StevePearson
Advisor

Issue running management via Harmony SASE

I have a customer that runs Harmony SASE for their remote access and has done for quite a while now with no issues.

We have recently upgraded the management server from R81.20 to R82.10 using the export/import method to allow us to increase disk sizes. When I exported it I got a warning about a changed config file, $FWDIR/lib/implied_rules.def, and when I looked at this the change was to comment out one line as follows: /* #define ENABLE_CPMI */

This stops the implied rules from accepting the control connections, so they have explicit rules in place to allow these connections, the reasoning being that trying to run SmartConsole remotely didn't work as the packets were not being encrypted, so this was the fix (sk105719). It's been working for several months with no issues.

After the upgrade I edited the file and made the same change, however it no longer appears to fix this issue, with the packets being accepted by the implied rules and not encrypted.

The sk mentions R82 but not explicitly R82.10; I'm assuming that's because it has yet to be updated.

Has anyone else come across this at all?


6 Replies
Lesley
MVP Gold

Make sure to turn off policy installation acceleration, since those files are not being transferred when this is active.

-------
Please press "Accept as Solution" if my post solved it 🙂
StevePearson
Advisor

Yes, policy acceleration was disabled when I pushed the policy.

Chris_Atkinson
MVP Platinum CHKP
(Accepted solution)

I'm sure that you are all over this but make sure the file edited was also in the correct Management file path for your GW version e.g.

https://sc1.checkpoint.com/documents/R82.10/WebAdminGuides/EN/CP_R82.10_SecurityManagement_AdminGuid... 


CCSM R77/R80/ELITE
StevePearson
Advisor

Yes, and I've double-checked this this morning.

StevePearson
Advisor

Hi Chris,

Let me take back my earlier reply, I did indeed modify the wrong version of the file! Reading the guide you linked to in more detail made me realise the mistake!

Thanks for your help!
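The mistake in this thread was editing the copy of implied_rules.def for the management server's own version rather than the copy the management server uses to compile policy for the gateway's version. The script below is an added example, not code from the original thread or from Check Point: it walks a directory tree, finds every implied_rules.def, and reports whether `#define ENABLE_CPMI` is still active or has been commented out as in sk105719. The search root, the directory layout and the sample files it builds in the demo are assumptions; the "disabled" check is a line-level heuristic (a `#define ENABLE_CPMI` that does not start its line is treated as commented out), so it does not parse C comments in full.

```sh
#!/bin/sh
# Audit every implied_rules.def under a tree and report whether ENABLE_CPMI
# is still defined (control connections accepted by implied rules) or has
# been commented out. Added example; paths and layout are assumptions.

cpmi_state() {
    # $1 = path to an implied_rules.def.
    # Prints "enabled", "disabled" or "absent".
    f="$1"
    if grep -Eq '^[[:space:]]*#define[[:space:]]+ENABLE_CPMI([[:space:]]|$)' "$f"; then
        echo enabled      # define is the first token on its line: active
    elif grep -Eq '#define[[:space:]]+ENABLE_CPMI' "$f"; then
        echo disabled     # define present but preceded by something, e.g. "/* "
    else
        echo absent       # file does not mention ENABLE_CPMI at all
    fi
}

audit_tree() {
    # $1 = root directory to search, e.g. the management server's $FWDIR
    # or wherever the per-gateway-version copies live (assumed layout).
    root="$1"
    find "$root" -type f -name implied_rules.def | sort | while read -r f; do
        printf '%-9s %s\n' "$(cpmi_state "$f")" "$f"
    done
}

demo() {
    # Constructed sample tree: one copy still enabling CPMI, one patched.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/R82.10/lib" "$tmp/R81.20/lib"
    printf '#define ENABLE_CPMI\n'       > "$tmp/R82.10/lib/implied_rules.def"
    printf '/* #define ENABLE_CPMI */\n' > "$tmp/R81.20/lib/implied_rules.def"
    audit_tree "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it as `sh audit_cpmi.sh` to see the demo, or call `audit_tree /path/to/root` against a real management server; any copy reported as "enabled" for the gateway's version is the one that will still let the implied rules accept CPMI after a policy push.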

StevePearson
Advisor

Just been testing this again and found that it works via a remote access VPN connection, but not via SASE connection. The difference here is that the RA VPN is a policy based VPN but SASE is a route based VPN.

It's worth saying that everything else is working correctly over SASE, so it's not an issue with the SASE tunnel itself.

The logs clearly show that as soon as I pushed the initial policy the CPMI packets are being accepted by the implied rules for some reason.
