topic Re: Locally managed SMBs .def files for VPN fine-tuning in Spark Firewall (SMB)

Locally managed SMBs .def files for VPN fine-tuning

G_W_Albrecht — Fri, 23 Mar 2018 08:05:08 GMT

This is a follow-up to SMB units SMS files for VPN fine-tuning after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def for VPN Fine-Tuning that are usually made on the SMS and installed on a GW by a policy install. SMB units also have these files - crypt.def can be found in /pfrm2.0/config1/fw1/lib/ or /pfrm2.0/config2/fw1/lib/ and in /opt/fw1/lib/crypt.def.

The VPN configuration from sk108600 VPN Site-to-Site with 3rd party and sk86582 Excluding subnets in encryption domain from accessing a specific VPN community can also be found on locally managed SMBs crypt.def and edited there. As locally managed SMB units have no manual policy install command to recompile and apply these changes, Yuri points out that reboot would activate the new settings, but also, a much easier way is available ("not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274), changes can be applied by issuing:
[Expert]# fw_configload

The sk100278 gives two commands to apply changes from an edited $FWDIR/conf/trac_client_1.ttm file:
[Expert]# fw_configload
[Expert]# sfwd_restart

So i have asked R&D for more information and i have received the following as the officially supported procedures: In locally managed SMB appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported. Also note that sk30919 does not list SMB as relevant Product. Only crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect.

Supported for locally managed SMB appliances are changes to crypt.def to enable VPN features not available in WebGUI or CLI. We learn that the files from /pfrm2.0/config1/ or /pfrm2.0/config2/ are linked to /opt/fw1/lib/. And we learn the command vpn_configload !

Re: Locally managed SMBs .def files for VPN fine-tuning

Pedro_Espindola — Thu, 26 Dec 2019 23:37:26 GMT

Gunther, do you know how to make the procedure from "sk114882 - Remote Access clients configuration based on group membership" work on SMB gateways?

Re: Locally managed SMBs .def files for VPN fine-tuning

HristoGrigorov — Fri, 27 Dec 2019 04:30:11 GMT

Actually there seems to be a shell script on SMB that appears to do the vpn_configload thingy the right way:

/opt/fw1/bin/vpn_configload.sh

Re: Locally managed SMBs .def files for VPN fine-tuning

G_W_Albrecht — Thu, 09 Jan 2020 09:15:19 GMT

You could try with a User group defined in Users & Objects > Users Management > Users

and

/pfrm2.0/opt/fw1/conf/trac_client_1.ttm

/pfrm2.0/config2/fw1/conf/trac_client_1.ttm

Re: Locally managed SMBs .def files for VPN fine-tuning

G_W_Albrecht — Thu, 09 Jan 2020 09:16:54 GMT

That is just the command i have mentioned far above 8)

Re: Locally managed SMBs .def files for VPN fine-tuning

HristoGrigorov — Sat, 11 Jan 2020 05:03:41 GMT

vpn_configload is binary and vpn_configload.sh is shell script.... so actually there are two commands.

Re: Locally managed SMBs .def files for VPN fine-tuning

Baasanjargal_Ts — Mon, 03 Aug 2020 00:59:13 GMT

Hello

I am trying to configure universal tunnel on Check Point SMB firewall with 3rd party. Branch router has 0.0.0.0 0.0.0.0 subnet for the tunnel destination side. Check Point SMB firewall is enabled Allow remote gateway all traffic pass through this gateway option.
Problem is: Branch hosts access to internet through their own router instead of check point SMB.

Re: Locally managed SMBs .def files for VPN fine-tuning

G_W_Albrecht — Wed, 19 Aug 2020 08:47:14 GMT

The SMB Route all traffic thru GW option is for RA clients only, not for IPSEc VPN tunnels. So the branch router is having an issue when not routing everything into the VPN...

Re: Locally managed SMBs .def files for VPN fine-tuning

ereche — Fri, 11 Apr 2025 11:19:01 GMT

I'm looking for a solution, trying to solve the mystery of why even if i put is on SMS crypt.def it's not work. Now i know, SMB is everything different and there`s no documentation about it. We do these steps on Quantum Spark 1900 and solve the problem.

Do this on SMS, not on GW. Depends on version SMS you have to choose correct file.

vi /opt/CPSFWR81CMP-R82/lib/crypt.def

Insert these lines on the file and save it.

define USERC_CHECK(rule) {

(<src> in userc_rules)

};

#ifndef NON_VPN_TRAFFIC_RULES

#ifndef IPV6_FLAVOR

#define NON_VPN_TRAFFIC_RULES (dst=192.168.5.1 or dst=192.168.5.2)

#else

#define NON_VPN_TRAFFIC_RULES 0

#endif

#endif /* __crypt_def__ */

Then install policy on gateways and see the logs. The traffic will pass directly do p2p and not encrypted anymore.