Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4136
Views
15
Helpful
2
Replies

ISE and Checkpoint VPN

Go to solution
franjean47
Level 1
Level 1

‎05-10-2021 03:43 PM

Hi  

 

We have a 8 node ISE 2.6 patch 6 deployment in a Checkpoint firewall/VPN environment and are investigating what requirements are to use the ISE to authenticate and authorize the Checkpoint VPN users. 

 

1. Can the ISE be configured to do VPN access with Checkpoint in a similar way that you can with Cisco Firewalls and Anyconnect?

2. Do you need pxGrid to be able to do ISE to Checkpoint VPN integration?

3. Is it possible to do Profiling and/or Posture with Checkpoint VPN?

 

The only ISE to Checkpoint integration information we have been able to find thus far has been with Checkpoint Identity Collector, but could not find anything specific to just the VPN.

 

Any guidance will be greatly appreciated.

 

 

 

 

 

 

 

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎05-11-2021 01:00 PM - edited ‎05-11-2021 01:23 PM

@franjean47 

You can configure checkpoint to use ISE as the RADIUS server to authenticate the users, you don't need pxgrid for that.

 

I doubt you can profile the devices, ISE needs to learn the MAC address of an endpoint in order to create an endpoint record and profile the device. The MAC address for the LAN interface of the VPN client cannot be learnt by ISE over a layer 3 connection. If using the AnyConnect VPN client to authenticate to the VPN ISE can learn the MAC address using ACIdex values, but I doubt you can use AnyConnect with the CheckPoint firewall?

 

I've not tried it, but if using ISE 3.0 perhaps agentless posture might work in your scenario.

Posturing would require the AnyConnect ISE posture client, so you'd need to install this and a profile specifying the ISE call home servers. I doubt you could use posture redirect method, as I assume the CheckPoint device wouldn't support the redirect acl that ASA/FTD do.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎05-11-2021 01:00 PM - edited ‎05-11-2021 01:23 PM

@franjean47 

You can configure checkpoint to use ISE as the RADIUS server to authenticate the users, you don't need pxgrid for that.

 

I doubt you can profile the devices, ISE needs to learn the MAC address of an endpoint in order to create an endpoint record and profile the device. The MAC address for the LAN interface of the VPN client cannot be learnt by ISE over a layer 3 connection. If using the AnyConnect VPN client to authenticate to the VPN ISE can learn the MAC address using ACIdex values, but I doubt you can use AnyConnect with the CheckPoint firewall?

 

I've not tried it, but if using ISE 3.0 perhaps agentless posture might work in your scenario.

Posturing would require the AnyConnect ISE posture client, so you'd need to install this and a profile specifying the ISE call home servers. I doubt you could use posture redirect method, as I assume the CheckPoint device wouldn't support the redirect acl that ASA/FTD do.

0 Helpful

Go to solution
Spyros Kasapis
Level 1
Level 1
In response to Rob Ingram

‎09-20-2021 03:23 AM

Hello ,

any documentation or workaround with checkpoint vpn and ISE with azure-ad ?

Customers Also Viewed These Support Documents