
Mobile Access Blade Configuration and Settings

In This Section:

Interoperability with Other Software Blades

Concurrent Connections to the Gateway

Server Certificates

Web Data Compression

Using Mobile Access Clusters

Interoperability with Other Software Blades

The Mobile Access Software Blade is fully integrated with the other Software Blades. Any Security Gateway running on SecurePlatform or Gaia with the Firewall blade enabled can also have the Mobile Access blade enabled.

Most Network objects, Resources, and Users created in SmartDashboard also apply to Mobile Access and can be used when configuring Access to Applications. Similarly, any Network objects, Users and User Groups that you create or modify in Mobile Access appear in the SmartDashboard navigation tree and are usable in all of the SmartDashboard applications.

IPS Blade

When you enable Mobile Access on a Security Gateway, certain IPS Web Intelligence protections are activated. The settings of these protections are taken from a local file and are not connected to the IPS profile. These protections apply only to Mobile Access traffic, and they are active even if the Security Gateway does not have the IPS blade enabled.

Disabling Protections for Advanced Troubleshooting

You should only disable the Mobile Access Web Intelligence protections for advanced troubleshooting.

Important - We do not recommend that you deactivate these protections because of potential security risks to the Security Gateway while the protections are off.

To disable the local Web Intelligence protections:

  1. Backup the $CVPNDIR/conf/httpd.conf configuration file.
  2. Edit $CVPNDIR/conf/httpd.conf by deleting or commenting out this line:
    LoadModule wi_module /opt/CPcvpn-<current version>/lib/libModWI.so

    Where <current version> is the Check Point version installed. For example, R77.20.
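The two steps above, as an added example that is not part of the Check Point guide: a small POSIX shell script that takes a timestamped backup of httpd.conf, comments out (or later restores) the wi_module LoadModule line without touching any other line, and verifies the result before returning. It assumes $CVPNDIR is set in the gateway shell and that the line has the form shown in step 2; the function names and the backup naming scheme are the example's own, and restarting Mobile Access after the change is not covered here.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: toggle the local Web
# Intelligence (wi_module) line in $CVPNDIR/conf/httpd.conf with a backup.
# Assumptions: CVPNDIR is set on the gateway, and the line has the form
#   LoadModule wi_module /opt/CPcvpn-<version>/lib/libModWI.so
# Function names are the example's own. Restarting Mobile Access afterwards
# is out of scope here.

# Report enabled, disabled or absent for the wi_module LoadModule line.
wi_module_state() {
    if grep -q '^[[:space:]]*LoadModule[[:space:]][[:space:]]*wi_module[[:space:]]' "$1"; then
        echo enabled
    elif grep -q '^[[:space:]]*#[[:space:]]*LoadModule[[:space:]][[:space:]]*wi_module[[:space:]]' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Copy the file to <file>.<timestamp>[.N].bak before editing; print the path.
backup_conf() {
    bak="$1.$(date +%Y%m%d%H%M%S).bak"
    n=0
    while [ -e "$bak" ]; do
        n=$((n + 1))
        bak="$1.$(date +%Y%m%d%H%M%S).$n.bak"
    done
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Apply a sed expression ($1) to file ($2) through a temporary copy, then
# write the result back into the original file so owner and mode are kept.
rewrite_conf() {
    tmp_edit="$2.edit.$$"
    sed "$1" "$2" > "$tmp_edit" && cat "$tmp_edit" > "$2"
    rc=$?
    rm -f "$tmp_edit"
    return $rc
}

# Comment out the wi_module line (step 2 of the guide). Idempotent; fails if
# the line is absent so a wrong path does not silently "succeed".
disable_wi_module() {
    case "$(wi_module_state "$1")" in
        disabled) return 0 ;;
        absent)   echo "no wi_module LoadModule line in $1" >&2; return 1 ;;
    esac
    backup_conf "$1" > /dev/null || return 1
    rewrite_conf 's/^\([[:space:]]*\)LoadModule[[:space:]][[:space:]]*wi_module/\1#LoadModule wi_module/' "$1" || return 1
    [ "$(wi_module_state "$1")" = disabled ]
}

# Restore the line when troubleshooting is over.
enable_wi_module() {
    case "$(wi_module_state "$1")" in
        enabled) return 0 ;;
        absent)  echo "no wi_module LoadModule line in $1" >&2; return 1 ;;
    esac
    backup_conf "$1" > /dev/null || return 1
    rewrite_conf 's/^\([[:space:]]*\)#[[:space:]]*LoadModule[[:space:]][[:space:]]*wi_module/\1LoadModule wi_module/' "$1" || return 1
    [ "$(wi_module_state "$1")" = enabled ]
}

# Usage on the gateway: sh wi_toggle.sh disable | enable | state
case "${1:-}" in
    disable) disable_wi_module "${CVPNDIR:?CVPNDIR is not set}/conf/httpd.conf" ;;
    enable)  enable_wi_module  "${CVPNDIR:?CVPNDIR is not set}/conf/httpd.conf" ;;
    state)   wi_module_state   "${CVPNDIR:?CVPNDIR is not set}/conf/httpd.conf" ;;
esac
```

Run it as `sh wi_toggle.sh state` first to confirm the line is found before changing anything; `disable` and `enable` each leave a `.bak` copy of the file next to it, which is the backup the guide's step 1 asks for.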

Changing to an IPS Profile Configuration for Mobile Access

We recommend using the local IPS Web Intelligence protections that are automatically configured and activated when you enable the Mobile Access blade. If you want to use the IPS profile that you assign to the Security Gateway instead of the local file, make sure that certain crucial protections are active so that your Security Gateway stays secure.

To change to a Security Gateway IPS profile configuration for Mobile Access instead of the local configuration:

  1. Edit the IPS profile assigned to the Security Gateway to include all of the protections listed in IPS Protections Crucial for Mobile Access.
  2. From the CLI, run:

    cvpnd_settings set use_ws_local_configuration false

  3. When prompted, backup $CVPNDIR/conf/cvpnd.C
  4. Restart the Check Point processes: run cvpnstop, then cvpnstart.

    Note - If IPS is disabled, Mobile Access will use the local IPS configuration to ensure that the Security Gateway is protected. This is true regardless of the use_ws_local_configuration flag settings.

To switch back to the local, automatic IPS settings for Mobile Access:

  1. From the CLI, run:

    cvpnd_settings set use_ws_local_configuration true

  2. Restart the Check Point processes: run cvpnstop, then cvpnstart.

IPS Protections Crucial for Mobile Access

The protections listed below should always be active on Mobile Access traffic. They are included in the local IPS settings that are automatically activated when Mobile Access is enabled on a Security Gateway. Note that most, but not all, of them are included in the Recommended_Protection IPS profile: Cross-Site Scripting and Malicious Code Protector are not, so you must activate those explicitly if you switch to a profile-based configuration.

Protection Name              In Recommended_Protection Profile?
---------------------------  ----------------------------------
HTTP Format Sizes            yes
HTTP Methods                 yes
ASCII Only Request           yes
General HTTP Worm Catcher    yes
Directory Traversal          yes
Cross-Site Scripting         no
Command Injection            yes
Header Rejection             yes
Malicious Code Protector     no
Non Compliant HTTP           yes

Anti-Virus and Anti-Malware Blade

Certain Anti-Virus settings configured for a Security Gateway in the Traditional Anti-Virus > Security Gateway > HTTP page of the Threat Prevention tab also apply to Mobile Access traffic. To activate traditional Anti-Virus protection, enable the Traditional Anti-Virus on the Security Gateway.

These settings apply to Mobile Access traffic when Traditional Anti-Virus is configured to scan traffic By File Direction:

If Traditional Anti-Virus is configured to scan traffic By IPs, all portal traffic is scanned according to the settings defined for the Mail, FTP and HTTP protocols in SmartDashboard.

Mobile Access Anti-Virus protections always work in proactive mode regardless of which option you select.

Note - After SSL Network Extender traffic is rerouted to the Security Gateway, Anti-Virus inspects the traffic as it does to any other unencrypted traffic.

Enabling Traditional Anti-Virus

The Anti-Virus blade and Traditional Anti-Virus can each be activated on Security Gateways in your system.

Note - You cannot activate both the Anti-Virus blade and Traditional Anti-Virus on the same Security Gateway.

To configure traditional Anti-Virus:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Other > More Settings > Enable Traditional Anti-Virus.
  3. Click OK.
  4. Define rules in the Access Control Policy to allow the specified services. Anti-Virus scans only accepted traffic.
  5. From Anti-Bot and Anti-Virus tab > Traditional Anti-Virus, select the services to scan using these options:
    1. From the Database Update page, configure when to perform automatic signature updates or initiate a manual signature update.
    2. From the Security Gateway > Mail Protocol page, configure Anti-Virus scanning options for Mail Anti-Virus, Zero Hour Malware, SMTP, and POP3 services.
    3. From the Security Gateway > FTP page, configure FTP traffic scanning options.
    4. From the Security Gateway > HTTP page, configure HTTP traffic scanning options.
    5. From the Security Gateway > File Types page, configure the options to scan, block or pass traffic according to the file type and configure continuous download options.
    6. From the Security Gateway > Settings page, configure options for file handling and scan failures.

IPsec VPN Blade

The IPsec VPN blade and Mobile Access blade can be enabled on the same gateways. They can be used in parallel to enable optimal site to site and remote access VPN connectivity for your environment.

Certain VPN Clients that worked with Mobile Access in previous versions do not work with the Mobile Access blade on R71 and higher gateways. They only work with the IPsec VPN blade. These are:

SSL Network Extender works either with Mobile Access or with IPsec VPN, however, if the Mobile Access blade is enabled on a gateway, SSL Network Extender must be configured through Mobile Access. If you had SSL Network Extender configured through IPsec VPN and now you enabled the Mobile Access blade on the gateway, you must reconfigure SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security rule base are not active if the Mobile Access tab is enabled.

Office mode can be configured either with Mobile Access or with IPsec VPN.

Concurrent Connections to the Gateway

In the Gateway Properties > Optimization > Capacity Optimization section you can configure the maximum limit for concurrent connections.

Each user session through the Mobile Access blade creates more than one connection on the gateway: for example, one from the user to the gateway and another from the gateway to the internal server. In an environment with more than 1000 remote users, we therefore recommend that you increase the maximum number of concurrent connections.

For example: the default maximum is 25,000. If you have 2000 Mobile Access users, allow two connections per user (2 x 2000 = 4,000) and increase the maximum to 29,000.