topic Re: Excluded Services issue in SASE and Remote Access

Excluded Services issue

Dave_Taylor1 — Mon, 21 May 2018 16:45:57 GMT

We recently encountered an issue setting up an IPSEC tunnel between our Check Point and Bluecoat/Symantec for their Web Security Services. We could not successfully use service ranges as recommended within Check Point. We were able to create the service ranges, however it failed to exclude the services.

We instead were required to list every service we needed to exempt from the tunnel.

Is this a known limitation within Check Point R77.30 or has this been addressed with R80.10?

Blue Coat's instruction

In the SmartDashboard, select Services.
Right-click Group and select New Group. The interface displays the Group Properties dialog.
Click New. The interface displays the Group Properties dialog.
1. Name the object. For example, indicate that these are ports 1 to 79.
2. In Port field, enter 1-79. This excludes all ports up to 80 (web).
3. Click Advanced. The interface displays the Advanced TCP Service Properties dialog.
4. Select Match For 'Any'. This prevents policy installation warnings because of a possible already-defined port.
5. Click OK; click OK again to close the Group Properties dialog.
Repeat Steps 3.1 through 3.3 to add two more groups.
1. Mid-TCP-Ports: 81 to 442.
2. High-TCP-Ports: 444 to 65535.
  This allows port 443 traffic into the VPN tunnel.
(Optional) You can also add ICMP and all UDP ports.

Re: Excluded Services issue

G_W_Albrecht — Fri, 25 May 2018 08:56:57 GMT

What you list from BlueCoat is how to define which traffic should not go thru the VPN tunnel - but you left out the final step, that is, where you have to add these newly defined service/port groups so they are excluded ! This is made in Community settings under Excluded Services.

Re: Excluded Services issue

Dave_Taylor1 — Fri, 25 May 2018 13:27:29 GMT

Right, I understand that.

What I'm saying is the example they provide for the ranges - Mid-TCP-Ports: 81 to 442. & High-TCP-Ports: 444 to 65535, although I can create them, will not work for some reason.

Is there a limitation with service ranges for VPN exclusion?

Re: Excluded Services issue

Dave_Taylor1 — Tue, 10 Jul 2018 17:47:05 GMT

Just an FYI. Apparently this was an issue in certain versions of R77.30 later fixed in a HotFix, but not an issue in R80.10 according to our support at Optiv.

Re: Excluded Services issue

PhoneBoy — Wed, 11 Jul 2018 12:44:48 GMT

Confirmed.

See: Services configured as Excluded for IPSec tunnel are not being excluded

Re: Excluded Services issue

Robin_H — Mon, 31 Mar 2025 08:47:25 GMT

I just encountered this bug in R81.10 and the workaround in the sk fixed it.

I guess TAC would like to hear about it?