Mobile Access Blade Configuration and Settings
Interoperability with Other Software Blades
The Mobile Access Software Blade (MAB) is a Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients. It is fully integrated with the other Software Blades. Any Security Gateway running SecurePlatform or Gaia with the Firewall blade enabled can also have the Mobile Access blade enabled.
Most Network objects, Resources, and Users created in SmartDashboard (the legacy GUI client, still used in R80.x and higher for specific legacy settings) also apply to Mobile Access and can be used when configuring Access to Applications. Similarly, any Network objects, Users, and User Groups that you create or modify in Mobile Access appear in the SmartDashboard navigation tree and are usable in all of the SmartDashboard applications.
IPS Blade
When you enable Mobile Access on a Security Gateway, certain IPS Web Intelligence protections are activated. The settings of these protections are taken from a local file and are not connected to the IPS profile assigned to the Security Gateway. These protections apply only to Mobile Access traffic, and they apply even if the IPS blade is not enabled on the Security Gateway.
Disabling Protections for Advanced Troubleshooting
You should only disable the Mobile Access Web Intelligence protections for advanced troubleshooting.
Important - We do not recommend that you deactivate these protections, because the Security Gateway is exposed to potential security risks while they are off.
To disable the local Web Intelligence protections:
- Back up the $CVPNDIR/conf/httpd.conf configuration file.
- Edit $CVPNDIR/conf/httpd.conf and delete or comment out this line:
  LoadModule wi_module /opt/CPcvpn-<current version>/lib/libModWI.so
  where <current version> is the Check Point version installed.
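The two steps above, as an added shell example that is not Check Point's own code: it takes the backup first, then comments the wi_module line out (or restores it) and reports the resulting state, so you can confirm what the edit did before restarting the Mobile Access processes. It assumes the line has the documented form and that $CVPNDIR is set, as it is on a Mobile Access gateway; the sample httpd.conf it generates is constructed for demonstration (the version in the path is a placeholder), and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not Check Point's own code. Disables or re-enables the local
# Web Intelligence module in a Mobile Access httpd.conf: backup first, then
# comment the LoadModule line out (disable) or uncomment it (enable).
# Assumptions: the line has the form documented on the page,
#   LoadModule wi_module /opt/CPcvpn-<current version>/lib/libModWI.so
# and $CVPNDIR is set. Pass an explicit path to work on a copy; do not
# experiment on a live gateway file.

# Regex for the directive body; "^" or "^#" is prepended where it is used.
WI_BODY='[[:space:]]*LoadModule[[:space:]]\{1,\}wi_module[[:space:]]'

# wi_state FILE: prints "active", "disabled" or "missing".
wi_state() {
    if grep -q "^$WI_BODY" "$1"; then
        echo active
    elif grep -q "^#$WI_BODY" "$1"; then
        echo disabled
    else
        echo missing
    fi
}

# toggle_wi disable|enable [FILE]: backs FILE up, edits it, prints new state.
toggle_wi() {
    action=$1
    conf=${2:-$CVPNDIR/conf/httpd.conf}
    [ -f "$conf" ] || { echo "toggle_wi: no such file: $conf" >&2; return 2; }
    # Step 1 of the procedure: keep a timestamped backup before editing.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 2
    tmp=$(mktemp) || return 2
    case $action in
        # Only a line that starts with the directive is touched; a line that
        # is already commented out does not match, so "disable" is idempotent.
        disable) sed "s|^\($WI_BODY\)|#\1|" "$conf" > "$tmp" ;;
        enable)  sed "s|^#\($WI_BODY\)|\1|" "$conf" > "$tmp" ;;
        *) rm -f "$tmp"; echo "usage: toggle_wi disable|enable [file]" >&2; return 2 ;;
    esac
    # Write back over the original so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
    wi_state "$conf"
}

# make_sample_conf: writes a constructed, minimal httpd.conf to a temp file
# and prints its path. "RXX" stands in for the installed version; the
# other_module line is filler to show that only wi_module is touched.
make_sample_conf() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
# constructed sample, not a real gateway configuration
LoadModule other_module /opt/CPcvpn-RXX/lib/other.so
LoadModule wi_module /opt/CPcvpn-RXX/lib/libModWI.so
Listen 443
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample: ./toggle_wi.sh demo
if [ "${1:-}" = demo ]; then
    f=$(make_sample_conf)
    echo "before:  $(wi_state "$f")"
    echo "disable: $(toggle_wi disable "$f")"
    echo "enable:  $(toggle_wi enable "$f")"
    rm -f "$f" "$f".bak.*
fi
```

httpd reads LoadModule directives only at start-up, so the edit takes effect after the Mobile Access processes are restarted; the backup file lets you revert with a single copy if the gateway misbehaves without the module.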
Changing to an IPS Profile Configuration for Mobile Access
We recommend using the local IPS Web Intelligence protections that are automatically configured and activated when you enable the Mobile Access blade. If you want to use the IPS profile that you assign to the Security Gateway instead of the local file, make sure that certain crucial protections are active so that your Security Gateway stays secure.
To change to a Security Gateway IPS profile configuration for Mobile Access instead of the local configuration:
- Edit the IPS profile assigned to the Security Gateway to include all of the protections listed in the "IPS Protections Crucial for Mobile Access" section.
- From the CLI, run:
  cvpnd_settings set use_ws_local_configuration false
- When prompted, back up the $CVPNDIR/conf/cvpnd.C file.
- Restart the Mobile Access processes. Run:
  cvpnstop ; cvpnstart
Note - If the IPS blade is disabled on the Security Gateway, Mobile Access uses the local IPS configuration so that the Security Gateway stays protected. This is true regardless of the use_ws_local_configuration setting.
To switch back to the local, automatic IPS settings for Mobile Access:
- From the CLI, run:
  cvpnd_settings set use_ws_local_configuration true
- Restart the Mobile Access processes. Run:
  cvpnstop ; cvpnstart
IPS Protections Crucial for Mobile Access
The protections listed below should always be active on Mobile Access traffic. They are included in the local IPS settings that are automatically activated when Mobile Access is enabled on a Security Gateway. Note that most, but not all, of them are included in the Recommended_Protection IPS profile, so a profile based on it needs the missing ones added before you switch Mobile Access to it.
Protection Name | In Recommended_Protection Profile?
---|---
HTTP Format Sizes | yes
HTTP Methods | yes
ASCII Only Request | yes
General HTTP Worm Catcher | yes
Directory Traversal | yes
Cross-Site Scripting | no
Command Injection | yes
Header Rejection | yes
Malicious Code Protector | no
Non Compliant HTTP | yes
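A pre-flight check for the first step of "Changing to an IPS Profile Configuration for Mobile Access", added here as an example and not Check Point's own tooling: given a plain-text list of the protections active in the profile you intend to assign, it reports which of the crucial protections in the table above are missing, and exits non-zero if any are. The one-name-per-line input format is this script's assumption (copy the names from SmartConsole or export them however you prefer); the sample list it builds is constructed to match the Recommended_Protection column of the table.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling. Checks a list of active IPS
# protections against the set the page marks as crucial for Mobile Access,
# so you can fix the profile before running
#   cvpnd_settings set use_ws_local_configuration false
# Input format (an assumption of this script): one protection name per line.

# The ten protections from the page's table.
CRUCIAL='HTTP Format Sizes
HTTP Methods
ASCII Only Request
General HTTP Worm Catcher
Directory Traversal
Cross-Site Scripting
Command Injection
Header Rejection
Malicious Code Protector
Non Compliant HTTP'

# missing_crucial FILE: print the crucial protections absent from FILE.
# Matching is exact and case-sensitive after trimming surrounding whitespace.
missing_crucial() {
    printf '%s\n' "$CRUCIAL" | while IFS= read -r name; do
        if ! sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$1" | grep -qxF -e "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# profile_ok FILE: exit 0 when nothing is missing, 1 otherwise.
profile_ok() {
    [ -z "$(missing_crucial "$1")" ]
}

# make_recommended_sample: constructed input mirroring the table's
# Recommended_Protection column (everything except Cross-Site Scripting and
# Malicious Code Protector). Prints the temp file path.
make_recommended_sample() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
HTTP Format Sizes
HTTP Methods
ASCII Only Request
General HTTP Worm Catcher
Directory Traversal
Command Injection
Header Rejection
Non Compliant HTTP
EOF
    echo "$f"
}

# Stand-alone use: ./check_profile.sh /path/to/active_protections.txt
if [ -n "${1:-}" ]; then
    if profile_ok "$1"; then
        echo "all crucial Mobile Access protections are active"
    else
        echo "missing crucial protections:"
        missing_crucial "$1" | sed 's/^/  /'
        exit 1
    fi
fi
```

Run it against the list from the profile you are about to assign; with the Recommended_Protection baseline it reports Cross-Site Scripting and Malicious Code Protector, which matches the two "no" rows in the table. Only once it exits 0 should you flip use_ws_local_configuration to false and restart with cvpnstop ; cvpnstart.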
Anti-Virus and Anti-Malware Blade
Certain Anti-Virus settings configured for a Security Gateway in the Traditional Anti-Virus > Security Gateway > HTTP page of the Threat Prevention tab also apply to Mobile Access traffic. To activate Traditional Anti-Virus protection, enable Traditional Anti-Virus on the Security Gateway.
These settings apply to Mobile Access traffic when Traditional Anti-Virus is configured to scan traffic By File Direction:
- Incoming files arriving to - inspects traffic that Mobile Access users upload to Mobile Access. (The drop-down menu is not relevant.)
- Outgoing files leaving - inspects traffic that Mobile Access users download from Mobile Access. (The drop-down menu is not relevant.)
- The Internal Files field is not relevant, because Mobile Access uses an external interface.
- Exceptions are not supported.
If Traditional Anti-Virus is configured to scan traffic By IPs, all portal traffic is scanned according to the settings defined for the Mail, FTP and HTTP protocols in SmartDashboard.
Mobile Access Anti-Virus protections always work in proactive mode regardless of which option you select.
Note - After SSL Network Extender (SNX, the thin-client SSL VPN) traffic is rerouted to the Security Gateway, Anti-Virus inspects it as it does any other unencrypted traffic.
Enabling Traditional Anti-Virus
The Anti-Virus blade and Traditional Anti-Virus can be activated on Security Gateways in your system.
Note - You cannot activate the Anti-Virus blade and Traditional Anti-Virus on the same Security Gateway.
To configure Traditional Anti-Virus:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway. The Security Gateway window opens and shows the General Properties page.
- From the navigation tree, click Other > More Settings > Enable Traditional Anti-Virus.
- Click OK.
- Define rules in the Access Control Policy to allow the specified services. Anti-Virus scans only accepted traffic.
- From the Anti-Bot and Anti-Virus tab > Traditional Anti-Virus, select the services to scan using these pages:
  - Database Update: configure when to perform automatic signature updates, or initiate a manual signature update.
  - Security Gateway > Mail Protocol: configure Anti-Virus scanning options for Mail Anti-Virus, Zero Hour Malware, SMTP, and POP3 services.
  - Security Gateway > FTP: configure FTP traffic scanning options.
  - Security Gateway > HTTP: configure HTTP traffic scanning options.
  - Security Gateway > File Types: configure the options to scan, block, or pass traffic according to file type, and configure continuous download options.
  - Security Gateway > Settings: configure options for file handling and scan failures.
IPsec VPN Blade
The IPsec VPN blade (Site to Site VPN and Remote Access VPN) and the Mobile Access blade can be enabled on the same Security Gateway. They can be used in parallel to provide optimal site to site and remote access VPN connectivity for your environment.
Certain VPN clients that worked with Mobile Access in previous versions do not work with the Mobile Access blade on Security Gateways R71 and higher; they work only with the IPsec VPN blade. These are:
- Endpoint Connect
- SecureClient Mobile
SSL Network Extender works either with Mobile Access or with IPsec VPN. However, if the Mobile Access blade is enabled on a Security Gateway, SSL Network Extender must be configured through Mobile Access. If you had SSL Network Extender configured through IPsec VPN and then enabled the Mobile Access blade on the Security Gateway, you must reconfigure the SSL Network Extender policy in the Mobile Access tab of SmartDashboard. Rules regarding SSL Network Extender in the main security Rule Base are not active when the Mobile Access tab is enabled.
Office Mode can be configured either with Mobile Access or with IPsec VPN.
Concurrent Connections to the Security Gateway
In the Gateway Properties > Optimization > Capacity Optimization section you can configure the maximum limit for concurrent connections.
When users connect to corporate resources through the Mobile Access blade, each session creates multiple connections: for example, one from the user to the Security Gateway and another from the Security Gateway to the internal server. Therefore, in an environment with over 1000 remote users, we recommend that you increase the maximum concurrent connections.
For example: the default maximum is 25,000. If you have 2000 Mobile Access users, allow 2 connections per user (2 x 2000 = 4,000) and increase the maximum to 29,000.