Vanesa_Benito_O
Contributor

VPN Remote Access. Issue with implied rule

I am trying to configure Remote Access VPN on a recently created R82 cluster, but it is not working and I am not sure why.

The Endpoint client is not able to establish the connection. I can see the connection attempts hitting the firewall, but they are being dropped (they should be accepted by the implicit rules).

I also created an explicit Access Control rule allowing traffic from the public IP address, but I am experiencing the same issue — the firewall does not respond to the connection attempts.

Regarding the configuration:

  • The external interface has a private IP address configured.

  • Under IPSec VPN → Link Selection, I selected Statically NATed IP and configured the public IP address that is directly NATed to the firewall.

  • I verified that the Platform Portal is configured with a specific IP address for connections.

  • The Mobile Access Blade portal is configured with the same public IP address defined in Link Selection.

Does anyone have any idea what could be causing this issue?

8 Replies
simonemantovani
MVP Silver

Hello

Could you share some screenshots of your configuration (in particular the settings in the VPN Clients section within the gateway object), just to try to help you?

 

Vanesa_Benito_O
Contributor

In the configuration I allowed the connection from the following:

[screenshot: VPN.png]

And the authentication method is RADIUS (but the issue is during the site creation; it is like the firewall doesn't associate the NATed IP configured with the VPN service or its internal network...). I have compared the configuration with other environments and everything seems to be configured correctly 😞

Martijn
MVP

Hi,

What version and hotfix are installed? Cluster or single gateway?

What message does the Endpoint client get? What does SmartLog show?

Can you test the complete VPN configuration by putting the Endpoint client directly on the external network of the gateway, so without the NATed IP? This way you can check that the Remote Access configuration is OK.

Martijn

Vanesa_Benito_O
Contributor

It's a cluster on R82 with Take 60.

The message in the Endpoint client says it is unable to connect to the site (during the site creation step). And SmartLog shows the firewall dropping the communication; in other environments those communications are accepted by implied rules. I also tried to create an explicit rule to accept the traffic, but without success.

It's a good approach to test the connectivity directly, but I need to ask if it is possible... currently I only have remote access.

emmap
MVP Gold CHKP

When the firewall is dropping the packets, what is the 'drop reason' in the log? 

Jesusm
Participant

Did you add the gateway to the remote access community?

Vanesa_Benito_O
Contributor

Yes, I also have another firewall in the Remote Access community (that is working fine with a similar scenario), but I understand that doesn't affect the communication of the new remote access, right? In the end, each gateway has its own VPN domain configured.

simonemantovani
MVP Silver

Usually, if you have two different gateways (Gateway A and Gateway B) in the same Remote Access community, in my experience you need to edit the $FWDIR/conf/trac_client_1.ttm file on the gateways and change the MEP configuration in these lines, setting the default to false:

    :automatic_mep_topology (
        :gateway (
            :map (
                :false (false)
                :true (true)
                :client_decide (client_decide)
            )
            :default (false)
        )
    )

 

Maybe it is not your case (in that case ignore my post), but I have always performed this configuration; without it the client connects to Gateway A and is redirected to Gateway B.
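The trac_client_1.ttm edit described in the reply above, as an added shell example (this is not Check Point's own tooling and not code from the thread): it reads and rewrites the `:default` value inside the `:automatic_mep_topology` block only, keeps a timestamped backup, and refuses values other than true, false or client_decide. The function names (`ttm_mep_default`, `ttm_set_mep_default`, `make_sample_ttm`) are hypothetical, the block layout is assumed to match the fragment quoted in the reply, and the sample file the script operates on is constructed for the demonstration rather than taken from a real gateway.

```shell
#!/bin/sh
# Added example for this thread (not Check Point's own code): inspect and change
# the ":default" value inside the ":automatic_mep_topology" block of a
# trac_client_1.ttm file, with a backup, so the change is repeatable on each
# gateway. Assumes the block layout quoted in the reply above; the sample
# file written by make_sample_ttm is constructed, not copied from a gateway.
set -u

# Write a constructed sample trac_client_1.ttm fragment (assumed layout) to $1.
make_sample_ttm() {
    cat > "$1" <<'EOF'
:automatic_mep_topology (
    :gateway (
        :map (
            :false (false)
            :true (true)
            :client_decide (client_decide)
        )
        :default (client_decide)
    )
)
EOF
}

# Print the :default value found inside the automatic_mep_topology block of $1.
ttm_mep_default() {
    awk '
        /:automatic_mep_topology[ \t]*\(/ { inblk = 1; depth = 0 }
        inblk {
            depth += gsub(/\(/, "(")     # count openers on this line
            depth -= gsub(/\)/, ")")     # count closers on this line
            if (match($0, /:default[ \t]*\([^)]*\)/)) {
                v = substr($0, RSTART, RLENGTH)
                sub(/^:default[ \t]*\(/, "", v)
                sub(/\)$/, "", v)
                print v
                exit
            }
            if (depth <= 0) inblk = 0    # left the block without a :default
        }
    ' "$1"
}

# Set :default inside the automatic_mep_topology block of $1 to $2
# (true|false|client_decide), keeping a timestamped backup next to the file.
# :default lines outside that block are left untouched.
ttm_set_mep_default() {
    file=$1
    value=$2
    case "$value" in
        true|false|client_decide) ;;
        *) echo "unsupported value: $value" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$file.tmp.$$"
    awk -v val="$value" '
        /:automatic_mep_topology[ \t]*\(/ { inblk = 1; depth = 0 }
        inblk {
            depth += gsub(/\(/, "(")
            depth -= gsub(/\)/, ")")
            if (!done && match($0, /:default[ \t]*\([^)]*\)/)) {
                $0 = substr($0, 1, RSTART - 1) ":default (" val ")" substr($0, RSTART + RLENGTH)
                done = 1
            }
            if (depth <= 0) inblk = 0
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demonstration on the constructed sample.
demo=$(mktemp)
make_sample_ttm "$demo"
echo "before: $(ttm_mep_default "$demo")"   # client_decide
ttm_set_mep_default "$demo" false
echo "after:  $(ttm_mep_default "$demo")"   # false
rm -f "$demo" "$demo".bak.*
```

On a real gateway you would point `ttm_set_mep_default` at `$FWDIR/conf/trac_client_1.ttm` instead of the sample; since the file lives on each gateway, a cluster needs the change on every member, and the backup copy is what you diff against if the client behaviour changes afterwards.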