https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34363#M88237 <HTML><HEAD></HEAD><BODY><P>If there is a possibility to use NAT for the 2 servers and forget the VPN, I would go that way, the point there is that the traffic is already encrypted.</P></BODY></HTML> Tue, 19 Feb 2019 10:16:38 GMT Maarten_Sjouw 2019-02-19T10:16:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34360#M88234 <HTML><HEAD></HEAD><BODY><P>I have a new secondary management server at a different site and have been asked to try and get it working over the VPN tunnels between sites.&nbsp; The problem is that the primary mgmt in site 1 and secondary in site 2 do not communicate correctly over the VPN as its my understanding that the control connections between them hit the implied rules first so the traffic does not get encrypted (allow control connection is switched on the Primary).&nbsp;</P><P></P><P>Getting them working on&nbsp;sk39740 did not work either and we ended up losing connectivity to the GWs are site 2</P><P></P><P>Any advice on whether the VPN option is&nbsp;possible and would be welcome.</P><P></P><P>Thanks</P><P>J</P></BODY></HTML> Tue, 19 Feb 2019 08:40:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34360#M88234 Jon_Dyke 2019-02-19T08:40:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34361#M88235 <HTML><HEAD></HEAD><BODY><P>When the tunnels are built on Check Point gateways managed by these management servers, this is correct. You cannot run management traffic over a tunnel that is managed by the same management server, think about it, when something fails on that tunnel, how will you be able to correct it?</P><P>For Management HA the ports used could be excluded from the Implied rules but the point is that 2 of these ports are also used in the communication between management and gateway.&nbsp;</P><P>The ports are 18221, 18211 and 18192 and the latter 2 are also used between GW and management.</P></BODY></HTML> Tue, 19 Feb 2019 09:23:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34361#M88235 Maarten_Sjouw 2019-02-19T09:23:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34362#M88236 <HTML><HEAD></HEAD><BODY><P>Probably helps if I explain a bit more.&nbsp; We have 3 sites with 2 GW's in each.&nbsp; There is a mesh VPN between them.&nbsp; Up to now we have had 1 mgmt server at 1 site but have now purchased a secondary mgmt server (to run in HA) for BCP purposes.&nbsp; The secondary is there for BCP only - we would only ever use it if we lost the primary site and needed to push policy to Site2 and Site3 (our production and DR site).</P><P></P><P>I understand its best practice to do this using&nbsp;<SPAN style="color: #333333; background-color: #ffffff;">sk39740 - but was curious if this was achievable - it seems it would be very tricky if the same ports are used for mgmt and GW.</SPAN></P><P></P><P><SPAN style="color: #333333; background-color: #ffffff;">We will take another look at&nbsp;<SPAN>sk39740 - but to be honest this was not proving easy either but&nbsp; we will persist with this&nbsp; approach.</SPAN></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"><SPAN>Thanks</SPAN></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"><SPAN>J</SPAN></SPAN></P></BODY></HTML> Tue, 19 Feb 2019 09:55:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34362#M88236 Jon_Dyke 2019-02-19T09:55:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34363#M88237 <HTML><HEAD></HEAD><BODY><P>If there is a possibility to use NAT for the 2 servers and forget the VPN, I would go that way, the point there is that the traffic is already encrypted.</P></BODY></HTML> Tue, 19 Feb 2019 10:16:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34363#M88237 Maarten_Sjouw 2019-02-19T10:16:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34364#M88238 <HTML><HEAD></HEAD><BODY><P>You don't want to go there.</P><P><A href="https://community.checkpoint.com/thread/6209-managing-a-gateway-over-vpn" target="_blank">https://community.checkpoint.com/thread/6209-managing-a-gateway-over-vpn</A>&nbsp;</P></BODY></HTML> Fri, 21 Jun 2019 09:20:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Secondary-Management-Server-over-VPN/m-p/34364#M88238 PhoneBoy 2019-06-21T09:20:22Z