Configuring Policy for Remote Access VPN
- Install the required Security Gateway / Cluster Members and configure their interfaces.
  For more information, see the R81.20 Installation and Upgrade Guide.
- In SmartConsole, create a new object.
  For more information, see the R81.20 Security Management Administration Guide > Managing Objects section.
- Establish the Secure Internal Communication (SIC).
  For more information, see the R81.20 Security Management Administration Guide > Secure Internal Communications (SIC) section.
- Get the interfaces and configure their topology settings.
  For more information, see the R81.20 Gaia Administration Guide > Network Management chapter > Network Interfaces topic.
- Create a Security Gateway network object.
- On the General Properties page, select VPN.
- Initialize a secure communication channel between the VPN module and the Security Management Server by clicking Communication.
- On the Topology page, define the interfaces and the VPN domain.
  The ICA (Internal Certificate Authority) automatically creates a certificate for the Security Gateway.
  For more information, see the R81.20 Security Management Administration Guide > Managing Objects section.
- From the Objects Bar, click VPN Communities.
- Double-click RemoteAccess.
  The Remote Access window opens.
- On the Participating Gateways page, click the Add button and select the Security Gateways that are in the Remote Access Community.
- On the Participating User Groups page, click the Add button and select the group that contains the Remote Access users.
- Click OK.
- Publish the changes.
These rules apply to traffic from the Remote Access VPN clients to internal resources behind the Security Gateway.
For more information, see the R81.20 Security Management Administration Guide > Chapter "Creating an Access Control Policy".
| Column | Description |
|---|---|
| Source | Select the applicable Host, Network, Group, User, and Access Role objects. |
| Destination | Select the applicable Host, Network, and Group objects. |
| VPN | Select the Remote Access VPN Community object. |
| Services & Applications | Select only the specific service objects to make the rule as restrictive as possible. |
| Action | Select the applicable action. |
Example:
| Source | Destination | VPN | Services & Applications | Action |
|---|---|---|---|---|
| Office_Mode_Network | MyWebServer | RemoteAccess | http | Accept |
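A pre-install check for the rule guidance above, as an added example that is not part of the Check Point documentation or tooling. It assumes the rules have been copied into plain dictionaries keyed by the table's columns; the dictionary layout, the function name and every rule except the first are constructed for illustration.

```python
ANY = "Any"

# Constructed sample rule base; the keys mirror the rule columns described above.
# Only the first rule comes from the page's example, the rest are made up.
SAMPLE_RULES = [
    {"name": "RA web", "source": ["Office_Mode_Network"], "destination": ["MyWebServer"],
     "vpn": ["RemoteAccess"], "services": ["http"], "action": "Accept"},
    {"name": "RA everything", "source": ["Office_Mode_Network"], "destination": [ANY],
     "vpn": ["RemoteAccess"], "services": [ANY], "action": "Accept"},
    {"name": "Office mode unbound", "source": ["Office_Mode_Network"],
     "destination": ["MyWebServer"], "vpn": [ANY], "services": ["http"], "action": "Accept"},
    {"name": "RA cleanup", "source": ["Office_Mode_Network"], "destination": [ANY],
     "vpn": ["RemoteAccess"], "services": [ANY], "action": "Drop"},
]


def audit_remote_access_rules(rules, community="RemoteAccess",
                              client_net="Office_Mode_Network"):
    """Return (rule name, finding) pairs for Accept rules that are broader than needed."""
    findings = []
    for rule in rules:
        if rule["action"] != "Accept":
            continue  # only permitting rules widen what remote clients can reach
        if community in rule["vpn"]:
            # Rule is bound to the Remote Access community: every other column
            # should name specific objects rather than Any.
            for column in ("source", "destination", "services"):
                if ANY in rule[column]:
                    findings.append((rule["name"], f"{column} is Any"))
        elif client_net in rule["source"] and ANY in rule["vpn"]:
            # Rule is written for the client address range but is not tied to the
            # community, so it also matches traffic that did not arrive over the VPN.
            findings.append((rule["name"], "VPN column is Any"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_remote_access_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```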
In SmartConsole, install the Access Control Policy on the Security Gateway/Cluster object.
The encryption properties of the users participating in a Remote Access community are set by default. If you must modify the encryption algorithm, the data integrity method and/or the Diffie-Hellman group, you can either do this globally for all users or configure the properties per user.
To modify the user encryption properties globally:
- Open Global Properties.
- From the navigation tree, click Remote Access > VPN - Authentication and Encryption.
- From the Encryption algorithms section, click Edit.
  The Encryption Properties window opens.
- In the IKE Security Association (Phase 1) tab, configure the applicable settings:
  - Support encryption algorithms - Select the encryption algorithms that will be supported with remote hosts.
  - Use encryption algorithms - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
  - Support Data Integrity - Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
  - Use Data Integrity - The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
  - Support Diffie-Hellman groups - Select the Diffie-Hellman groups that will be supported with remote hosts.
  - Use Diffie-Hellman group - Client users utilize the Diffie-Hellman group selected in this field.
- Click OK.
- Install policy.
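A review of the Support / Use selections described above, as an added example that is not part of the Check Point documentation or tooling. The settings layout and algorithm labels are constructed for illustration and are not SmartConsole identifiers; the deprecated set follows the MUST NOT and SHOULD NOT entries of RFC 8247 and is an assumed baseline to replace with your own.

```python
# Assumed baseline: algorithms RFC 8247 marks MUST NOT or SHOULD NOT for IKEv2.
DEPRECATED = {
    "encryption": {"DES"},
    "integrity": {"MD5"},
    "dh_group": {1, 2, 5},
}

# Constructed sample of Phase 1 selections: "support" is the accepted list,
# "use" is the entry given the highest priority.
SAMPLE_PHASE1 = {
    "encryption": {"support": ["AES-256", "3DES", "DES"], "use": "AES-256"},
    "integrity": {"support": ["SHA256", "MD5"], "use": "SHA256"},
    "dh_group": {"support": [14, 2], "use": 2},
}


def review_phase1(settings, deprecated=DEPRECATED):
    """Return (field, value, problem) tuples for a set of Phase 1 selections."""
    findings = []
    for field, cfg in settings.items():
        weak = deprecated.get(field, set())
        # The preferred value has to be one of the supported values.
        if cfg["use"] not in cfg["support"]:
            findings.append((field, cfg["use"], "preferred but not supported"))
        for value in cfg["support"]:
            if value not in weak:
                continue
            # A deprecated value is worst when preferred, but merely supporting
            # it still leaves it available to a remote host that offers it.
            role = "preferred" if value == cfg["use"] else "supported"
            findings.append((field, value, f"deprecated and {role}"))
    return findings


if __name__ == "__main__":
    for field, value, problem in review_phase1(SAMPLE_PHASE1):
        print(f"{field}: {value} is {problem}")
```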
To configure encryption policies for specified users:
- Open Global Properties, and click Remote Access > Authentication and Encryption.
- From the Encryption algorithms section, click Edit.
- In the Encryption Properties window, click the IPSEC Security Association (Phase 2) tab.
- Clear Enforce Encryption Algorithm and Data Integrity on all users.
- Click OK and close the Global Properties window.
- For each user:
  - From the Objects Bar, double-click the user.
  - From the navigation tree, click Encryption.
  - Click Edit.
    The IKE Phase 2 Properties window is displayed.
  - Click the Encryption tab.
  - Click Defined below.
  - Configure the Encryption Algorithm and Data Integrity.
  - Click OK and close the User Properties window.
- Install policy.