Check Point remote access VPN info

Hello,

What licenses do you need to enable the Mobile Access VPN blade on a Check Point Gateway? About 500 users, MFA with Microsoft Auth app and SAML with Entra.
Is there any free endpoint vpn agent like FortiClient or do you need Harmony endpoint subscription?

You need to take the MOB-Unlimited on your Gateways

And then the Check Point VPN client is free

Mobile Access blade is sold in 3 levels of licensing. You mention 500 users, but how many are connected to VPN at one time? MAB is sold for concurrently connected users so you may not need the MOB-U for unlimited users. The other license levels are MOB-50 and MOB-200 for 50 or 200 concurrent users respectively. Finally, the licenses do not stack. So if you need 300 concurrent VPN connections then you can’t buy two MOB-200. You would need the MOB-U for unlimited.

Remote Access VPN currently comes in three (or four) flavors.

SecuRemote - that’s the free one, but it doesn’t support stuff like Office Mode. “No money, no features”.

Mobile VPN - licensed by concurrent connections on the gateway, which means in a cluster environment you need to license it on all cluster members. Appliances usually include 5 licenses.

Endpoint Connect - part of Harmony Endpoint - licensed by installation on the management managing the RA VPN Gateway.

Optionally you can look at Harmony SASE (formerly known as Perimeter81) where your clients connect to the cloud and are tunneled via Site-to-Site VPN to your Gateway. Licensed per user on portal.checkpoint.com.

On recent versions SAML is supported. You will need a certain patch level to have SAML support for mobile devices.

After talking to our CP SME, final BoM looked like this: (incl. 1x 9100)

| |Product Name|SKU|Category|Qty|
|---|---|---|---|---|
|1|Next Generation Security Management Software for 5 gateways (SmartEvent & Compliance 1 year)|CPSM-NGSM5|Product|1|
|2|SmartEvent and SmartReporter blade for 5 gateways (Smart-1 & open server) 2 year subscription|CPSB-EVS-5-2Y|Service|1|
|3|9100 Base Appliance with SandBlast subscription package for 1 year|CPAP-SG9100-SNBT|Product|1|
|4|Endpoint Management pre-defined system for 1000 endpoints|CPSM-P1003-E|Product|1|
|5|Endpoint Access Control perpetual package. Provides endpoint firewall and VPN remote access|CPEP-ACCESS-P|Product|400|
|6|Enterprise SW Subscription and Premium Support|CPES-SS-PREMIUM|Support|1|
|7|Enterprise Software Subscription and Premium Support additional product|CPES-SS-PREMIUM-ADD|Support|1|

Thank you for your quick reply.

We plan to propose CP to replace existing Remote Access solution. We are talking about 350-400 max concurrent users. The fact that licenses do not stack is bad news. I will speak to CP SME tomorrow about it.

Thanks for your reply. Very good summary.

I created a quick BoM based on a pair of 3800’s and NGFW + 3 yrs premium support + Mob-200 x 4 times and the BoM increased significantly.

I need basic VPN. I know SASE, but low-cost VPN is what we need right now.

VPN is still not dead, but in the long run ZTNA will most probably replace many VPN deployments.

You might also ask about how Harmony SASE might help.

Two mob-200’s are the same price as an unlimited so not sure why that would be a limiting factor.