CheckMates > Products > Quantum > Management
Exclude CPM traffic from implied rules
I need the ability to manage a remote R80.10 SmartCenter that is on the other side of a Check Point R80.10 GW. The two locations are connected via a site to site VPN. CPM traffic from remote SmartConsole client R80.10 is sent in the clear to R80.10 SmartCenter because of implied rules instead of being encrypted by the site to site VPN.
SK105719 describes the procedure in earlier versions, by removing CPMI from the implied rules, but does not reference CPM. I have verified that turning off all implied rules in Global Properties will fix the problem, but I only want to remove CPM (tcp 19009) and CPMI (tcp 18190).
Thanks!
Hi,
The checkbox that controls this implied rule is "Accept Control Connections". It also generates 36 additional implied rules, all responsible for the different Check Point processes and the interactions between them.
Hi Tomer,
Yes, unchecking "Accept Control Connections" will allow the SmartConsole client to connect over the VPN, but having a workaround that only excludes CPM and CPMI would be helpful. If this were a VSX environment, disabling "Accept Control Connections" would cause problems with provisioning virtual hardware.
Thanks!
The "#define ENABLE_CPMI" in $FWDIR/lib/implied_rules.def on the SmartCenter should also be responsible for the CPM traffic.
See the following output:
# cat implied_rules.def | grep CPM
#define ENABLE_CPMI
#ifdef ENABLE_CPMI
(dport = CPMI_PORT or dport = CPMI_PORT_NGM), tcp, \
(sport = CPMI_PORT or sport = CPMI_PORT_NGM), tcp,
# cat services.def | grep CPMI_PORT_NGM
#ifndef CPMI_PORT_NGM
#define CPMI_PORT_NGM 19009
So it should be possible to exclude CPM/CPMI traffic by commenting out the "#define ENABLE_CPMI" like the following:
/* #define ENABLE_CPMI */
Be sure to back up your files beforehand.
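An added example, not from the post above and not Check Point's own tooling: a small POSIX shell helper that performs the edit described in this answer (comment out the define) after keeping an untouched copy of the file, and a check that reports whether the define is still active. The path $FWDIR/lib/implied_rules.def comes from the post; the function names and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# make_sample_def FILE: write a constructed stand-in for the CPMI-related
# lines of implied_rules.def (modelled on the grep output in the post; not the real file).
make_sample_def() {
    cat > "$1" <<'EOF'
#define ENABLE_CPMI
#ifdef ENABLE_CPMI
(dport = CPMI_PORT or dport = CPMI_PORT_NGM), tcp, \
(sport = CPMI_PORT or sport = CPMI_PORT_NGM), tcp,
#endif
EOF
}

# cpmi_enabled FILE: succeed (exit 0) if "#define ENABLE_CPMI" is still active.
cpmi_enabled() {
    grep -q '^[[:space:]]*#define[[:space:]]\{1,\}ENABLE_CPMI[[:space:]]*$' "$1"
}

# disable_cpmi FILE: keep FILE.orig as an untouched copy (never overwritten, so the
# pristine version survives repeated runs), then turn the active define into
# "/* #define ENABLE_CPMI */". Idempotent: an already commented line is left alone.
# Prints the backup path.
disable_cpmi() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    backup="$f.orig"
    [ -e "$backup" ] || cp -p "$f" "$backup"
    tmp="$f.tmp.$$"
    # Only a line that is exactly the active define is rewritten; "#ifdef ENABLE_CPMI"
    # and the port lines are untouched.
    sed 's|^[[:space:]]*#define[[:space:]]\{1,\}ENABLE_CPMI[[:space:]]*$|/* #define ENABLE_CPMI */|' \
        "$f" > "$tmp" && mv "$tmp" "$f"
    echo "$backup"
}

# Usage on the SmartCenter (path from the post):
#   disable_cpmi "$FWDIR/lib/implied_rules.def"
#   cpmi_enabled "$FWDIR/lib/implied_rules.def" && echo "still enabled"
```

The edited file only affects the gateway after the policy is installed again, and since an upgrade or hotfix may replace files under $FWDIR/lib, keep the .orig copy and re-run cpmi_enabled afterwards.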
That did indeed work. I will see about getting that SK updated for R80.10.
Much appreciated!
Hi,
Thank you for sharing this info. I commented RADIUS out of $FWDIR/lib/implied_rules.def. I needed to exclude this traffic because we use a route-based VPN in our situation. I noticed that the specific connection was accepted by an implied rule (control connection) and left the gateway unencrypted via the wrong interface.
FYI
I found sk32564 explaining WHY this happens.
Greetz!
Jelle