https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248521#M48554 <P><SPAN>Hello, This SK is not accessible to me</SPAN></P> Fri, 09 May 2025 15:45:15 GMT jarvis_dantsrib 2025-05-09T15:45:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248481#M48540 <P><SPAN class="">Hello, I am facing a problem where connections on service port 18191 and Checkpoint native services are not encrypted within the VPN, as a consequence it is not possible to manage the firewall and install policy of the remote unit via LAN IP.</SPAN><SPAN class=""><BR /><BR />The interesting thing is that only Checkpoint service traffic is not encrypted, but ICMP, SSH, HTTPS and other non-native services are encrypted within the VPN.</SPAN><SPAN class=""><BR /><BR />It is possible to see that there is a match in implicit accept rules, but the traffic is encrypted.</SPAN></P> Fri, 09 May 2025 05:06:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248481#M48540 jarvis_dantsrib 2025-05-09T05:06:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248482#M48541 <P>This is by design, the CP service traffic is already encrypted and is required to be working to set up a VPN to a remote device over the internet as you need to install the policy to get the VPN going. As such we don't tunnel it by default. You can change this behaviour, but at your risk.</P> <P><A href="https://support.checkpoint.com/results/sk/sk104582" target="_blank">https://support.checkpoint.com/results/sk/sk104582</A></P> Fri, 09 May 2025 05:20:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248482#M48541 emmap 2025-05-09T05:20:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248521#M48554 <P><SPAN>Hello, This SK is not accessible to me</SPAN></P> Fri, 09 May 2025 15:45:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248521#M48554 jarvis_dantsrib 2025-05-09T15:45:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248528#M48559 <P>The solution (and its implications) are discussed in these two CheckMates threads:</P> <UL> <LI><A href="https://community.checkpoint.com/t5/Management/Exclude-CPM-traffic-from-implied-rules/m-p/3934" target="_blank">https://community.checkpoint.com/t5/Management/Exclude-CPM-traffic-from-implied-rules/m-p/3934</A></LI> <LI><A href="https://community.checkpoint.com/t5/Management/Exclude-CPM-Traffic-from-Implied-Rules/m-p/9187" target="_blank">https://community.checkpoint.com/t5/Management/Exclude-CPM-Traffic-from-Implied-Rules/m-p/9187</A></LI> </UL> <P>&nbsp;</P> Fri, 09 May 2025 17:13:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/248528#M48559 PhoneBoy 2025-05-09T17:13:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/272818#M103927 <P>I don't know why but this SK doesn't work for R82 SMS and R81.20 GW configuration.<BR />Right now, I've excluded next:</P><P><SPAN class="">/*<SPAN>&nbsp;</SPAN></SPAN><SPAN class=""><A title="#define" target="_blank">#define</A></SPAN><SPAN class=""><SPAN>&nbsp;</SPAN>ENABLE_CPMI */</SPAN></P><P><SPAN class="">/*<SPAN>&nbsp;</SPAN></SPAN><SPAN class=""><A title="#define" target="_blank">#define</A></SPAN><SPAN class=""><SPAN>&nbsp;</SPAN>ENABLE_CPD */</SPAN></P><P><SPAN class="">/*<SPAN>&nbsp;</SPAN></SPAN><SPAN class=""><A title="#define" target="_blank">#define</A></SPAN><SPAN class=""><SPAN>&nbsp;</SPAN>ENABLE_FWD_LOG */</SPAN></P><P><BR />And after policy installation I see same clear text traffic via VPNT interface.</P> Mon, 09 Mar 2026 08:35:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/272818#M103927 akurtasanov 2026-03-09T08:35:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/272821#M103929 <P>Please make sure you are editing the right instance of the file.&nbsp;<A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Content/Topics-SECMG/Configuring_Implied_Rules_or_Kernel_Tables_for_Security_Gateways_implied_rules.def.htm" target="_blank">https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Content/Topics-SECMG/Configuring_Implied_Rules_or_Kernel_Tables_for_Security_Gateways_implied_rules.def.htm</A></P> <P>&nbsp;</P> Mon, 09 Mar 2026 08:56:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/272821#M103929 emmap 2026-03-09T08:56:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/273341#M104112 <P>Yes, I checked. I contacted TAC but so far no results. Restarting the SMS didn't help either.</P> Fri, 13 Mar 2026 08:02:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connections-to-Checkpoint-native-services-do-not-encrypt-within/m-p/273341#M104112 akurtasanov 2026-03-13T08:02:29Z