Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Anthony_Vita
Explorer

Configuration for VPN to send 80/443 traffic to Netskope

I have a need to create VPN tunnels from a R80.40 gateway to Netskope cloud gateway.  Want to only send traffic from select internal source IP's that need internet bound http/https traffic to the Netskope cloud for inspection by their SWG.  

 

Anyone figure out how to do this?

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin

You can certainly create an encryption domain with the specific hosts in question and only those hosts.
However, it will potentially send all Internet-bound traffic from those hosts over the VPN, not just traffic on port 80/443.
Unless, of course, you deny all other traffic from those hosts to the Internet.

Whether you can make this work with Netskope is a separate question.
Also, if the Check Point gateway can perform the same functions (which it likely can), why send the traffic there at all?

0 Kudos
Vladimir
Champion
Champion

Netscope performs combined functions of SWG, CASB and DLP that are a lot more granular than the CP gateway by itself can perform, so I can see a use case for this.

0 Kudos
Anthony_Vita
Explorer

Correct, the additional functions that Netskope performs are part of the reason, another is a unified policy management point for all clients as our endpoints are using Netskope when off net.   

The need for sending only select hosts through the tunnel is for initial testing, eventually we will look to forward all clients that do not have a Netskope client installed (think servers, IOT) through this tunnel to the Netskope SWG.  I was trying to use VTI and PBR, to select the traffic.  I have the VPN community created and the Tunnel are up, but I can't get the traffic to pass.  I have a Rule at the top of the policy to match the source IP of the test clients destined to a Negated RFC1918 network group with a Directional match on the VPN and service of 80/443.  There is also a rule in the application policy for the same.

Looking at the logs, it shows the traffic being encrypted and moved to the appropriate Tunnel interface, but matched on a lower rule for all other Internet bound traffic, not the Directional match rule at the top.  Then there is an accept that is not encrypted, with the message:  Connection terminated before detection: Insufficient data passed.  See SK113479.  What am I missing?

0 Kudos
Vladimir
Champion
Champion

I'm not familiar with NetScope Cloud Gateway requirements, but am curious why the use of VTIs and PBR is required.

Depending on what version of Check Point you are on, I think the use of custom local VPN Domain with VPN Community is a better way of sending traffic from select hosts or access roles to NetScope, if they support domain-based VPNs.

0 Kudos
firewall1-gx
Contributor

Hi Anthony,

Sometime ago I made a configuration look you are need, I can remember that a VPN universal tunnel was configured for this.

Basically we used policy based VPN instead of route based (VTI), with "Route All Traffic Through This Site" enabled on VPN community to negociate 0.0.0.0-0.0.0.0 with remote peer.

The biggest challenge to do this configuration is because you're forwarding all traffic through this tunnel. Thus, now PBR policies can be helpful to redesign outgoing paths.

In my case I routed all traffic, wasn't necessary be a previous test before production, because were a new enviroment. 

I hope that my short words can help you.

Alisson Lima

0 Kudos