Mobile Security is a security service that enables you to set and enforce security requirements for iOS and Android mobile devices that connect to your network. When Mobile Security is enabled, the Firebox blocks traffic from unauthorized mobile devices, and allows traffic from mobile devices that comply with your configured Mobile Security device compliance settings.
Mobile Security is only available for Firebox M and T Series, FireboxV, and XTMv models. It requires a license on the Firebox, which specifies the maximum number of unique, concurrent users and has an expiration date. For more information, see Mobile Security Licensing.
Mobile Security Components
Mobile Security has both a server and a client component:
The server component of Mobile Security is on your Firebox. You enable Mobile Security for specific Firebox interfaces and configure compliance settings for the Android and iOS devices that connect to your network through those interfaces. The Firebox drops traffic on the selected interfaces from connected mobile devices that are not compliant with the device compliance requirements.
The client component of Mobile Security is the FireClient app, which you install on Android and iOS mobile devices. FireClient downloads the Mobile Security device compliance settings from the Firebox and verifies that mobile devices are compliant with the requirements you specify. FireClient then reports the compliance status to the Firebox. FireClient for Android uses a signature database to identify installed applications classified as malware, riskware, or adware.
How Mobile Security Works
After users connect to your network with an iOS or Android device, they must run FireClient to verify if their mobile devices are compliant with the Mobile Security requirements configured on the Firebox.
Users must install FireClient before they connect to a network that has Mobile Security enabled.
To protect your network, the Mobile Security components complete this process:
- An Android or iOS device connects to your network through a Wi-Fi or VPN connection.
  The Firebox denies all traffic from the device because it is not yet known to be compliant.
- The user opens the FireClient app on the mobile device, connects to the Firebox, and logs in.
  If the connection is through a VPN, FireClient does not require the user to log in again.
- FireClient verifies whether the mobile device is compliant with the Mobile Security settings on the Firebox.
  FireClient reports the compliance status to the Firebox.
- If FireClient indicates that the mobile device is compliant, the Firebox allows traffic from the device.
  For the device to remain compliant, the user must not close the FireClient app.
- If FireClient indicates that the mobile device is not compliant, or if the user closes the FireClient app, the Firebox denies traffic from the mobile device.
For information about how to enable and configure Mobile Security, see Enable Mobile Security.
Network Topology Considerations
Mobile Security enforcement applies only to traffic that is routed through the Firebox. Traffic between hosts on the same subnet never reaches the Firebox, so Mobile Security cannot enforce compliance on traffic from a mobile device to any other resource on the same subnet as the wireless network.
To fully protect resources on your network from Android and iOS devices that are not compliant, we recommend that you:
- Do not bridge a wireless network to the trusted or optional network
- Do not configure Mobile VPN with SSL to bridge VPN traffic
- Do not connect an AP device to a switch behind the Firebox that connects to other network resources on the same logical network
For more information and deployment examples, see Mobile Security Deployment Examples.
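The enforcement process in the steps above and the same-subnet caveat in Network Topology Considerations can be modelled in a few lines. The following is an added illustration written for this page, not WatchGuard's own code: it keeps a per-device verdict that starts as denied, flips to allowed only on a compliant FireClient report, and drops back to denied when the report is non-compliant or the app is closed. The class and function names, the fields of the compliance report, and the specific compliance rules (minimum OS version, root/jailbreak, flagged apps) are assumptions chosen to make the model concrete; the real settings are whatever you configure on the Firebox.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network


class Status(Enum):
    UNKNOWN = "unknown"            # connected, no FireClient report yet: denied
    COMPLIANT = "compliant"        # allowed
    NONCOMPLIANT = "noncompliant"  # denied


@dataclass
class DeviceReport:
    """Constructed compliance report; the fields are assumptions for this model."""
    platform: str                  # "android" or "ios"
    os_version: tuple              # e.g. (17, 1)
    rooted_or_jailbroken: bool
    flagged_apps: int              # malware/riskware/adware hits (Android signature DB)


@dataclass
class FireboxMobileSecurity:
    """Per-device allow/deny state as the page describes it (a model, not the product)."""
    # Assumed minimum OS versions standing in for configured compliance settings.
    min_os_version: dict = field(
        default_factory=lambda: {"android": (12, 0), "ios": (16, 0)})
    status: dict = field(default_factory=dict)   # device id -> Status

    def device_connected(self, device: str) -> None:
        # Step 1: a newly connected device has no verdict, so it is denied by default.
        self.status[device] = Status.UNKNOWN

    def evaluate(self, report: DeviceReport) -> bool:
        # FireClient's check against the configured settings (assumed rules).
        if report.rooted_or_jailbroken:
            return False
        if report.os_version < self.min_os_version[report.platform]:
            return False
        if report.platform == "android" and report.flagged_apps > 0:
            return False
        return True

    def fireclient_report(self, device: str, report: DeviceReport) -> Status:
        # Steps 2-3: FireClient logs in and reports; the Firebox records the verdict.
        verdict = Status.COMPLIANT if self.evaluate(report) else Status.NONCOMPLIANT
        self.status[device] = verdict
        return verdict

    def fireclient_closed(self, device: str) -> None:
        # Step 5: closing the app removes the verdict, so the device is denied again.
        self.status[device] = Status.UNKNOWN

    def allows(self, device: str) -> bool:
        # Step 4: only a current COMPLIANT verdict permits traffic (fail closed).
        return self.status.get(device) is Status.COMPLIANT


def enforced_by_firebox(src: str, dst: str, wireless_subnet: str) -> bool:
    """Topology caveat: traffic that stays inside the wireless subnet is switched
    locally and never reaches the Firebox, so Mobile Security cannot act on it."""
    net = ip_network(wireless_subnet)
    return not (ip_address(src) in net and ip_address(dst) in net)


if __name__ == "__main__":
    fb = FireboxMobileSecurity()
    fb.device_connected("phone-1")
    print("before report:", fb.allows("phone-1"))                  # False
    fb.fireclient_report("phone-1", DeviceReport("ios", (17, 1), False, 0))
    print("after compliant report:", fb.allows("phone-1"))         # True
    fb.fireclient_closed("phone-1")
    print("after app closed:", fb.allows("phone-1"))               # False
    # Constructed addresses: a wireless client talking to a peer on its own subnet.
    print("same-subnet traffic enforced:",
          enforced_by_firebox("192.168.10.5", "192.168.10.20", "192.168.10.0/24"))
```

The last function is the point of the topology recommendations: if a wireless network is bridged to the trusted or optional network, or an AP shares a switch with other resources, the source and destination sit in one subnet and `enforced_by_firebox` is false for that traffic, regardless of the device's compliance verdict.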