This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2023-07-25 02:51 AM
Jump to solution

Client VPN license in Checkpoint

I have CPSB-VPN blade license on my AWS Checkpoint Gatways. I am looking to enable Remote access VPN for a few clients.

My query is do i require additional license for this ? i read about Securemote which requires only CPSB-VPN blade but the kb states that it has limited functionality.. what are its limitations ?

0 Kudos
1 Solution

Accepted Solutions
LostBoY
Advisor
‎2023-07-27 05:24 AM
In response to the_rock
Jump to solution

OK so i resolved the issue.. the thing was this was a geocluster with 0.0.0.0 as its cluster IP. However, the VPN blade requires a legit Cluster IP to function as soon as i replaced it policy installation was successfull.

 

View solution in original post

17 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-25 03:00 AM
Jump to solution

In terms of primary limitations Securemote doesn't support office mode.

Depending on the license many gateway SKUs allow 5 mobile access connections by default.

CCSM R77/R80/ELITE
LostBoY
Advisor
‎2023-07-25 03:51 AM
In response to Chris_Atkinson
Jump to solution

Office mode affects only DNS and WINS ? does still assigns an IP address from a defined pool ? my requirement is only to give RDP access to a jump box.

Also is there a remote vpn configuration limitation for Checkpoint Cloudguard ? 

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-25 04:47 AM
In response to LostBoY
Jump to solution

Yes it impacts VPN IP assignment flexibility 

Some templates don't support VPN, specifically with VMSS for Azure the SecuRemote flavor is not supported.

Source: https://sc1.checkpoint.com/documents/iaas/webadminguides/en/cp_vmss_for_azure/content/topics-azure-v...

CCSM R77/R80/ELITE
LostBoY
Advisor
‎2023-07-25 05:30 AM
In response to Chris_Atkinson
Jump to solution

i am using AWS Cloudguard and i read somewhere that VPN wasnt supported on R80.40 cloudguard but was introduced from R81 onwards...unfortunately i cudnt find that link.

I was trying to test Securemote but when i try to enable ipsec vpn blade policy installation fails

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-07-25 06:13 AM
In response to LostBoY
Jump to solution

SecuRemote will not use the OM IP pool for IP assignement but needs the firewall to be configured to let the original client IP connect and access. So this is only an alternative if the RA client has a static IP.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-25 07:35 AM
In response to LostBoY
Jump to solution

For AWS Remote Access isn't supported for auto-scale deployments, what scenario have you deployed?

https://sc1.checkpoint.com/documents/iaas/webadminguides/en/cloudguard_network_for_aws_autoscaling_d...

CCSM R77/R80/ELITE
0 Kudos
LostBoY
Advisor
‎2023-07-25 07:54 AM
In response to Chris_Atkinson
Jump to solution

it is a cross availability zone cluster on R81.20

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-25 08:35 AM
In response to LostBoY
Jump to solution

In such cases Site-to-Site and Remote Access VPN are supported only with the Primary Elastic IP (VIP). You cannot use additional Elastic IP's for VPN.

CCSM R77/R80/ELITE
LostBoY
Advisor
‎2023-07-25 09:24 AM
In response to Chris_Atkinson
Jump to solution

i suppose that will be fine in my case...

However after enabling ipsec vpn blade on GW policy installation is failing 😞

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-25 01:19 PM
In response to LostBoY
Jump to solution

Screenshot of the precise error?
Blur sensitive details.

0 Kudos
LostBoY
Advisor
‎2023-07-26 03:08 AM
In response to PhoneBoy
Jump to solution

It just says operation ended with errors , no error message detail available

Preview file
46 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-26 06:38 AM
In response to LostBoY
Jump to solution

Did you click on the specific lines where it said failed?
It should show details why it failed.
If not, you should involve the TAC: https://help.checkpoint.com 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-26 06:50 AM
In response to LostBoY
Jump to solution

If you expand the reason why it failed, as the guys indicated, would tell us the reason. Please blur out any sensitive info mate.

Andy

Best,
Andy
0 Kudos
LostBoY
Advisor
‎2023-07-27 02:35 AM
In response to the_rock
Jump to solution

unfortunately there is no reason defined and no expansion available there

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-27 05:06 AM
In response to LostBoY
Jump to solution

I find that odd, sorry...there has to be some kind of wording as to why its failing. If you expand the down arrow where it fails, can you send a screenshot please?

Andy

Best,
Andy
0 Kudos
LostBoY
Advisor
‎2023-07-27 05:24 AM
In response to the_rock
Jump to solution

OK so i resolved the issue.. the thing was this was a geocluster with 0.0.0.0 as its cluster IP. However, the VPN blade requires a legit Cluster IP to function as soon as i replaced it policy installation was successfull.

 

the_rock
MVP Gold
MVP Gold
‎2023-07-27 05:36 AM
In response to LostBoY
Jump to solution

Great job mate, tx for sharing!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events