topic Re: VPN Disconnect after disabling: Accept Remote Access Control Connections in Firewall and Security Management

VPN Disconnect after disabling: Accept Remote Access Control Connections

DR_74 — Thu, 16 Sep 2021 13:36:27 GMT

Hi,

TCP 264 was opened on our gateways. As we don't use Remote Access VPN on our Gateway we would like to disable it.

We only have Site 2 Site VPN with Azure.(built in Azure VPN, not a Checkpoint VM in Azure)

After disabling "Accept Remote Access Control Connections" on our Checkpoint gateway, the VPN with Azure get disconnected.

Re-enabling it and Install Policiies makes the VPN up again

From my understanding TCP 264 is only relevant with for Remote Access VPN, not Site2Site...

Does it make sense?

Re: VPN Disconnect after disabling: Accept Remote Access Control Connections

G_W_Albrecht — Thu, 16 Sep 2021 14:20:58 GMT

From sk52421 Ports used by Check Point software it does look like that:

TCP

264

FW1_topo - Check Point Security Gateway SecuRemote Topology Requests

Topology Download from Security Gateway (by FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient

But in sk42815: How to create a site to site (S2S) VPN without using control connections we learn:

If you turn off implied rules (if you disable them in Global Properties > Firewall > Accept VPN-1 power/UTM control connection and Accept Remote Access control connections), you may not be able to install a policy on a Remote VPN-1 Power Gateway. Even if you define explicit rules in place of the implied rules, you may still not be able to install the policy.

Re: VPN Disconnect after disabling: Accept Remote Access Control Connections

DR_74 — Thu, 16 Sep 2021 14:29:31 GMT

Thanks, maybe I don't understand the sk but it does'nt make sense in our environment:

- We have an On-Prem gateway and the remote GW is an Azure gateway.

- We only disable : Accept Remote Access control connections

We don't use Remote VPN.

Re: VPN Disconnect after disabling: Accept Remote Access Control Connections

PhoneBoy — Thu, 16 Sep 2021 14:38:20 GMT

I suspect that option is doing something else in addition.
Recommend the following: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132712&partition=Advanced&product=Mobile

Re: VPN Disconnect after disabling: Accept Remote Access Control Connections

G_W_Albrecht — Thu, 16 Sep 2021 15:02:27 GMT

sk42815 tells you how to replace implied rules my manually defined rules. For working S2S VPN, either just enable Accept Remote Access control connections or use sk42815 to create a manual rule instead !