My question is similar to this thread: Exclude CPM traffic from implied rules. However, I have a 77.30 GW on-prem with a VPN to an R80.10 AWS vSec instance. Both are managed by different managers. So when the traffic is initiated from my management client behind the 77.30 GW, it encrypts. When it gets to the R80.10 GW, it "accepts" and doesn't decrypt. So I followed the thread above and commented out ENABLE_CPMI, but no change: Encrypt on the on-prem side (I did not change anything there) and Accept on rule zero at AWS.
Here is my implied_rules.def
Maybe I am reading the thread you are referencing wrong, but it looks to me that the implied_rules.def file should be edited on the management server, not the gateway.
Since the object you are managing is called bi-prod-fw:0, I'm inclined to think that it is a gateway.
The sk111954 dealing with logging through the VPN, which relies on a subset of CPMI, indicates the same approach:
By design, when "Accept control connections" is enabled, the Security Firewall log connection to the Log Server will be matched by the Security Gateway on the implied rules instead of the VPN configuration and rulebase.
Before ("#define ENABLE_FWD_LOG" line active):
```
#define ENABLE_FW1_SAM
#define ENABLE_FWD_LOG
#define ENABLE_IKE
```
After ("#define ENABLE_FWD_LOG" line commented out):
```
#define ENABLE_FW1_SAM
/* #define ENABLE_FWD_LOG */
#define ENABLE_IKE
```
Great call. That worked. Now I'm getting "CRLs failed to be downloaded", and now I see rule zero for FW1_ica_services. I assume I should comment out #define ENABLE_FW1_ICA_SERVICES?
Thoughts?
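As an added example (not code from this thread or from Check Point), a small POSIX-shell helper that reports whether each ENABLE_* define the thread discusses is active in implied_rules.def and comments one out in the same `/* #define NAME */` form the SK shows, so the edit can be verified before installing policy from the management server. It runs here against a constructed sample file; the real path `$FWDIR/lib/implied_rules.def` on the management server is an assumption.

```shell
#!/bin/sh
# Hypothetical helper (added example). Operates on a copy of implied_rules.def;
# the management-server path $FWDIR/lib/implied_rules.def is an assumption.

# Print ACTIVE, DISABLED or MISSING for one define name in the given file.
implied_rule_state() {
    file=$1; name=$2
    if grep -Eq "^[[:space:]]*#define[[:space:]]+$name([[:space:]]|\$)" "$file"; then
        echo ACTIVE
    elif grep -Eq "^[[:space:]]*/\*[[:space:]]*#define[[:space:]]+$name([[:space:]]|\$).*\*/" "$file"; then
        echo DISABLED
    else
        echo MISSING
    fi
}

# Comment out a define as the SK shows (/* #define NAME */). Idempotent:
# an already-disabled or missing define is left untouched. Prints the new state.
disable_implied_rule() {
    file=$1; name=$2
    if [ "$(implied_rule_state "$file" "$name")" = ACTIVE ]; then
        sed "s|^[[:space:]]*#define[[:space:]]\{1,\}$name[[:space:]]*\$|/* #define $name */|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
    implied_rule_state "$file" "$name"
}

# Report the defines touched in this thread, one per line.
list_implied_rules() {
    file=$1
    for name in ENABLE_CPMI ENABLE_FWD_LOG ENABLE_FW1_ICA_SERVICES ENABLE_FW1_SAM ENABLE_IKE; do
        printf '%-26s %s\n' "$name" "$(implied_rule_state "$file" "$name")"
    done
}

# Constructed sample standing in for the relevant lines of implied_rules.def.
make_sample_def() {
    cat > "$1" <<'EOF'
#define ENABLE_CPMI
#define ENABLE_FW1_SAM
#define ENABLE_FWD_LOG
#define ENABLE_IKE
#define ENABLE_FW1_ICA_SERVICES
EOF
}

# Demo: disable the three control-connection defines from the thread, keep IKE/SAM.
f=$(mktemp); make_sample_def "$f"
for n in ENABLE_CPMI ENABLE_FWD_LOG ENABLE_FW1_ICA_SERVICES; do disable_implied_rule "$f" "$n" >/dev/null; done
list_implied_rules "$f"; rm -f "$f"
```

The disabled defines stop matching the control connections on rule zero, so explicit VPN rules for those services must exist before policy is installed; the demo deliberately leaves ENABLE_IKE active.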
That worked. Thanks so much for your input!!!
Glad to be of help!
Please mark the question as answered, so the others in similar situation could use this for references.
Cheers,
Vladimir
As a general rule, it is a bad idea to force control connections through the VPN.
If your VPN goes down for any reason, getting it back up when you have no ability to manage the gateway becomes a challenge.
Agree. I made them aware of that. They are leaving external access there, just not leaving it open. That's the break-glass-in-case-of-emergency access method.
Thanks,
Paul