topic Re: Gateway uses VPN despite not being part of the VPN domain in Firewall and Security Management

Gateway uses VPN despite not being part of the VPN domain

Robin_H — Tue, 18 Jul 2023 15:16:52 GMT

Hi!

I´m in the process of setting up a Site2Site VPN from our office to Cisco Umbrella to channel all user surf traffic to the Umbrella "Proxy".

Tunnel is a star community, one tunnel per gateway

My gateway is center and VPN domain is "User-computer-VLAN" (192.168.5.0/24).

Satellite Gateway is the Umbrella gateway with VPN domain "Internet_without_Private_Networks". This is a group-with-exclusion object, consisting of "Internet" except "Private networks (RFC 1918)". The purpose is that the clients shall access all internet IPs through the tunnel, only then being filtered through the Umbrella proxies.

The traffic is then allowed in the ruleset, I also added the community to the rule.

This works nicely but there is a side effect. Every traffic from the gateway itself is also send into the tunnel. This ranges from DNS traffic for ISP redundancy DNS proxy updates to user-VPN-tunnels not working to the gateway to not being able to download updates for IPS and patches.

"Excluded services" might help me with ISP redundancy ping and User-VPN-tunnels but not with the IPS updates. Eventually, Client DNS shall also go through the tunnel, so I can´t exlude that either.

Is there any way I can exclude the gateway from using the tunnel?

Any ideas appreciated!

Greetings,

Robin

Re: Gateway uses VPN despite not being part of the VPN domain

RS_Daniel — Tue, 18 Jul 2023 18:18:55 GMT

Yes,

Check sk108600 scenario 3:

https://support.checkpoint.com/results/sk/sk108600

You can use crypt.def file to exclude traffic from vpn including src ip, dst ip and ports.

Regards

Re: Gateway uses VPN despite not being part of the VPN domain

CheckPointerXL — Tue, 18 Jul 2023 20:13:03 GMT

Take a look here, the setup should be similar

https://support.checkpoint.com/results/sk/sk179920

Re: Gateway uses VPN despite not being part of the VPN domain

Robin_H — Wed, 19 Jul 2023 15:39:51 GMT

This is the way I was already going. Good to know that it seems to be the current best-practice.

In this case, putting services in the cloud does not make things easier though.

Re: Gateway uses VPN despite not being part of the VPN domain

Thomas_Eichelbu — Mon, 18 Dec 2023 12:31:49 GMT

Hello,

did you follow the Cisco guide?
https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnels-with-checkpoint-gaia

do you run a "Domain Based" tunnel or with VTI Tunnel interfaces?

Re: Gateway uses VPN despite not being part of the VPN domain

Robin_H — Thu, 21 Dec 2023 14:12:58 GMT

We´re not using VTI.
Our Umbrella contact just mentioned this new guide the other day but switching to it would be too big at the moment.

We do have an issue with the current setup (IKE SA is not simply renewed or gracefully finished) but that seems related to our usage of MEP, using two different Umbrella DCs in a star community for additional redundancy. Troubleshooting on this will commence soon.