This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
a month ago

Can not access smart console over site-site VPN

Hello,

I aimed to establish a connection to the smart console via a site-to-site VPN that is terminated on a Check Point managed by the same Check Point management server. However, I recognize that the CPMI and CPM services are accessed through implied rules. Therefore, I adhered to the documentation and commented out

````

/* #define ENABLE_CPMI */

```

Since my management server is on R82 and firewalls are on R81.20, I had to comment out at below path per documentation

```

/opt/CPR8120CMP-R82/lib/implied_rules.def

```

Subsequently, a particular rule was established for CPMI and CPM services; however, I am still unable to establish a connection via site-to-site VPN.

Currently, if the firewall version matches the management version lets suppose both are on R82 and I modify the $FWDIR/lib/implied_rules.def file, it functions flawlessly. However, this is not the case when the target firewall version is R81.20 or any version other than that of the management server.

Has anyone noticed such an issue before?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
2 Replies
Danny
Champion Champion
Champion
a month ago

Quick fix: SSH into the Security Management and tunnel the ports 443, 18190, 19009 and 18210. Then perform a SmartConsole connect to 127.0.0.1 and you are fine as long as localhost is allowed to connect.

0 Kudos
Blason_R
Leader
Leader
a month ago
In response to Danny

Indeed - This is what I have been doing it for a long time. However, this method is effective when connecting to a single management server. The problem arises when you utilize ports 18190 and 19009 for localhost, as it prevents connections to other management servers. Given that we are overseeing multiple clients and various management servers, this is gradually becoming an impractical solution. Therefore, we established an RDP server and configured a tunnel with the customer firewalls so that we can access those directly, but we are encountering that issue.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events