https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3938#M101659 <HTML><HEAD></HEAD><BODY><P>That did indeed work. I will see about getting that SK updated for R80.10.</P><P></P><P>Much appreciated!</P></BODY></HTML> Wed, 05 Jul 2017 17:02:09 GMT William_Garner 2017-07-05T17:02:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3934#M101655 <HTML><HEAD></HEAD><BODY><P>I need the ability to manage a remote R80.10 SmartCenter that is on the other side of a Check Point R80.10 GW. The two locations are connected via a site to site VPN.&nbsp;CPM traffic from remote SmartConsole client R80.10 is sent in the clear to R80.10 SmartCenter because of implied rules instead of being encrypted by the site to site VPN.</P><P></P><P>SK105719 describes the procedure in earlier versions by removing CPMI from the implied rules but does not reference CPM. I have verified that turning off all implied rules in global properties will fix the problem but I only want to remove CPM (tcp 19009) and CPMI (tcp 18190).</P><P></P><P>Thanks!</P></BODY></HTML> Mon, 03 Jul 2017 05:18:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3934#M101655 William_Garner 2017-07-03T05:18:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3935#M101656 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The checkbox&nbsp;that controls this implied rule is "Accept Control Connections". It also generates 36 additional implied rules, all responsible for the different Check Point processes and the interactions between them.</P></BODY></HTML> Mon, 03 Jul 2017 06:58:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3935#M101656 Tomer_Sole 2017-07-03T06:58:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3936#M101657 <HTML><HEAD></HEAD><BODY><P>Hi Tomer,</P><P></P><P>Yes unchecking "Accept Control Connections" will allow the SmartConsole client to connect over the VPN but having a workaround that only excludes CPM and CPMI would be helpful. If this was a VSX environment, disabling "Accept Control Connections", would cause problems with provisioning virtual hardware.&nbsp;</P><P>Thanks!</P></BODY></HTML> Mon, 03 Jul 2017 17:06:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3936#M101657 William_Garner 2017-07-03T17:06:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3937#M101658 <HTML><HEAD></HEAD><BODY><P>The "#define ENABLE_CPMI" in $FWDIR/lib/implied_rules.def on SmartCenter should&nbsp;also responsible for the CPM-Traffic.</P><P></P><P>See following output:</P><P><EM># cat implied_rules.def | grep CPM</EM><BR /><EM>#define ENABLE_CPMI</EM><BR /><EM>#ifdef ENABLE_CPMI</EM><BR /><EM> (dport = CPMI_PORT or dport = CPMI_PORT_NGM), tcp, \</EM><BR /><EM> (sport = CPMI_PORT or sport = CPMI_PORT_NGM), tcp,</EM></P><P></P><P><EM># cat services.def | grep CPMI_PORT_NGM<BR />#ifndef CPMI_PORT_NGM<BR />#define CPMI_PORT_NGM 19009</EM></P><P></P><P>So it should be possible to exclude CPM/CPMI-Traffic by commenting out the "#define ENABLE_CPMI" like the following:</P><P><EM>/* #define ENABLE_CPMI */</EM></P><P></P><P><EM>Be sure to backup your files beforehand <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></EM></P></BODY></HTML> Wed, 05 Jul 2017 12:36:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3937#M101658 Norbert_Bohusch 2017-07-05T12:36:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3938#M101659 <HTML><HEAD></HEAD><BODY><P>That did indeed work. I will see about getting that SK updated for R80.10.</P><P></P><P>Much appreciated!</P></BODY></HTML> Wed, 05 Jul 2017 17:02:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3938#M101659 William_Garner 2017-07-05T17:02:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3939#M101660 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you for sharing this info. I commented radius out of $FWDIR/lib/implied_rules.def. I needed to exclude this traffic because we use a route-based VPN in our situation. I noticed that the specific connection was accepted by a implied rule (control connection) and leaving the gateway un-encrypted via the wrong interface.</P><P></P><P>FYI</P><P></P><P>I found <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk32564&amp;partition=General&amp;product=IPSec">sk32564</A> explaining WHY this happens.</P><P></P><P>Greetz!</P><P></P><P>Jelle</P></BODY></HTML> Thu, 15 Feb 2018 20:22:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Exclude-CPM-traffic-from-implied-rules/m-p/3939#M101660 _Jelle 2018-02-15T20:22:55Z