Blason_R
Leader

Can not access smart console over site-site VPN

Hello,

I aimed to establish a connection to the smart console via a site-to-site VPN that is terminated on a Check Point managed by the same Check Point management server. However, I recognize that the CPMI and CPM services are accessed through implied rules. Therefore, I adhered to the documentation and commented out

```
/* #define ENABLE_CPMI */
```

Since my management server is on R82 and the firewalls are on R81.20, I had to comment it out at the path below, per the documentation:

```
/opt/CPR8120CMP-R82/lib/implied_rules.def
```

Subsequently, a particular rule was established for CPMI and CPM services; however, I am still unable to establish a connection via site-to-site VPN.

Currently, if the firewall version matches the management version (let's suppose both are on R82) and I modify the $FWDIR/lib/implied_rules.def file, it functions flawlessly. However, this is not the case when the target firewall version is R81.20 or any version other than that of the management server.

Has anyone noticed such an issue before?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
2 Replies
Danny
Champion

Quick fix: SSH into the Security Management and tunnel the ports 443, 18190, 19009 and 18210. Then perform a SmartConsole connect to 127.0.0.1 and you are fine as long as localhost is allowed to connect.

0 Kudos
Blason_R
Leader

Indeed - This is what I have been doing for a long time. However, this method is effective when connecting to a single management server. The problem arises when you utilize ports 18190 and 19009 for localhost, as it prevents connections to other management servers. Given that we are overseeing multiple clients and various management servers, this is gradually becoming an impractical solution. Therefore, we established an RDP server and configured a tunnel with the customer firewalls so that we can access those directly, but we are encountering that issue.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
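
An added example, not part of either post: a shell helper that prints the SSH port-forward command for the four ports named in the quick fix and refuses any bind address outside 127.0.0.0/8, so the forwarded management ports are never exposed on a network interface. The function name and hostnames are constructed; using a second loopback address such as 127.0.0.2 for another management server is an assumption, since the thread does not say whether SmartConsole accepts one.

```shell
#!/bin/sh
# Ports named in the quick-fix reply (443, 18190, 19009, 18210).
SC_PORTS="443 18190 19009 18210"

# build_tunnel_cmd USER MGMT_HOST [BIND_ADDR]   (hypothetical helper)
# Prints the ssh command that forwards each port from BIND_ADDR on this
# machine to the same port on the management server's own loopback, so
# the connection arrives there as localhost.
# Returns 1 on missing arguments or a bind address outside 127.0.0.0/8.
build_tunnel_cmd() {
    user=$1 host=$2 bind=${3:-127.0.0.1}
    [ -n "$user" ] && [ -n "$host" ] || return 1
    # Only digits and dots are allowed in the bind address.
    case $bind in
        *[!0-9.]*) echo "invalid bind address: $bind" >&2; return 1 ;;
    esac
    # It must be a dotted quad starting with 127 (loopback only).
    case $bind in
        127.*.*.*) ;;
        *) echo "refusing non-loopback bind address: $bind" >&2; return 1 ;;
    esac
    # -N: forwarding only, no remote command.
    # ExitOnForwardFailure: abort rather than run with a partial tunnel,
    # e.g. when a local port is already taken by another tunnel.
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for p in $SC_PORTS; do
        cmd="$cmd -L $bind:$p:127.0.0.1:$p"
    done
    printf '%s %s@%s\n' "$cmd" "$user" "$host"
}

# Constructed hostnames: one loopback address per management server.
build_tunnel_cmd admin mgmt-a.example.test 127.0.0.1
build_tunnel_cmd admin mgmt-b.example.test 127.0.0.2
```

On a shared jump host, loopback listeners are still reachable by every local user, so the SmartConsole login remains the only access control on the tunnel.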
