topic Re: Cross community VPN traffic in Spark Firewall (SMB)

Cross community VPN traffic

Attiq786 — Wed, 24 Mar 2021 09:47:25 GMT

Hi All,

We have 7 SMB(1570) appliances on different sites worldwide. all have site to site VPNs between them.

There is a requirement to establish Azure Cloud VPN and we can create only 4 tunnels maximum.

remaining three sites will need to go through our HQ SMB gateway for Cloud access.

is it possible to have cross-community communication between remaining sites and the cloud, through HQ on SMB appliances?

rather than using enc domains, if i use routing for this, will it work?

Regards

Attiq

Re: Cross community VPN traffic

G_W_Albrecht — Wed, 24 Mar 2021 10:00:37 GMT

Why not go for a star topology ? See Check Point 1400 Appliances Locally Managed Administration Guide R77.20.87 p.164f:

VPN star community – One gateway is the center and routes all traffic (encrypted and internet traffic of the remote peer) to the internet and back to the remote peer. The peer gateway is a satellite and is configured to route all its traffic through the center.

For examples of when to use a mesh or star community, see VPN Community Use Cases (on page 165).

Re: Cross community VPN traffic

Attiq786 — Wed, 24 Mar 2021 12:47:32 GMT

Thanks @G_W_Albrecht

I was not sure if I route all traffic through Centre then it will not direct the traffic out to internet rather than going through the Cloud Tunnel. as there is no option to have a multi site community in SMB. But I guess if I have the set Enc Domain for the cloud tunnel correctly, it will.

also did not want to route all internet traffic through, but I will try. Thanks for the suggestion.

Re: Cross community VPN traffic

Bob_Zimmerman — Wed, 24 Mar 2021 16:47:49 GMT

How are the devices managed? If you are managing them with a SmartCenter, there are three options:

Satellites to center only
Satellites to center and through center to other satellites
Satellites to center and through center to other satellites and the Internet

Just set up your Azure tunnel as another satellite in the community, pick the second option, and your Internet traffic won't go through the center.

Re: Cross community VPN traffic

G_W_Albrecht — Wed, 24 Mar 2021 17:03:56 GMT

Having a central GAiA GW with SMS in the star topology would be preferable - but here we only have 7 SMB (1570) appliances locally managed. Only 3. is supported in this case!

Re: Cross community VPN traffic

Attiq786 — Thu, 25 Mar 2021 15:35:16 GMT

@G_W_Albrecht yes that's correct. all locally managed. I would have loved the Central Management solution, but it was already decided/configured before I took over the project. Nevertheless we might distribute the traffic through 3 different gateways rather than having all the load on only one.

Re: Cross community VPN traffic

G_W_Albrecht — Thu, 25 Mar 2021 17:10:22 GMT

Another possible configuration without SmartDashboard would be using vpn_route.conf to configure VPN Routing in Domain Based VPN like we read in sk69726: VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM profile in Star Community and c

This sk is for central management, but using local /opt/fw1/lib/vpn_route.conf has the same effect - this is linked in /pfrm2.0/config1/ or /pfrm2.0/config2/vpn_route.conf

All details can be found in https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Domain-Based-VPN.htm?TocPath=Domain%20Based%20VPN|Configuring%20VPN%20Routing%20in%20Domain%20Based%20VPN|_____0#Configuring_VPN_Routing_in_Domain_Based_VPN

After the changes, new vpn setting can be applied locally without reboot using

# vpn_configload

If this does not do the trick, maybe we need:

# fw_configload
# sfwd_restart

Re: Cross community VPN traffic

G_W_Albrecht — Thu, 25 Mar 2021 20:57:52 GMT

But to be on the safe side, i would evaluate this information and open a TAC case to get the confirmation that this is a supported configuration.