Mobile Access and the Unified Access Policy
Overview of Mobile Access in the Unified Policy
When you include Mobile Access (the Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients; acronym: MAB) in the Unified Policy, you configure all rules related to the Mobile Access Portal, Capsule Workspace, and on-demand clients in the Access Control Policy.
In the Access Control Rule Base (all rules configured in a given Security Policy; synonym: Rulebase), you can configure rules that:
- Apply to all Mobile Access Security Gateways, or some of them.
- Apply to one or more Mobile Access clients, such as the Mobile Access Portal or Capsule Workspace.
Mobile Access features such as Protection Levels, Secure Workspace, and Endpoint Compliance also apply.
Note that when you use the Unified Access Policy, some Mobile Access features and settings are still configured in SmartDashboard (the legacy Check Point GUI client used to create and manage security settings in versions R77.30 and lower; in versions R80.X and higher it is still used to configure specific legacy settings) > Mobile Access tab.
Configuring Mobile Access in the Unified Policy
- You can include Mobile Access rules in Policy Layers and Inline Layers. You must enable Mobile Access on each Layer that contains rules (a rule is a set of traffic parameters and other conditions in a Rule Base, or Security Policy, that cause specified actions to be taken for a communication session) with Mobile Access applications. See the R81.20 Security Management Administration Guide for more about layers.
- To make a Mobile Access application show in the Mobile Access Portal or in Capsule Workspace, you must put the application in the Services & Applications column.
  - If you put Any in the Services & Applications column, the application does not show in the portal but it is allowed. You can open it from the Mobile Access Portal if you manually enter the URL, but not from Capsule Workspace. You can change this behavior. See sk112576 for details.
  - If you put an application's service, such as HTTPS, in the Services & Applications column, it does not match Mobile Access HTTPS applications.
- In the Services & Applications column, you must use Mobile Access Application objects in rules to match Mobile Access traffic. You can define these applications in:
  - SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on): Custom Application/Site > Mobile Application (see "Creating Mobile Applications for the Access Control Policy").
  - SmartDashboard > Mobile Access tab > define an application.
  Application objects defined for Application Control (the Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection; acronym: APPI), for example, are not supported in Mobile Access rules.
- When you enable Mobile Access on a Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources), the Security Gateway is automatically added to the RemoteAccess VPN Community. Include that Community in the VPN column of the rule, or use Any, to make the rule apply to Mobile Access Security Gateways. If the Security Gateway was removed from the VPN Community, the VPN column must contain Any.
- Use Access Roles as the Source or Destination for a rule to make the rule apply to specified users or networks. You can also use an Access Role to represent Mobile Access or other remote access. You must enable Identity Awareness (the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) on each Security Gateway that is an installation target for rules with Access Roles.
Creating Mobile Access Rules in the Unified Access Policy
Create Mobile Access rules in the Access Control Policy with these requirements:
Column | Value | Explanation
---|---|---
No | Make sure that the rule position is logical. | The order of rules in the Rule Base is important. The first rule that matches the traffic is enforced.
Name | All | We recommend that you use a descriptive name.
Source | Access Role | Create an Access Role that includes the Users, User Groups, or Mobile/Remote Access Client that the rule applies to. See "Access Roles for Remote Access".
Destination | The internal server on which the Mobile Access application is set. | Mobile Access Applications are defined in the Services & Applications column.
VPN | Any, or a Remote Access Community that includes the Mobile Access Security Gateway | When you enable the Mobile Access or IPsec Software Blade on a Security Gateway, the Security Gateway is automatically added to the default RemoteAccess VPN Community. (A Software Blade is a specific security solution, or module: on a Security Gateway, each Software Blade inspects specific characteristics of the traffic; on a Management Server, each Software Blade enables different management capabilities.) By default the community also contains a user group that contains all users. If you remove the Security Gateway from the VPN Community, you must select Any.
Services & Applications | Mobile Applications. Do not include applications or service objects that are not specified as Mobile Access. | To create a Mobile Application, go to Mobile Applications, select an application type, and define it. To select an existing Mobile Application, go to All > Mobile Applications and select one. Mobile Applications only show in the list if Mobile Access is enabled on the Layer.
Content | Any | Content Awareness (the Check Point Software Blade on a Security Gateway that provides data visibility and enforcement; acronym: CTNT) is not relevant for Mobile Access rules.
Action | Accept or Drop | Only Accept and Drop are supported. Reject is also supported but acts the same as Drop. You can also send all traffic that matches the rule to an Inline Layer (see "Best Practices with Layers").
Track | All log options | Right-click in the cell and select More > Extended log.
Install On | One or more Security Gateways | Each Security Gateway must have Mobile Access and Identity Awareness enabled and have Unified Access Policy selected as the Policy Source.
Mobile Access Applications in the Unified Access Policy
To use a Mobile Access application in the Unified Access Policy, you must define it as a Mobile Application in SmartConsole, or define it in SmartDashboard > Mobile Access tab.
Other application objects, such as URL Filtering applications (URL Filtering is the Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks; acronym: URLF), are not relevant for Mobile Access. For example: to authorize Facebook as a web application in Mobile Access, you must create a new Web Application and specify Facebook's URL. You cannot use the URL Filtering Facebook application, because it is not a Mobile Access object.
Creating Mobile Applications for the Access Control Policy
To create a Mobile Application object to use in the Access Control Policy:
- In SmartConsole, expand the Objects pane.
- Select New > More > Custom Application/Site > Mobile Application.
- Select a type of Mobile Application.
- Define the General Properties and Authorized Locations.
- Optional: Define more settings for the Application.
- Click OK.
Access Roles for Remote Access
Create a rule in the Access Control Rule Base that handles remote access connections:
- Go to Security Policies and right-click the cell in the VPN column.
- Select Specific VPN Communities.
- Choose the community and click .
- Close the VPN community window.
- Define the Services & Applications and Action columns.
- Install the policy.
Example: To allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:
Source | Destination | VPN | Service | Action | Track
---|---|---|---|---|---
Any | SMTP_SRV | Remote_Access_Community | SMTP | Accept | Log
Including Mobile Access in the Unified Policy
After you configure rules for Mobile Access in the Unified Access Policy, configure the Security Gateway to use the Unified Access Policy.
To make a Mobile Access Security Gateway use the Unified Access Policy:
- In SmartConsole, click Gateways & Servers and double-click the Mobile Access Security Gateway object.
- From the tree, select Mobile Access.
- In the Policy Source area, select Unified Access Policy.
- Click OK.
- Install policy.
Enabling Access Control Features on a Layer
To enable Mobile Access on an Ordered Layer:
- In SmartConsole, click Security Policies.
- Under Access Control, right-click Policy and select Edit Policy.
- Click options for the Layer.
- Click Edit Layer. The Layer Editor window opens and shows the General view.
- Select Mobile Access.
- Click OK.
To enable Mobile Access on an Inline Layer:
- In SmartConsole, click Security Policies.
- Select the Ordered Layer.
- In the parent rule of the Inline Layer, right-click the Action column and select Inline Layer > Edit Layer.
- Select Mobile Access.
- Click OK.
Best Practices for Mobile Access in the Unified Policy
When you include Mobile Access in the Unified Access Policy, these are some factors that you need to be aware of:
- How to use layers
- How the content of rules affects your policy
- How rule order can affect your policy
Best Practices with Layers
We recommend that you make an Inline Layer for Mobile Access rules, to easily manage the Mobile Access policy.
To use an Inline Layer for Mobile Access traffic effectively, define a parent rule in the main layer. The parent rule matches all Mobile Access traffic and sends the traffic to the Inline Layer. It requires an Access Role that includes all Mobile Access client types or traffic in the Source column.
When a rule contains Inline Layer in the Action column, an Inline Layer is automatically created below it and the rule becomes a parent rule.
To make a rule that sends all Mobile Access traffic to a Mobile Access Inline Layer:
- From the Source column of a rule in the Access Control Policy, create a new Access Role that includes all Mobile Access client types:
  - In the New Access Role window, click Remote Access Clients.
  - Select Specific Client and create a New > Allowed Client for all Mobile Access Portals or clients that are used in your environment. These can include: Capsule Workspace, Mobile Access Portal, ActiveSync, and SSL Network Extender.
- Make sure the VPN column contains Any or the RemoteAccess VPN Community that contains your Mobile Access Security Gateways.
- In the Action column, select Inline Layer > New Layer.
- In the Layer Editor:
  - Enter a name for the layer, such as Mobile Access Inline Layer.
  - In the Blades area, select Mobile Access.
  - Optional: To use this Mobile Access Inline Layer in multiple policies, in the Sharing area, click Multiple policies and rules can use this layer.
To configure rules in the Inline Layer:
- Click the Cleanup rule in the Inline Layer that was created automatically and then click the Add Rule Above icon.
- Configure rules for the Mobile Access policy as required. See "Creating Mobile Access Rules in the Unified Access Policy".
- Make sure that the Cleanup rule stays at the end of the layer and that the Action is Drop.
- Right-click in the Track cell and select More > Extended log.
Mobile Access with Ordered Layers
If you work with Ordered Layers, you can configure a Mobile Access Inline Layer in any Ordered Layer.
Make sure to create a bypass rule for Mobile Access traffic in all layers that come before the Mobile Access layer. For example, if your Mobile Access Inline Layer is in the third layer, you must create a bypass rule in the first and second Ordered Layers.
The bypass rule matches the Mobile Access traffic in the layer and allows the traffic. The traffic then moves to the next layer, until it gets to the Mobile Access Inline Layer.
To create a bypass rule, use the Access Role for all Mobile Access users in the Source column and Accept in the Action column.
Best Practices for Rules
- Do not use a Security Gateway as the Destination in a Mobile Access rule. The rules authorize a user's access to an internal resource. Use Any or the internal hosts of the relevant applications in the Destination column.
- Do not use Any in the Services & Applications column. To make an application show in the Mobile Access Portal or Capsule Workspace, it must be a Mobile Access application object that is used explicitly in the Rule Base. If you do use Any to represent all Mobile Access applications, configured Mobile Access applications are authorized, but they do not show in the portal or Capsule Workspace. Users can enter the URL of the App in the Address field of the Mobile Access Portal. To change the behavior when Any is used to represent Mobile Access applications, see sk112576.
Best Practices for Rule Order
In the Unified Access Policy, put Mobile Access rules that authorize applications above rules that contain a related service. For example, put a rule to allow a web application above a rule that allows or blocks HTTP/HTTPS. If the HTTP/HTTPS rule is first, the user will not see the Mobile Access Web application in the portal or in Capsule Workspace and will not be able to access it.
For example, this Rule Base allows Outlook Web Access (OWA), a web-based Mobile Access application. It also allows HTTPS traffic:
Correct way to allow the HTTPS service and also Mobile Access HTTPS applications:
Rule 2.1, that allows access to Mobile Access applications, including Outlook Web Access (OWA) on HTTPS, is above rule 3, which allows all HTTPS traffic.
If you put rule 3 to allow HTTPS above the Mobile Access rules, the user will not see the OWA Web application in the portal or in Capsule Workspace and will not be able to access it. To authorize a Mobile Access application, you must use a Mobile Access application in the Services & Applications column.
You can use HTTPS in the parent rule of the Mobile Access Inline Layer, but specify the Mobile Access application inside the Inline Layer. That way, the HTTPS traffic for OWA, for example, will match on the HTTPS parent rule, and will also match on the OWA App inside the Inline Layer.
Native Applications
In this scenario with a Native application:
- The Native application is in an Inline Layer in the rule base.
- The Native application configuration includes Any in the Authorized Locations tab.
Then the parent rule of the Inline Layer must include one of these in the Services & Applications column:
- Any service
- HTTPS service
- The Native Application
Mobile Access Behavior in the Rule Base
- In a policy with Policy Layers, for the traffic to be approved, it must be accepted in all layers. It is only authorized when accepted in the last layer. The policy keeps going to the next layer until the Mobile Access traffic is matched with a Drop rule or it is accepted in all layers.
- In Inline Layers, like in multi-layered policies, Mobile Access is matched on the parent rule and then on the inner rule inside the Inline Layer. The matched application for Mobile Access is taken from the last rule matched with a Mobile Access application. If the matched rule inside the Inline Layer has no Mobile Access application, the policy looks for a Mobile Access application in the parent rule of the Inline Layer.
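The matching behaviour above, together with the rule-order pitfall from "Best Practices for Rule Order", as an added example: this is a constructed model written for this page, not Check Point code, and the rule numbers, the MobileAccessUsers Access Role and the OWA application are assumed sample values.

```python
from dataclasses import dataclass
# Constructed model of the matching behaviour this page describes (Ordered Layers, Inline
# Layers, rule order); not Check Point code. An Inline Layer is a rule list used as an action.
@dataclass
class Rule:
    source: str            # Access Role name or "Any"
    service: str           # service name, Mobile Access application name, or "Any"
    ma_app: bool = False   # True when service names a Mobile Access application object
    action: object = "Accept"   # "Accept", "Drop", or a list of rules (Inline Layer)

def rule_matches(rule, role, service, app):
    if rule.source not in ("Any", role):
        return False
    return rule.service == "Any" or rule.service == (app if rule.ma_app else service)

def match_layer(rules, role, service, app, parent_app=None):
    """First match wins; returns (action, authorized Mobile Access application or None)."""
    for rule in rules:
        if not rule_matches(rule, role, service, app):
            continue
        # App is taken from the last matched rule with a Mobile Access application; an
        # inner rule without one falls back to the parent rule's application.
        matched_app = rule.service if rule.ma_app else parent_app
        if isinstance(rule.action, list):   # parent rule of an Inline Layer
            return match_layer(rule.action, role, service, app, matched_app)
        return rule.action, matched_app
    return "Drop", None                     # implicit cleanup rule

def evaluate(layers, role, service, app):
    """Accept only if every Ordered Layer accepts; the app shows only if it was authorized."""
    shown = None
    for rules in layers:
        action, matched_app = match_layer(rules, role, service, app)
        if action != "Accept":
            return "Drop", None
        shown = matched_app or shown
    return "Accept", shown

ROLE = "MobileAccessUsers"                                  # constructed Access Role
CLEANUP = Rule("Any", "Any", action="Drop")
owa = Rule(ROLE, "OWA", ma_app=True)                         # rule 2.1: Mobile Access app
parent = Rule(ROLE, "https", action=[owa, CLEANUP])          # rule 2: HTTPS in the parent
https_any = Rule("Any", "https")                             # rule 3: plain HTTPS service

def correct_order():   # Mobile Access rules above the plain HTTPS rule
    return evaluate([[parent, https_any]], ROLE, "https", "OWA")
def wrong_order():     # plain HTTPS rule first: traffic allowed, but OWA never authorized
    return evaluate([[https_any, parent]], ROLE, "https", "OWA")
def ordered_layers():  # bypass rule in layer 1 lets traffic reach the Inline Layer in layer 2
    return evaluate([[Rule(ROLE, "Any"), CLEANUP], [parent, https_any]], ROLE, "https", "OWA")
```

With the HTTPS rule first the traffic is still accepted, but no Mobile Access application is ever authorized, which is why OWA does not appear in the portal or Capsule Workspace.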
Limitations for Mobile Access in the Unified Policy
- Mobile Access cannot work with Content Awareness or URL Filtering. Do not use Content Awareness or URL Filtering objects in rules with Mobile Access.
- These limitations apply to Access Roles in Mobile Access rules in the Unified Access Policy:
  - In the Source column, Access Roles can include Networks, Users, and Remote Access Clients.
  - In the Destination column, Access Roles can include Networks and Users.
- The Native Applications Connect button always shows in the Mobile Access Portal when SSL Network Extender is enabled.
- If users do not meet the defined Protection Level requirements for an application, the application does not show for them. This is true in the Mobile Access Portal and Capsule Workspace. (In the Legacy Mobile Access policy, the applications show but are disabled.)
- If the Mobile Access Security Gateway was removed from the RemoteAccess VPN Community, the VPN column must contain Any.
- If you configure Unified Policy, you must include the authorized location (the range of IP addresses) for each application inside the encryption domain for remote access.
Note - The range of IP addresses for an application must not overlap with the range for another application. Users with access to the first application have access to other applications within the same range.
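An added check for the last requirement and the note above (not Check Point code; the application names, authorized locations and encryption domain below are constructed sample values): it flags authorized locations that fall outside the remote access encryption domain and pairs of applications whose ranges overlap.

```python
import ipaddress

# Constructed example: validate the Authorized Locations of Mobile Access applications
# against the remote access encryption domain and against each other. Not Check Point
# code; every name and range below is made up for illustration.
ENCRYPTION_DOMAIN = [ipaddress.ip_network("10.10.0.0/16")]   # constructed

APPLICATIONS = {                           # constructed authorized locations per application
    "OWA": ["10.10.1.0/24"],
    "Intranet": ["10.10.2.0/24"],
    "FileShare": ["10.10.1.128/25"],       # overlaps the OWA range
    "Partner-CRM": ["192.168.5.0/24"],     # outside the encryption domain
}

def parse(ranges):
    return [ipaddress.ip_network(r, strict=False) for r in ranges]

def outside_encryption_domain(apps=APPLICATIONS, domain=ENCRYPTION_DOMAIN):
    """(application, range) pairs not contained in any encryption-domain network."""
    bad = []
    for name, ranges in apps.items():
        for net in parse(ranges):
            if not any(net.subnet_of(d) for d in domain if d.version == net.version):
                bad.append((name, str(net)))
    return bad

def overlapping_locations(apps=APPLICATIONS):
    """Pairs of applications whose authorized locations overlap: users authorized for one
    application would also reach the other, which the note above warns against."""
    parsed = {name: parse(ranges) for name, ranges in apps.items()}
    names = sorted(parsed)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.version == y.version and x.overlaps(y)
                   for x in parsed[a] for y in parsed[b]):
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    print("Outside the encryption domain:", outside_encryption_domain())
    print("Overlapping authorized locations:", overlapping_locations())
```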