temporary disable remote access
For a migration test, we are looking for a way to quickly and temporarily disable remote access on a gateway and re-enable it as fast as possible.
We are using the Endpoint VPN client only to connect to the gateway, no SNX.
Blocking access to the gateway for NAT-T and HTTPS with a firewall in front of the gateway does work. But we have some site2site VPNs using NAT-T and they are blocked, which we do not want.
Removing the gateway from the remote access community is a solution, but this has too much impact on the configuration, which we don't want.
Are there any other ways to disable or block it, or anything else like stopping a service, to disable remote access temporarily?
I do not think so - looking through https://support.checkpoint.com/results/sk/sk97638 all possibilities to stop processes for RA VPN will also affect S2S VPN...
You could add a top layer with the office mode network allowed by default and blocked when you need it, followed by any/any/accept to your main layer.
HTTPS isn't needed for S2S VPN so it can be safely blocked.
If you have remote VPN peers with fixed IPs, you can block NAT-T from other hosts (temporarily) to effectively "disable" Remote Access using fwaccel dos commands.
Just to inform: blocking HTTPS from any to our Remote Access gateway via the firewall gateway in front does the job. No need to block NAT-T.