https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240827#M46722 <P>By commenting&nbsp;<SPAN>#define ENABLE_CPD_AMON MGMT server was able to reach VSX gateway and install policy but I cannot create new interface or virtual system. I see 18191 port traffic is going as clear text. I tried to exclude&nbsp;#define ENABLE_CPD but it doesn't work and now policy push is failing on virtual system with TCP connectivity failure (Port 18191)</SPAN></P><P><SPAN>In other gateway I see traffic is dropping saying, clear text should be encrypted.&nbsp;</SPAN></P><P><SPAN>VSX should send it in through ipsec tunnel.</SPAN></P><P>&nbsp;</P> Mon, 10 Feb 2025 14:23:02 GMT an_technical 2025-02-10T14:23:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240795#M46721 <P>Hi All,</P><P>&nbsp;</P><P>I am working on a deployment where SMS and VSX gateway are separated by cities and communication is over ipsec tunnel.</P><P>I commented #define ENABLE_CPD_AMON from implied_rules.def rule and created new rule in access policy to send traffic in vpn.</P><P>Will this be enough for management server to communicate with VSX gateway (connectivity from mgmt to VSX, Policy installation etc)</P><P>&nbsp;</P><P>Thanks</P> Mon, 10 Feb 2025 10:35:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240795#M46721 an_technical 2025-02-10T10:35:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240827#M46722 <P>By commenting&nbsp;<SPAN>#define ENABLE_CPD_AMON MGMT server was able to reach VSX gateway and install policy but I cannot create new interface or virtual system. I see 18191 port traffic is going as clear text. I tried to exclude&nbsp;#define ENABLE_CPD but it doesn't work and now policy push is failing on virtual system with TCP connectivity failure (Port 18191)</SPAN></P><P><SPAN>In other gateway I see traffic is dropping saying, clear text should be encrypted.&nbsp;</SPAN></P><P><SPAN>VSX should send it in through ipsec tunnel.</SPAN></P><P>&nbsp;</P> Mon, 10 Feb 2025 14:23:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240827#M46722 an_technical 2025-02-10T14:23:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240869#M46723 <P>In general, we do not recommend making this configuration change as you can end up in a situation where you are unable to manage your gateways due to a VPN outage.<BR />Also, it's best to consult with TAC to ensure you are making the correct changes to implied rules.</P> Mon, 10 Feb 2025 20:00:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240869#M46723 PhoneBoy 2025-02-10T20:00:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240917#M46728 <P>100% concur with PhoneBoy. &nbsp;I tried this myself long ago, and (amazingly) I got it working... for a short time. &nbsp;It eventually became very problematic and I had to undo this trick. &nbsp;Do not do it this way; avoid it as much as you can.</P> <P>You'll need to manage the VSX directly from your remote management server, but not through a VPN or through another VS; the VS0 can protect itself.</P> <P>&nbsp;</P> Tue, 11 Feb 2025 15:06:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SMS-and-VSX-gateway-communication-over-ipsec-tunnel/m-p/240917#M46728 Duane_Toler 2025-02-11T15:06:53Z