfgang
Jump to solution

Thanks @Wolfgang ! I just want to be sure that option you gave and option 1 @Chris_Atkinson provided would ineed stop ONLY legacu endpoint vpn from connecting and allow harmony endpoint. Let me see if my colleague I had been working with on this and I can test this in the lab to confirm.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events