topic Re: Exclude CPM Traffic from Implied Rules for one GW r81.10 in General Topics

Exclude CPM Traffic from Implied Rules for one GW r81.10

Andrey_Gl — Thu, 27 Jul 2023 11:24:26 GMT

We manage a lot of gateways through our SMS, but on one gateway there is a need to encypt management traffic (CPM, etc.) through a tunnel. How can we configure the implied_rules.def file so that the traffic specifically to that gateway does go through the tunnel but not for others?

Re: Exclude CPM Traffic from Implied Rules for one GW r81.10

Tal_Paz-Fridman — Thu, 27 Jul 2023 11:54:31 GMT

Please look at:

https://community.checkpoint.com/t5/Management/Exclude-CPM-Traffic-from-Implied-Rules/m-p/9187#M1452

And:

sk105719 CPMI/CPM traffic from remote SmartConsole client to the Management Server is not encrypted, but accepted by Implied Rules instead:

https://support.checkpoint.com/results/sk/sk105719

But as PhoneBoy wrote:

"As a general rule, it is a bad idea to force control connections through the VPN.

If your VPN goes down for any reason, getting it back up when you have no ability to manage the gateway becomes a challenge."

Re: Exclude CPM Traffic from Implied Rules for one GW r81.10

Andrey_Gl — Thu, 27 Jul 2023 13:10:33 GMT

I agree with you, but there is only one cluster of gateways and there is only one public address (the vip address is public, and the addresses on the nodes are local), so it is not possible to manage them outside the tunnel.