This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rjpereira
Contributor
‎2020-02-17 05:22 PM

Missing "config-vpn"

I'm deployed R80.40 AMI in AWS, with a Transit Gateway integration, that should recognize TGW tags and initiate the configuration of site-to-site VPNs with existing gateways.

I see that on the logs management server issues a "config-vpn" command to gateway, but the reply is "command not found", which I confitm if I login there via SSH.

 

This config-vpn is also referred in documentation (e.g. https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_Transit_VPC_for_AWS/html_frameset.h... ).

Does anyone know how to make sure that config-vpn binary is installed on the security gateways ?

Thanks

 

0 Kudos
4 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-02-18 01:00 AM

I would involve TAC here !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
rjpereira
Contributor
‎2020-02-18 01:45 AM
In response to G_W_Albrecht

Problem solved in the meantime, and leaving a suggestion for product team:

On all your sample AWS templates where you configure Security Group ports, you set TCP allow rules for 257, 18191-18192,  18210-18211, 18221, 28264.

 

You are forgetting to add 18208: without it 

 

cprid_util -server 10.59.0.28 putfile -local_file /opt/CPcme/features/config-vpn.sh -remote_file /bin/config-vpn -perms 500 with:
data=None
env=None
2020-02-18 10:11:11,267 CME_SERVICE INFO Return code= 3
Output=
Stderr=

, fails for not being able to communicate with the gateway.

It would be much better if Checkpoint published real world templates with strict securitygroup and acl rules that documented requirements, than using always "permissive -1 rules" and not documented it properly....

0 Kudos
chkpyehonatanwe
Employee Alumnus
Employee Alumnus
‎2020-02-18 10:05 AM
In response to rjpereira

Hi rjpereira,

 

Thank you for your comments.

 

The issue occurred because the Gateways Security Group that was created by the template, was replaced with the Management Security Group that was created by the template. Meaning, the Gateways and the Management had the same Security Group rules.

The solution templates configure a permissive Security Group for the Gateways, since traffic arriving to the Gateways can be originated from anywhere, for example: the internet, the VPC in which the Gateways are deployed, other VPCs over AWS Transit Gateway and corporate network over Direct Connect.

Therefore, it is impossible to predict the source IP ranges of incoming traffic, and since the Gateways themselves are Firewalls, it is reasonable to allow access to the Gateways from any IP address.

 

Regards,

Yehonatan

0 Kudos
rjpereira
Contributor
‎2020-02-18 11:22 PM
In response to chkpyehonatanwe

I don't agree 100%. I understand that the Cidr ranges may be left open to allow different types of deployment, but you should lockdown the protocol/port rules in network acls and security groups to properly document a secure deployment. Those will not depend on the customer setup.

Cheers

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
Multi Cloud Cluster GCP+Azure
Upcoming Events

    Sort by:
    CheckMates Events