https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-Management-R77-30-Gateway-as-VPN-Endpoint/m-p/3110#M4289 <HTML><HEAD></HEAD><BODY><P>Note that tcpdump should still show the communication on TCP port 257 if Implied Rules are impacting the communication.</P><P>It sounds like the&nbsp;Security Groups in AWS are blocking communication here.</P></BODY></HTML> Wed, 28 Jun 2017 02:47:39 GMT PhoneBoy 2017-06-28T02:47:39Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-Management-R77-30-Gateway-as-VPN-Endpoint/m-p/3109#M4288 <HTML><HEAD></HEAD><BODY><P>Currently have a star VPN configuration between On Prem and AWS.&nbsp; (Two firewalls on prem, two firewalls in AWS).</P><P></P><P>Prior to a policy push with R80.10 management, I was able to collect logs from the AWS appliances over the VPN tunnel that was built.&nbsp; Now, after pushing policy from an R80.10 Management server, I'm no longer able to send logs from the AWS gateways to the on prem management server.&nbsp; Connectivity to the gateways in AWS is fine (can still push policy / reach devices behind the gateways)</P><P></P><P>A netstat shows the gateway in AWS attempting to connect to the proper logging server:</P><P>tcp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1 10.0.0.1:55388&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.1:257&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SYN_SENT&nbsp;&nbsp;&nbsp; 4487/fwd</P><P></P><P>I am able to successfully connect to 192.168.0.1 from the gateway (via ping or telnet tests):</P><P>[Expert@FW1:0]# ping 192.168.0.1</P><P>PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.</P><P>64 bytes from 192.168.0.1: icmp_seq=1 ttl=58 time=34.3 ms</P><P>64 bytes from 192.168.0.1: icmp_seq=2 ttl=58 time=28.4 ms</P><P>64 bytes from 192.168.0.1: icmp_seq=3 ttl=58 time=28.7 ms</P><P></P><P>[Expert@FW1:0]# telnet 192.168.0.1 443</P><P>Trying 192.168.0.1...</P><P>Connected to 192.168.0.1.</P><P>Escape character is '^]'.</P><P>^]</P><P></P><P>However, when I attempt to telnet directly to port 257, the telnet test times out:</P><P>[Expert@FW1:0]# telnet 192.168.0.1 257</P><P>Trying 192.168.0.1...</P><P>telnet: connect to address 192.168.0.1: Connection timed out</P><P></P><P>My assumption is that the implied rules for Logging are taking precedence and the logging traffic is not making it to the explicit rule in policy that allows and encrypts the traffic.</P></BODY></HTML> Sun, 02 Apr 2017 14:55:45 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-Management-R77-30-Gateway-as-VPN-Endpoint/m-p/3109#M4288 Kyle_S 2017-04-02T14:55:45Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-Management-R77-30-Gateway-as-VPN-Endpoint/m-p/3110#M4289 <HTML><HEAD></HEAD><BODY><P>Note that tcpdump should still show the communication on TCP port 257 if Implied Rules are impacting the communication.</P><P>It sounds like the&nbsp;Security Groups in AWS are blocking communication here.</P></BODY></HTML> Wed, 28 Jun 2017 02:47:39 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-Management-R77-30-Gateway-as-VPN-Endpoint/m-p/3110#M4289 PhoneBoy 2017-06-28T02:47:39Z