topic Re: Remote Access and Site-to-Site VPN access restriction in General Topics

Remote Access and Site-to-Site VPN access restriction

Di_Junior — Sat, 17 Nov 2018 21:27:43 GMT

Dear Mates

I have currently migrated our VPN solution to Check Point. However, I have been experiencing some issues when it comes to restricting access to specific machines.

For example, if I set the VPN domain on the Gateway to 10.10.0.0/24 which is a network behind the gateway. And then create a firewall policy for remote users to access only 10.10.0.20/32, the remote users are also being able to access other hosts in 10.10.0.0/24 network like 10.10.0.22/32 , even if I only use a single host as a destination.

In the figure above, the RemoteAcess-users, are also being able to access other machines on the defined VPN domain apart from GUI-A.

Does this mean that remote users can access any machine in the VPN domain?

Any ideas on how this issue could be resolved, in such a way remote users only access the machines defined in the Destination field of the Firewall Policy?

Site-to-Site VPN

The same behavior is happening in site-to-site VPN, I only specified on host in the source, but other host can also access the remote machines even if they are not specified as source.

Thanks in advance

Re: Remote Access and Site-to-Site VPN access restriction

JozkoMrkvicka — Sun, 18 Nov 2018 06:54:50 GMT

1. Please check logs and find out which firewall rule is allowing such traffic (if all rules have enabled logging).

2. Send us screenshot of "GUI-A" and "GUI-B" hosts.

3. Check NAT rules if there are any.

Re: Remote Access and Site-to-Site VPN access restriction

Di_Junior — Sun, 18 Nov 2018 07:09:37 GMT

Hi there

There is only one rule. And when such communication happen, I don't see the logs in SmartView tracker. I'm starting to wondering if it's not an implicit rule.

Thanks

Re: Remote Access and Site-to-Site VPN access restriction

JozkoMrkvicka — Sun, 18 Nov 2018 07:16:39 GMT

Hi,

In this case try to enable logging of Implied rules from Global Settings and install the database (of course firewall itself).

Stupid question, but it happened to me few times - are you checking the correct gateway ? Try to do tcpdump to confirm that you see some traffic during test, and issue "fw stat" to find which policy package is used for this cluster.

Re: Remote Access and Site-to-Site VPN access restriction

Di_Junior — Sun, 18 Nov 2018 08:09:38 GMT

Hi Jozko Mrkvicka

The traffic seems to be accepted by an implied rule (see the figure below). The question is, where can i find the implied rule number 0? is it the first one in the implicit rules (File->View->implied rules)?

Thanks

Re: Remote Access and Site-to-Site VPN access restriction

JozkoMrkvicka — Sun, 18 Nov 2018 09:05:01 GMT

Isnt IP 10.10.1.3 one of cluster members? Is this IP part of Topology ?

usually traffic going from cluster members is going via Implied Rules.

Also, try some real traffic, like ssh or https, not ping.

Re: Remote Access and Site-to-Site VPN access restriction

Di_Junior — Sun, 18 Nov 2018 09:34:35 GMT

its not a cluster. I am using two separated gateways.

10.10.1.3 is a host which is part of the topology of the remote peer.

Re: Remote Access and Site-to-Site VPN access restriction

JozkoMrkvicka — Sun, 18 Nov 2018 09:45:07 GMT

10.10.1.3 must be included only in local VPN encryption domain of SGW-B (also part of Topology).

10.10.0.10 must be included only in remote VPN encryption domain of VPN-PEER.

Re: Remote Access and Site-to-Site VPN access restriction

Di_Junior — Sun, 18 Nov 2018 09:56:14 GMT

Hi Jozko Mrkvicka

You were right.

I enabled Web services on the 10.10.0.10, and I tried to access it using http from a remote client and access was not granted. I tried to ping it, it worked.

I guess this issue is only related to Ping.

Why is that ping is accepted by the implied rule even if the destination is not specified in the firewall policy?

Thanks

Re: Remote Access and Site-to-Site VPN access restriction

JozkoMrkvicka — Sun, 18 Nov 2018 13:09:02 GMT

Hi Di Junior‌,

Please check if you have Accept ICMP requests enabled, or not. These are the default settings for all implied rules:

Re: Remote Access and Site-to-Site VPN access restriction

AlekseiShelepov — Sun, 18 Nov 2018 17:26:59 GMT

0 - Implied rules - it represents all of implied rules, you would need to check Global properties or Implied rules themselves to understand which setting exactly allows this traffic. But usually it's not difficult to determine.

I would like to point to another possibility, which is not your case obviously, but just worth mentioning.

Accept all encrypted traffic option might be enabled in comunity properties.

Which will result in the following rule, which is visible in policy by default (not like implied rules).