topic Re: exclude gw public ip from encryption domain in Firewall and Security Management

exclude gw public ip from encryption domain

Nikolaos_Liakop — Mon, 29 Nov 2021 22:13:06 GMT

We have a couple of remote branch offices which consist of 1500 series SMB (centrally or locally managed) and a Cluster of CP at our HQ.
All of the remote branch offices connect to the HQ via a Star Topology S2S VPN.

We want our remote branch office users to be able to connect via client vpn (capsule,ENS) towards the HQ besides the S2S VPN
which is something we cannot accomplish at the moment

I suppose we can't connect due to the fact that the HQs public IP belongs to the encryption domain which is something that i want to exclude.
I know also that this can be accomplished via crypt.def. but no matter how hard i tried i cannot do it.

Has anyone done something similar and wants to share a template or an excerpt from crypt.def so that I can see what am I doing wrong ?

Regards

Re: exclude gw public ip from encryption domain

PhoneBoy — Mon, 29 Nov 2021 22:47:17 GMT

If you're just modifying $FWDIR/lib/crypt.def, that won't work for SMB gateways, which have their policy compiled from a different set of .def files.
More precisely they are in /opt/CPSFWR80CMP-R81.10/lib (replace R81.10 with your management version).

Re: exclude gw public ip from encryption domain

Nikolaos_Liakop — Tue, 30 Nov 2021 21:58:29 GMT

Do i need to exclude HQs public IP from all the CPs ??

I was thinking that if i could exclude it from the HQs crypt.def would suffice

Re: exclude gw public ip from encryption domain

PhoneBoy — Tue, 30 Nov 2021 22:04:46 GMT

I think in your case, you'll have to exclude it in both places (the HQ gateways and the SMB gateway).
That means editing both .def files.