Compliance Check

The Mobile Access Software Blade lets you use the Endpoint Security on Demand feature to create compliance policies and add more security to the network. Mobile devices and computers are scanned one time to make sure that they are compliant before they can connect to the network.

The compliance scanner is installed on mobile devices and computers with ActiveX (for Internet Explorer on Windows) or Java. The scan starts when the Internet browser tries to open the Mobile Access Portal.

Compliance Policy Rules

The compliance policy is composed of different types of rules. You can configure the security and compliance settings for each rule or use the default settings.

These are the rules for a compliance policy:

Creating a Compliance Policy

By default, Endpoint Security on Demand only allows endpoint computers that are compliant with the compliance policy to log in to the Mobile Access Portal.

To create a compliance policy:

  1. In SmartConsole, go to Manage & Settings > Blades.

  2. In the Mobile Access section, click Configure in SmartDashboard.

  3. On the Mobile Access tab, select Endpoint Security on Demand > Endpoint Compliance.

  4. Click Edit policies.

    The Policies window opens.

  5. Click New Policy.

    The Policies > New Policy window opens.

  6. Enter the Name and Description for the policy.

  7. Click Add.

    The Add Enforcement Rules window opens.

  8. Select rules for the policy.

    You can also create new rules - click New Rule, and configure the rule settings.

  9. Click OK.

    The Policies > New Policy window shows the rules for the policy.

  10. Select Bypass spyware scan if necessary.

    When selected, the scan for endpoint computers that are compliant with the Anti-Virus or Anti-Spyware settings is changed. These computers do not scan for spyware when they connect to a Mobile Access Security Gateway.

  11. Click OK.

    The Policies window opens.

  12. Click OK.

Configuring Compliance Settings for a Security Gateway

The Firewall on a Mobile Access Security Gateway only allows access to endpoint computers that are compliant with the compliance policy.

This procedure shows how to configure the Laptop Computer policy for a Security Gateway (see Compliance Policy Rules).

To configure the compliance settings:

  1. In SmartConsole, go to Manage & Settings > Blades.

  2. In the Mobile Access section, click Configure in SmartDashboard.

  3. In the Mobile Access tab, select Endpoint Security on Demand > Endpoint Compliance.

  4. Select the Security Gateway and click Edit.

    The Endpoint Compliance page of the Security Gateway properties window opens.

  5. Select Scan endpoint machine when user connects.

  6. Select Threshold policy and from the drop-down menu select Laptop Computer.

  7. Click OK.

  8. Install the policy on the Mobile Access Security Gateway.

Secure Workspace

Secure Workspace is a security solution that allows remote users to connect to enterprise network resources safely and securely. The Secure Workspace virtual workspace provides a secure environment on endpoint computers that is segregated from the "real" workspace. Users can only send data from this secure environment through the Mobile Access Portal. Secure Workspace users can only access permitted applications, files, and other resources from the virtual workspace.

Secure Workspace creates an encrypted folder on the computer called My Secured Documents, which can be accessed from the virtual desktop. This folder contains temporary user files. When the session terminates, Secure Workspace deletes this folder and all other session data.

For more about configuring Secure Workspace and Mobile Access VPN, see the R81.20 Mobile Access Administration Guide.