topic Re: SMB central management and VPN tunnel in General Topics

SMB central management and VPN tunnel

marcinw — Wed, 22 Apr 2020 08:28:25 GMT

Hi ,

Quick question. In order to makes SMB 1550 firewall "centrally managed" , do I have to create VPN tunnel to Security Gateway and to be connected to Security Management Server via VPN through or VPN has nothing to do with this and I can be connected directly without VPN ? Thank you for responses.

Re: SMB central management and VPN tunnel

Marcel_Gramalla — Wed, 22 Apr 2020 08:53:31 GMT

Hi,

you don't need any VPN to connect your Management Server to any Gateway. You just add the new Device with the external IP address and initialize the SIC as you would do with any Gateway.

So you don't need a VPN for the "centrally managed" Gateway.

Re: SMB central management and VPN tunnel

marcinw — Wed, 22 Apr 2020 09:24:08 GMT

Thanks for reply,

I asked this question because I am struggling with adding 1550 to Open server SMS that is place behind Open server Gateway. Half of my lab is on ESXI the only "live" device is 1550 . I am getting message according what you see on the screenshot in attachment , but sometimes I am able to get policies, In dashboard of SMS 1550 is "green" and full visible. I tried many things , unfortunately all failed:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk102712

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk66381

I can't figure out what is the reason ?

Re: SMB central management and VPN tunnel

G_W_Albrecht — Wed, 22 Apr 2020 09:25:06 GMT

I have the identical setup and had no issues - could establish SIC, SMS receives Logs and Policy Pull from SMB works, too. The SMS has a Static NAT IP ( x.y.z.198 behind GW x.y.z.190), i would suggest to configure it like that.

I can see no screenshot, but would consult the logs first.

Re: SMB central management and VPN tunnel

marcinw — Wed, 22 Apr 2020 10:33:14 GMT

I have no idea why attachment is being scanned all the time anyway I see message

Security Management Server

Unreachable: Security Management server cannot be reached

Security Policy

Policy Name: Standard

Last policy installation failed: Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.

Nat works fine, 1550 can ping SMS and inversely, what can be wrong ?

Re: SMB central management and VPN tunnel

G_W_Albrecht — Wed, 22 Apr 2020 11:02:40 GMT

If you configured it following sk66381 all should work! Troubleshooting would start with checking $FWDIR/conf/masters on SMB, then check if files custom_logserver_ip and custom_mgmt_ip are located in /opt/fw1/conf, and check which IP address is configured in them.

Re: SMB central management and VPN tunnel

marcinw — Wed, 22 Apr 2020 12:05:19 GMT

hmmm in $FWDIR/conf/masters on SMB I see Policy, Log and Alert "CHeckpoint_MGMT" (the name from management dashboard) should I replace them with NATed IP address of SMS?