topic HowTo: Use SSH tunnels with Check Point in General Topics

topic HowTo: Use SSH tunnels with Check Point in General Topics https://community.checkpoint.com/t5/General-Topics/HowTo-Use-SSH-tunnels-with-Check-Point/m-p/146631#M25757 <P><STRONG>SSH tunnels</STRONG> are very helpful to tunnel required traffic through a working SSH connection.</P> <P><STRONG>Pro:</STRONG></P> <UL> <LI>If SSH is already working, other traffic can be routed through it without the need for additional rules / policy install</LI> </UL> <P><STRONG>Prerequisites:</STRONG></P> <UL> <LI>SSH tunneling needs to be enabled <UL> <LI>temporarily: <CODE>sed -i 's/^AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && sshd restart</CODE></LI> <LI>permanently: see <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106031" target="_self">sk106031</A></LI> </UL> </LI> <LI><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Host-Access.htm" target="_self">Host Access</A> / <A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/GUI-Clients.htm" target="_self">GUI Clients</A> might need to be adjusted to allow connections from the system that tunnels the traffic (<EM>source ip or 127.0.0.1 in case your tunnel's destination is the local system</EM>)</LI> <LI>SSH session timeout should be unset while tunneling traffic via: <CODE>unset TMOUT</CODE></LI> </UL> <P><STRONG>Use cases:</STRONG></P> <UL> <LI>Troubleshooting connectivity issues <UL> <LI>Example: if your normal SmartConsole connection to the SmartCenter Server doesn't work anymore (<EM>VPN down or something else</EM>) but you can still connect to the firewall gateway via SSH, you can simply tunnel SmartConsole connections through the gateway</LI> </UL> </LI> <LI>.. </LI> </UL> <P><STRONG>Establishing a SSH tunnel:</STRONG></P> <UL> <LI>Example for a SmartConsole connection: <UL> <LI>According to <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk52421" target="_self">sk52421</A> ports 443, 18190, 18210 and 19009 need to be tunneled to the SmartCenter Server</LI> <LI>the <A href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html" target="_self">Putty</A> way:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 452px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16103i217FE8E528264ADD/image-size/large?v=v2&px=999" role="button" title="image.png" alt="image.png" /></span></LI> <LI>recent Windows versions have an OpenSSH client built-in, so you can also open a CMD terminal and establish an SSH tunnel via CLI using the <CODE>ssh -L</CODE> parameter</LI> <LI>and of course any other SSH client of your choice should work as well</LI> <LI>after the SSH tunnel is established you can then start SmartConsole like this and the traffic is piped through the SSH tunnel:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 677px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16104iE4FE64E75704B297/image-size/large?v=v2&px=999" role="button" title="image.png" alt="image.png" /></span></LI> </UL> </LI> </UL> Wed, 20 Apr 2022 21:49:48 GMT Danny 2022-04-20T21:49:48Z HowTo: Use SSH tunnels with Check Point https://community.checkpoint.com/t5/General-Topics/HowTo-Use-SSH-tunnels-with-Check-Point/m-p/146631#M25757 <P><STRONG>SSH tunnels</STRONG> are very helpful to tunnel required traffic through a working SSH connection.</P> <P><STRONG>Pro:</STRONG></P> <UL> <LI>If SSH is already working, other traffic can be routed through it without the need for additional rules / policy install</LI> </UL> <P><STRONG>Prerequisites:</STRONG></P> <UL> <LI>SSH tunneling needs to be enabled <UL> <LI>temporarily: <CODE>sed -i 's/^AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && sshd restart</CODE></LI> <LI>permanently: see <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106031" target="_self">sk106031</A></LI> </UL> </LI> <LI><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/Host-Access.htm" target="_self">Host Access</A> / <A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/GUI-Clients.htm" target="_self">GUI Clients</A> might need to be adjusted to allow connections from the system that tunnels the traffic (<EM>source ip or 127.0.0.1 in case your tunnel's destination is the local system</EM>)</LI> <LI>SSH session timeout should be unset while tunneling traffic via: <CODE>unset TMOUT</CODE></LI> </UL> <P><STRONG>Use cases:</STRONG></P> <UL> <LI>Troubleshooting connectivity issues <UL> <LI>Example: if your normal SmartConsole connection to the SmartCenter Server doesn't work anymore (<EM>VPN down or something else</EM>) but you can still connect to the firewall gateway via SSH, you can simply tunnel SmartConsole connections through the gateway</LI> </UL> </LI> <LI>.. </LI> </UL> <P><STRONG>Establishing a SSH tunnel:</STRONG></P> <UL> <LI>Example for a SmartConsole connection: <UL> <LI>According to <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk52421" target="_self">sk52421</A> ports 443, 18190, 18210 and 19009 need to be tunneled to the SmartCenter Server</LI> <LI>the <A href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html" target="_self">Putty</A> way:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 452px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16103i217FE8E528264ADD/image-size/large?v=v2&px=999" role="button" title="image.png" alt="image.png" /></span></LI> <LI>recent Windows versions have an OpenSSH client built-in, so you can also open a CMD terminal and establish an SSH tunnel via CLI using the <CODE>ssh -L</CODE> parameter</LI> <LI>and of course any other SSH client of your choice should work as well</LI> <LI>after the SSH tunnel is established you can then start SmartConsole like this and the traffic is piped through the SSH tunnel:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 677px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16104iE4FE64E75704B297/image-size/large?v=v2&px=999" role="button" title="image.png" alt="image.png" /></span></LI> </UL> </LI> </UL> Wed, 20 Apr 2022 21:49:48 GMT https://community.checkpoint.com/t5/General-Topics/HowTo-Use-SSH-tunnels-with-Check-Point/m-p/146631#M25757 Danny 2022-04-20T21:49:48Z