topic Re: Traffic is suddenly encrypted by VPN in General Topics

Traffic is suddenly encrypted by VPN

SecurityNed — Fri, 08 Sep 2023 09:18:13 GMT

Hello Checkpoint Community,

We have this unusual behavior in our client's instance wherein traffic is suddenly encrypted through VPN when it shouldn't.

We honestly don't know why this happened, as there were no changes performed.

Does anyone have any experience in this and could give us some insight.

Thanks!

Re: Traffic is suddenly encrypted by VPN

PhoneBoy — Sat, 09 Sep 2023 02:28:49 GMT

Do you have a route-based VPN (with VTIs) configured here?
You'd probably need to dig into the log entries (the full log cards) to see why the rulebase logic changed.

Re: Traffic is suddenly encrypted by VPN

SecurityNed — Mon, 11 Sep 2023 13:29:23 GMT

When opening the log cards, it just says that it's encrypted. But yeah I do think I have a route-based VPN.

I do noticed that in the log card, the traffic is routed to an IPsec VPN peer for some reason, which shouldn't be the case since I didn't define any routes that would do such action.

Re: Traffic is suddenly encrypted by VPN

Martijn — Mon, 11 Sep 2023 14:26:37 GMT

Hi,

The VPN log mentions tcp-high-ports as the service and the non-VPN log mentions TCP-9001 as the service. Can you check on what rule the VPN is hit? And check on what rule it should hit?

Did you changed 'Match for Any' in the mentioned services so traffic is hitting another rule than expected?

Maybe you can take a look at the Audit log to see what was changed after September 6th.

Regards,
Martijn

Re: Traffic is suddenly encrypted by VPN

the_rock — Mon, 11 Sep 2023 14:43:34 GMT

I see the point @Martijn is making, I would definitely check into that as well.

Andy

Re: Traffic is suddenly encrypted by VPN

PhoneBoy — Mon, 11 Sep 2023 17:49:25 GMT

Is it all static routes or are dynamic routes used?
Either way, it appears that routing changed somewhere.
This would probably require investigation from the TAC: https://help.checkpoint.com

Re: Traffic is suddenly encrypted by VPN

Zolocofxp — Mon, 11 Sep 2023 23:47:17 GMT

You can also follow sk25675 and sk98241 to exclude traffic from being encrypted.

Re: Traffic is suddenly encrypted by VPN

the_rock — Tue, 12 Sep 2023 00:43:47 GMT

Definitely good SKs.

Re: Traffic is suddenly encrypted by VPN

SecurityNed — Tue, 12 Sep 2023 09:13:45 GMT

I will check this as soon as I'm on site tomorrow. But I do remember its "Match Any".

There's no changes to the rule as well.

Re: Traffic is suddenly encrypted by VPN

SecurityNed — Tue, 12 Sep 2023 09:31:39 GMT

Hello Everyone,

To add, I just found a blocked rule regarding this which is unusual. It shouldn't be communicating to my other NGFW pair but it seems it is (via VPN)

I'm currently checking the SKs provided by @Zolocofxp, while checking @Martijn's suggestion

Will update you guys once there's improvements. Thank you so much for the help.

Re: Traffic is suddenly encrypted by VPN

the_rock — Tue, 12 Sep 2023 11:36:07 GMT

Yea...so that message packet should not have been decrypted really means it SHOULD have been encrypted, ie firewall "thinks" it should go through VPN.

Andy

Re: Traffic is suddenly encrypted by VPN

SecurityNed — Wed, 13 Sep 2023 04:13:45 GMT

I actually found a reason as to why this happened. There's overlapping internal domains in both of my clusters, and unfortunately this traffic is being routed towards the other Firewall (NGFW Pair 1) instead. The correct behavior should be that it's going to be routed to its own Firewall (NGFW Pair 2). This has been now addressed.

Anyways, I created a policy to address this, and everything works smoothly now. I might have created a not-so-specific policy and that's why for some reason it keeps on routing the traffic to NGFW Pair 1.

Re: Traffic is suddenly encrypted by VPN

SecurityNed — Wed, 13 Sep 2023 04:15:23 GMT

Thank you guys, I was able to troubleshoot it with the help of your inputs. Everything's working as intended now.

Re: Traffic is suddenly encrypted by VPN

the_rock — Wed, 13 Sep 2023 11:26:26 GMT

Good job!