https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255012#M49924 <P>Thank you once again,&nbsp;I see — this is the solution.</P><P>&nbsp;</P><P>Regards,</P><P>Chethan</P> Wed, 13 Aug 2025 06:57:36 GMT chethan_m 2025-08-13T06:57:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255007#M49920 <P>Hi,</P><P>&nbsp;</P><P>We are currently deploying CGNS firewalls on AWS.</P><P>&nbsp;</P><P>Architecture:</P><UL><LI>The management server is hosted on-premises behind a Check Point firewall cluster.</LI><LI>The CGNS firewall cluster is deployed in the cloud (AWS).</LI><LI>A route-based IPsec site-to-site VPN is established between the on-prem Check Point firewall cluster and the AWS VPN Gateway.</LI></UL><P>&nbsp;</P><P>The Issue:</P><UL><LI>Initially, we successfully established SIC communication between the on-prem SMS and the CGNS firewall cluster, and were able to push policies.</LI><LI>However, after a few minutes, the communication between the SMS and CGNS firewalls dropped (Gateways Lost).</LI><LI>We observed that traffic related to CPD (port 18191) and CPD_amon (port 18192) was hitting<SPAN>&nbsp;</SPAN><STRONG>implied rules</STRONG><SPAN>&nbsp;</SPAN>instead of the<SPAN>&nbsp;</SPAN><STRONG>explicit VPN access rules</STRONG><SPAN>&nbsp;</SPAN>configured.</LI><LI>Non-Check Point related traffic continues to flow over the VPN tunnel and is encrypted as expected.</LI></UL><P>&nbsp;</P><P>Should any exclusions be made in the "$FWDIR/lib/implied_rules.def<SPAN>&nbsp;file"&nbsp; to ensure CP management traffic is properly use the VPN tunnel instead of Implied rules.</SPAN></P><P>&nbsp;</P><P>Any guidance or suggestions to help resolve this would be greatly appreciated.</P><P>&nbsp;</P><P><SPAN>Thank you,</SPAN></P><P><SPAN>Chethan</SPAN></P><P>&nbsp;</P> Wed, 13 Aug 2025 06:35:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255007#M49920 chethan_m 2025-08-13T06:35:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255009#M49921 <P>SIC traffic should not go via your VPN rules, ever. If your VPn tunnel is down, you would lose control. For that reason, it is covered by implied rules, and it is not recommended to change that.<BR /><BR />Management traffic is encrypted, and there is no need to encrypt it again through your IPSec tunnels.&nbsp;</P> Wed, 13 Aug 2025 06:43:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255009#M49921 _Val_ 2025-08-13T06:43:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255010#M49922 <P><SPAN>Thank you for the quick response,&nbsp;</SPAN><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><P>There is currently no alternative communication channel between the on-prem SMS and the cloud-deployed CGNS firewalls. AWS Direct Connect is also not yet in place.</P><P>Given that the management server traffic is already encrypted, would it be feasible to re-establish SIC using<SPAN>&nbsp;</SPAN><STRONG>public IP addresses</STRONG><SPAN>&nbsp;</SPAN>instead of<SPAN>&nbsp;</SPAN><STRONG>private IP addresses</STRONG>?</P><P>&nbsp;</P><P>Regards,</P><P>Chethan</P> Wed, 13 Aug 2025 06:48:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255010#M49922 chethan_m 2025-08-13T06:48:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255011#M49923 <P>I don't see why not, I've done this many times with many customers around the globe.</P> Wed, 13 Aug 2025 06:51:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255011#M49923 _Val_ 2025-08-13T06:51:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255012#M49924 <P>Thank you once again,&nbsp;I see — this is the solution.</P><P>&nbsp;</P><P>Regards,</P><P>Chethan</P> Wed, 13 Aug 2025 06:57:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Management-Server-Traffic-Hits-the-Implied-Rules/m-p/255012#M49924 chethan_m 2025-08-13T06:57:36Z