topic Re: exclude checkpoint public/external ip from encryption domain? in General Topics

exclude checkpoint public/external ip from encryption domain?

Tommie_Van_Hove — Mon, 19 Jun 2023 12:16:56 GMT

Hello.

Yes another one of these regarding crypt.def file that needs to be modified but slightly different.

there are currently 2 sites with a checkpoint cluster.
both are managed by the same SMS located in site 1 ( site1 cluster managed via internal ip, site2 cluster via public ip)
the 2 clusters also make a s2s vpn.
(this is running now with no modifications to crypt.def file)

the company wants a multi vendor approach and has decided to change the roll of the checkpoint to internal/dmz firewall and bought palo alto firewalls to be the internet facing firewall.

the main site will be migrated first which means there will be an intermediate setup where the internet facing firewall on site 1 will be palo alto and the remote site will still be checkpoint.
(also requiring a s2s tunnel from palo alto to remote checkpoint)

I already want to prepare the crypt.def file right now (when it's still checkpoint to checkpoint) but am a bit confused which entries I then have to configure to make sure both checkpoint clusters don't send the remote public ips inside the tunnel.

so far I got:

vpn_exclude_1={<"site1 1st public ip","site1 3rd public ip">};
vpn_exclude_2={<"site2 1stpublic ip","site2 3rd public ip">};

#define NON_VPN_TRAFFIC_RULES ((src=vpn_exclude_1) or (src=vpn_exclude_2) or (dst=vpn_exclude_1) or (dst=vpn_exclude_2))

but I'm not sure if this is not too much.
open questions:

1: they are both clusters so the checkpoints have a vip ( 1st ip), gw1(2nd ip), gw2(3rd ip) hence the vpn_exclude objects contain a range of 3 ip's.
I'm not entirely sure if this is necessary? do I need to exclude each ip defined on a checkpoint ( vip and physical interface ip) or would i only need to exclude the vip?
or should I just exclude the entire public ip subnet of each site (eg /28) ?

2: both checkpoints clusters will have to use this crypt.def file to exclude the other's public ip from the tunnel
my logic:
I need to include "src=vpn_exclude_1" and "dst=vpn_exclude_2" for the cluster on site 1 to make sure it does not send its own public ip in the tunnel and so that it knows it can accept the public ip of site2 outside the tunnel

I need to include "src=vpn_exclude_2" and "dst_vpn_exclude_1" for the cluster on site 2 to make sure it does the exact same.

so 4 statements required to get this to work between 2 checkpoint peers
Am I correct here or do I not need to include those 4 statements in the non_vpn_traffic_rules

During migration (intermediat setup with 1 side palo alto) as long as the peer ip used by the palo to setup the vpn tunnel is one of the 3 addresses that is already excluded it should require no further modification on the remote checkpoint once the local gateway becomes a palo alto.

goals of doing this:
I do not want to lose my mgmt connection to the remote gateway when installing this policy (with the new crypt.def file)
I do not want to lose my mgmt connection to the remote gateway over public ip when we install the palo alto in front of the checkpoint on site 1. (at this point the public ip is moved away from the site1 checkpoint and natting behind public ip will be done by the palo alto)

Re: exclude checkpoint public/external ip from encryption domain?

K_R_V — Mon, 19 Jun 2023 14:35:37 GMT

Hey Tommie,

Indeed, to exclude the public IP address form the encryption domain , you will need to modify the crypt.def file. I'm still hoping for a check box to enable/disable this in the future !
There is no real need for this exclusion just to setup a VPN tunnel to a 3th party, only if you need communication over the IP addresses outside the tunnel (icmp, webserver running on the same Public IP and outside of the tunnel, ..)

I think your syntax is correct, but a bit too much with only OR's, I would create it like this :

vpn_exclude_1={<"site1 1st public ip","site1 3rd public ip">};
vpn_exclude_2={<"site2 1st public ip","site2 3rd public ip">};

#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES ((src in vpn_exclude_1 and dst in vpn_exclude_2) or \
(src in vpn_exclude_2 and dst in vpn_exclude_1))
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif

question 1 :
I think only the VIP is needed and not the physical IP addresses, but no harm to add them.

question 2 : indeed, should be like this :

(src in vpn_exclude_1 and dst in vpn_exclude_2) or
(src in vpn_exclude_2 and dst in vpn_exclude_1)

Re: exclude checkpoint public/external ip from encryption domain?

PhoneBoy — Mon, 19 Jun 2023 17:43:26 GMT

Indeed, to exclude the public IP address form the encryption domain , you will need to modify the crypt.def file. I'm still hoping for a check box to enable/disable this in the future !

It's there in R81.20:

Re: exclude checkpoint public/external ip from encryption domain?

D_W — Thu, 10 Apr 2025 10:24:27 GMT

Will this option "Exclude gateway's external IP addresses from VPN Domain" be available for SMB Devices as well?

Re: exclude checkpoint public/external ip from encryption domain?

PhoneBoy — Thu, 10 Apr 2025 15:11:03 GMT

I see no reason why we wouldn't, but it doesn't seem to be supported at present.

Re: exclude checkpoint public/external ip from encryption domain?

genisis__ — Fri, 20 Jun 2025 15:47:13 GMT

I've noted that "vpn-domain-exclude-external-ip-addresses" is not available in the API (2.0) which is set when you enable "Exclude gateway's external IP addresses from VPN Domain" from the GUI. Do we know when this will be available?

Re: exclude checkpoint public/external ip from encryption domain?

PhoneBoy — Mon, 23 Jun 2025 19:28:16 GMT

Offhand, I do not.
However, there are many things relative to the gateway object that still need API support.

Re: exclude checkpoint public/external ip from encryption domain?

MiniNinja — Sun, 22 Mar 2026 14:57:23 GMT

Hey PhoneBoy,

You know that this option excludes not only external IPs but also the main IP from the VPN domain.

We have encountered this, and it’s not a bug, but a feature.

At the same time, UserCheck, Identity Sharing, and I believe Captive Portal themselves select the main IP as their access IP.

This creates a catch-22 situation for branches if they route through the center, assuming that the white (public) IPs of both nodes must be accessible outside of IPsec.

Re: exclude checkpoint public/external ip from encryption domain?

PhoneBoy — Mon, 23 Mar 2026 21:25:37 GMT

Had no idea it excluded the Main IP, though it does make sense.
Pretty sure you can change the IPs used for UserCheck/Captive Portal, though I'm not sure about Identity Sharing.
Identity Broker is always an option.