Configuring the Remote Access Blade
On the VPN view > Remote Access section > Blade Control page you can establish secure encrypted connections between devices such as mobile devices, home desktops and laptops, and the organization through the Internet.
For Remote Access VPN (an encrypted tunnel between remote access clients, such as Endpoint Security VPN, and a Security Gateway), you must configure users on the appliance with credentials and configure the required permissions for the specified users. The appliance must be accessible from the Internet.
We highly recommend that you first configure DDNS or an Internet connection with a static IP address on the appliance. If you do not use a static IP address, your appliance's IP address can change based on your Internet Service Provider. DDNS lets home users connect to the organization by hostname rather than by an IP address that can change. See Device view > System section > DDNS & Device Access page > DDNS section for more details.
To configure DDNS, see Configuring DDNS and Access Service.
To configure the static IP address, see Configuring Internet Connectivity.
Note - Remote Access VPN supports connections from IPv4 addresses only.
Getting Started with Remote Access VPN
- Enable the Remote Access VPN Blade and configure its features:
  - Go to the VPN view > Remote Access section > Blade Control page.
  - Select On.
  - Mandatory: Select Allow traffic from Remote Access users.
  - Optional: Select Log traffic from Remote Access users.
  - Optional: Select Require users to confirm their identity using Two-Factor Authentication.
    Procedure: Two-Factor Authentication, also called multi-factor authentication, is an extra layer of security to prevent unauthorized access to your system. The gateway sends a passcode to the user by email or SMS to allow the user to connect through VPN. Starting from R81.10.07, you can also select to use Google Authenticator.
    To use Two-Factor Authentication, you must have Remote Access permissions configured, with an email address and mobile phone number.
    For SMS, you can use the Check Point SMS provider or an external SMS provider. If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server and a Dynamic URL that contains the API of the external service provider.
    Notes:
    - By default, the gateway sends the passcode by both email and SMS.
    - L2TP and SNX do not support Two-Factor Authentication. To make sure these connections work, run this command in Gaia Clish (the default shell of the Gaia CLI):
      set vpn remote-access advanced allow-older-clients true
    To configure Two-Factor Authentication:
    - On the VPN view > Remote Access section > Blade Control page, select Require users to confirm their identity using Two-Factor Authentication.
    - Click Configure.
      The Two-Factor Authentication Settings window opens.
    - Select the applicable option:
      Note - The authentication methods are global settings, which means they are enforced for all users and groups. Starting from R81.10.15, you can select to override the global settings for Two-Factor Authentication and Route All Traffic for local users and AD groups. Set the policy per individual user (local or AD group) on the Configuring Remote Access Users page.
      To receive the passcode by both SMS and email, select both checkboxes.
      To receive authentication by SMS:
      - Select the SMS checkbox.
      - To use Check Point SMS, select Use Check Point SMS provider service.
      - If you select Use External SMS provider, enter the information for these fields:
        - DynamicID URL
        - Provider user name
        - Provider password
        - API ID
        - Message to display (optional)
      To receive authentication by Email:
      - Select the Email checkbox.
      - Optional: Enter the Message to send.
      To receive authentication by SMB Cloud Service (Google Authenticator application):
      Note - Users must have Remote Access permissions configured for this option.
      - Select the Use Google Authenticator checkbox.
      - Click Save.
        The SMB Cloud Service sends an email that contains a QR code to the email address configured for the user.
      - Scan the QR code with the Google Authenticator application.
      - The one-time password (OTP) appears.
        Note - The OTP expires after 30 seconds.
      - On your computer, connect to the VPN. Enter your username and password.
      - For the second authentication, enter the OTP in the Response field.
      - The Cloud Service compares the OTP to the one represented by the QR code in the application. If it matches, you are connected to the VPN.
      The Cloud Service sends a QR code with an OTP when:
      - A new user is configured.
      - The information for an existing user is edited, for example a new email address is added or the user receives Remote Access permissions.
      - The administrator decides that all users must use Cloud Authentication.
    - On the Advanced tab, below Dynamic ID Settings, enter the:
      - Length of the one-time password.
      - Amount of time in minutes until the password expires.
      - Maximum number of retries.
    - Below Country Code, enter the Default country code.
    - Click Save.
    To sign in with Two-Factor Authentication:
    - Connect to your VPN.
    - You get a prompt for a DynamicID One Time Password (OTP) sent to your mobile phone as an SMS, or directly to your email account, or by scanning the QR code.
    Notes:
    - VPN Two-Factor Authentication is per gateway, not per administrator.
    - When you turn on Two-Factor Authentication, you enable it for all VPN clients. This means all VPN users must have a configured mobile phone number and email address with which to connect.
  - Optional: In R81.10.15 and higher: Configure the schedule to enable or disable the Remote Access VPN blade. See Remote Access VPN Scheduler.
  - Optional: In R81.10.15 and higher: Configure the Allow/Block List to allow or block the Remote Access VPN traffic from specific sources. See Allow or Block Remote Access VPN Traffic from Specific Sources.
  - In the section "VPN Remote Access users can connect via", select the applicable Remote Access VPN clients.
    Procedure: The supported Remote Access VPN clients are:
    - Check Point VPN clients - Install a VPN client on your desktop or laptop.
    - Mobile client - To connect on your smartphone or tablet (iOS or Android).
    - SSL VPN - To connect through SSL VPN. Enter the IP address in your web browser.
    - Windows VPN client - L2TP. For either Windows or macOS, connect with a pre-shared key. For instructions, click How to connect.
    To configure Remote Access VPN methods:
    - Select the checkbox next to the desired method and click How to connect.
      The Usage window opens.
    - Follow the instructions on the screen.
    - Close the window.
    - Click Save.
  - At the bottom of the page, click Save.
  Note - When the Remote Access VPN blade is managed by Cloud Services, a lock icon appears. You cannot toggle between the On and Off states. If you change other policy settings, the change is temporary. Any changes you made locally are overridden in the next synchronization between the gateway and Cloud Services.
- Configure users and user groups for the Remote Access VPN.
  Follow the applicable procedure:
  Adding a new local user:
  - Go to the VPN view > Remote Access section > Remote Access Users page.
  - Click Add.
    The New Local User window opens.
  - Enter the required information in the fields.
    Note - The Email and Phone number fields are optional. However, if you want to give this user Remote Access VPN permissions, this information is necessary for Two-Factor Authentication during the Remote Access VPN connection.
  - In the Remote Access permissions, select the applicable options.
  - Click Save.
  Adding new users from Active Directory / RADIUS:
  You can use Active Directory or RADIUS servers to automatically populate your users and groups. See Configuring Authentication Servers for Remote Access.
  To see a table of the defined authentication servers, go to the VPN view > Remote Access section > Authentication Servers page.
  Configuring an existing local user:
  - Click the username in the table and click Edit. You can also double-click the username.
  - Select Remote Access permissions.
  - Click OK.
  Configuring the permissions for existing local users / user groups:
  - Click Edit permissions.
  - At the top, click the applicable filter:
    - Click Users to see the locally configured users.
    - Click Active Directory to see the user groups configured on an Active Directory server.
  - In the left column, select the checkbox near the applicable usernames / user groups.
  - Click Save.
- Monitor Remote Access VPN:
  - To see the currently connected Remote Users, go to the VPN view > Remote Access section > Connected Remote Users page.
  - To see the current Remote Access VPN tunnels, go to the Logs & Monitoring view > Status section > VPN Tunnels page.
  - To see the traffic from the currently connected Remote Access VPN users, go to the Logs & Monitoring view > Logs section > Security Logs page.
    Note - On the VPN view > Remote Access section > Blade Control page, you must select Log traffic from Remote Access users.
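The Google Authenticator option in the Two-Factor Authentication procedure above works with time-based one-time passwords: the app and the verifier derive the same six-digit code from a shared secret (carried in the QR code) and the current 30-second time step. The following is an added Python example, not Check Point code, that shows that check against the reference test vectors of RFC 6238; that the app uses standard TOTP, the clock-skew tolerance parameter and the demo secret are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not Check Point code. Assumes the app uses standard TOTP
# (RFC 6238): HMAC-SHA1, 6 digits, 30-second time step.
TIME_STEP = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: int) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / TIME_STEP)."""
    return hotp(secret, at_time // TIME_STEP)

def verify_otp(secret: bytes, candidate: str, at_time: int, drift_steps: int = 0) -> bool:
    """Verifier-side check. With drift_steps=0 a code is only valid inside its own
    30-second step, matching the expiry the page states; drift_steps=1 is the
    usual tolerance for clock skew (an assumption, not an appliance setting).
    The constant-time comparison avoids leaking how many digits matched."""
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == DIGITS):
        return False
    current = at_time // TIME_STEP
    return any(hmac.compare_digest(candidate, hotp(secret, current + d))
               for d in range(-drift_steps, drift_steps + 1))

def secret_from_base32(encoded: str) -> bytes:
    """The QR code carries an otpauth:// URI whose secret is Base32, usually unpadded."""
    text = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 reference key, not a real enrolment.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code now:", code, "valid now:", verify_otp(demo_secret, code, now))
    print("same code 60 s later:", verify_otp(demo_secret, code, now + 60))
```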
Remote Access VPN Scheduler
Starting from R81.10.15: With the Remote Access VPN Scheduler, you can configure VPN Remote Access to be active only during specific hours, for example during normal business hours.
On the VPN Remote Access Control page, the Remote Access VPN status is shown at the bottom of the Remote Access section:
- VPN Remote Access is active
- VPN Remote Access is inactive due to VPN Scheduler
- VPN Remote Access scheduler is not configured
To configure the scheduler, in the Remote Access section of the VPN Remote Access Control page:
- Click the available option:
  - If you did not enable the scheduler yet, WebUI shows this line:
    The Remote Access VPN scheduler is not configured
    Click Configure at the end of this line.
  - If you already enabled the scheduler, WebUI shows this line:
    Remote Access VPN is inactive due to the current scheduler configuration
    Click the link scheduler in this line.
  The Remote Access VPN Scheduler window opens.
- To enable this feature, move the slider Remote Access VPN scheduler is enabled.
  The slider becomes green.
- In the line In the defined time intervals, Remote Access VPN will be, select the applicable action:
  - Active - Enables the Remote Access VPN blade during the configured hours and days.
  - Inactive (this is the default) - Disables the Remote Access VPN blade during the configured hours and days.
- Optional: Select Disconnect VPN users when Remote Access VPN is turned off by the scheduler.
- Click New.
- Configure the schedule and click Save:
  - Start time
  - End time
  - Days
- Click Save.
To edit a schedule, in the Remote Access section of the VPN Remote Access Control page:
- In the line Remote Access VPN is inactive due to the current scheduler configuration, click the link scheduler.
- Click the schedule.
- Click Edit.
- Configure the applicable settings and click Save.
- Click Save.
To delete a schedule, in the Remote Access section of the VPN Remote Access Control page:
- In the line Remote Access VPN is inactive due to the current scheduler configuration, click the link scheduler.
- Click the schedule.
- Click Delete.
- Click Delete to confirm.
- Click Save.
Allow or Block Remote Access VPN Traffic from Specific Sources
Starting from R81.10.15, you can block or allow traffic from selected objects, including Network Objects and Updatable Objects (Geo Locations).
To configure the allow/block list, in the Remote Access section of the VPN Remote Access Control page:
- Click the available option:
  - If you did not enable the allow/block list yet, WebUI shows this line:
    Access is not allowed/blocked for specific objects
    Click Configure at the end of this line.
  - If you already enabled the allow/block list, WebUI shows this line:
    Only access from selected objects is allowed
    Click the link selected objects in this line.
  The Remote Access VPN Allow/Block Lists window opens.
- To enable this feature, move the slider Remote Access VPN Allow/Block lists are enabled.
  The slider becomes green.
- In the line Traffic from the following sources will be, select the applicable action:
  - Allowed (this is the default) - Allows traffic only from the selected objects and blocks traffic from all other sources.
  - Blocked - Blocks traffic only from the selected objects and allows traffic from all other sources.
- Click +Add and select Network object or Geo Location.
  Important - By default, this list is empty. Make sure to select the applicable objects to prevent unwanted behavior (allowing all traffic or blocking all traffic).
  For Geo Locations:
  - Click Geo Locations.
    The Import Updatable Object window opens.
  - Enter the applicable text in the Search field and select the checkboxes next to the relevant continents and countries that appear.
    Note - The maximum supported number of selected Geo Location objects in this list is 100. See sk182654.
  - Click Save.
  For Network Objects:
  - Click Network Objects.
    The Select Network Objects window opens.
  - Click New.
    The New Network Object window opens.
  - For Type, select one of these from the menu:
    - Single IP
    - IP Range
    - Network
    - Wildcard
  - Enter the Name of the object.
  - Enter the Network address and the Subnet mask.
  - Click Save.
To delete an object from the list, in the Remote Access section of the VPN Remote Access Control page:
- In the line Only access from selected objects is allowed, click the link selected objects.
- In the list, click the object you want to delete.
  You can select only one object at a time.
- From the toolbar, click Delete.
- Click Save.
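As an added illustration of the Allowed and Blocked modes described above (example code, not Check Point's implementation), the following Python evaluates a source address against a list of Single IP, IP Range and Network objects and flags the empty-list case from the Important note: with the definitions above, an empty list in Allowed mode leaves no permitted source, and an empty list in Blocked mode blocks nothing. Geo Location and Wildcard objects are not modelled, and the addresses are constructed examples.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

# Added example, not Check Point code: models the Allowed / Blocked modes of the
# Remote Access VPN Allow/Block list for Single IP, IP Range and Network objects.
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def parse_objects(entries: Iterable[str]) -> List[Net]:
    """'203.0.113.5' (Single IP), '203.0.113.0/24' (Network) or
    '192.0.2.20-192.0.2.23' (IP Range, expanded to the covering prefixes)."""
    nets: List[Net] = []
    for raw in entries:
        text = raw.strip()
        if "-" in text:
            first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets

def list_permits(source: str, objects: List[Net], mode: str) -> bool:
    """Allowed: only listed sources may reach the VPN.
    Blocked: listed sources are dropped, everything else passes."""
    if mode not in ("Allowed", "Blocked"):
        raise ValueError("mode must be 'Allowed' or 'Blocked'")
    addr = ipaddress.ip_address(source)
    listed = any(addr in net for net in objects)
    return listed if mode == "Allowed" else not listed

def empty_list_warning(objects: List[Net], mode: str) -> Optional[str]:
    """Pre-flight check for the Important note: an empty list is never a no-op."""
    if objects:
        return None
    if mode == "Allowed":
        return "Allowed mode with an empty list blocks ALL Remote Access VPN sources"
    return "Blocked mode with an empty list allows ALL Remote Access VPN sources"

if __name__ == "__main__":
    # Constructed sample objects using documentation address ranges.
    objs = parse_objects(["203.0.113.0/24", "198.51.100.10", "192.0.2.20-192.0.2.23"])
    for src in ("203.0.113.7", "192.0.2.22", "192.0.2.24"):
        print(src, "Allowed:", list_permits(src, objs, "Allowed"),
              "Blocked:", list_permits(src, objs, "Blocked"))
    print(empty_list_warning([], "Allowed"))
```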
Advanced Options
For more information, see Configuring Advanced Remote Access Options.
Changing the Default Remote Access VPN Port
The default Remote Access VPN port on the Quantum Spark Gateway is TCP 443. If you configured the WebUI on the appliance to work on TCP port 443 as well, a conflict message appears on the VPN view > Remote Access section > Blade Control page.
If you enabled one of these Remote Access VPN clients:
- Check Point VPN clients
- Mobile client
- SSL VPN
then you must change the default Remote Access VPN port:
- Click the Change port link.
  The Remote Access Port Settings window opens.
- In the Remote Access port field, enter a new port number.
- Select Reserve port 443 for port forwarding.
- Click Save.
Connections Between Remote Access VPN Clients in the Same Office Mode Pool
Follow this procedure to allow connections between Remote Access VPN clients that get an IP address from the same Office Mode Pool.
- Go to the Users & Objects view > Network Resources section > Network Objects page.
- Click New to create a new Network object for the Office Mode network:
  - In the Type menu, select Network.
  - In the Network address field, enter the applicable network IP address.
  - In the Subnet mask field, enter the required subnet mask.
  - In the Object name field, enter the applicable name. For example: OMPOOL.
  - Click Save.
- Go to the Device view > Advanced section > Advanced Settings page.
- Configure the parameter VPN Remote Access - Back Connections enable:
  - In the top search field, enter: VPN Remote Access - Back Connections enable.
  - Select the parameter VPN Remote Access - Back Connections enable and click Edit.
  - Select the option Back connections enable.
  - Click Save.
- Configure an Access Policy rule to allow traffic between computers in the Office Mode network:
  - Go to the Access Policy view > Firewall section > Policy page.
  - In the section Incoming, Internal and VPN traffic, click New.
  - Configure this rule:
    Source | Destination | Service | Action | Log
    OMPOOL | OMPOOL      | *Any    | Accept | Log or None
  - Click Save.
- Configure the NAT Policy rule to disable NAT on the traffic between computers in the Office Mode network:
  - Go to the Access Policy view > Firewall section > NAT page.
  - In the section NAT Rules, click View NAT rules.
  - Click New.
  - Configure this rule:
    Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service
    OMPOOL          | OMPOOL               | *Any             | *Original         | *Original              | *Original
  - Click Save.