topic VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848 in Firewall and Security Management

VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848

Christine_Berns — Wed, 22 Mar 2023 13:49:14 GMT

We are trying to implement a VPN tunnel between our Checkpoint 7000 cluster and the Zscaler ZIA service as documented in sk174848. It looks like this procedure will cause ALL traffic, including traffic that would normally be handled by other VPN tunnels on the same cluster, traffic that would normally be routed to DMZ segments on the cluster, traffic from the Checkpoints to Checkpoint cloud update services and other traffic that should bypass the tunnel and go direct to the Internet, to be sent through this Zscaler tunnel. How can one exclude this traffic from going into the Zscaler tunnel?

Re: VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848

PhoneBoy — Wed, 22 Mar 2023 20:45:43 GMT

I believe, in this case, only traffic routed to the default route is sent across the tunnel.
Which means any more specific routes should apply first (i.e. for your LAN/DMZ or similar).
As for excluding traffic from Check Point updates, etc: my first thought was to see: https://support.checkpoint.com/results/sk/sk167135
Unfortunately, this isn’t supported with VPN.

Which means: what you’re asking for is very likely an RFE.

Re: VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848

Christine_Berns — Wed, 22 Mar 2023 21:49:26 GMT

Our VPNs are configured as domain-based VPNs. Let's say a packet for an external site gets routed via the default route to the firewall external interface and there are two VPN communities that this packet matches. Community-A is for a specific VPN to a client and the packet matches the specific source and destination addresses defined in the source and destination encryption domains. Community-B is for this Zscaler VPN and the packet matches the specific source address in the source encryption domain and also matches on the destination as this VPN is configured as a universal tunnel (as required by Zscaler). Which VPN community will this packet be encrypted by?

Re: VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848

PhoneBoy — Thu, 23 Mar 2023 13:57:06 GMT

When you use an empty encryption domain, it’s a route-based VPN.
In this case, the following rules apply: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109340&partition=Advanced&product=IPSec
Bottom line: Domain-Based VPNs take precidence.