This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Contributor
‎2024-02-26 05:18 AM
Jump to solution

Domain objects in remote access encryption domain.

Hello all!

 

Just completed an upgrade of management to R81.20 from R81.10. It manages 3 x clusters currently running on R80.40 (upgrade imminent).

One of the clusters is used for the remote access VPN, and now when pushing policy we get the following error:

"You can use updateable objects, dynamic objects and domain objects in a Remote Access VPN community only as members of a network group whose name starts with 'exclusions_'. The group whose name starts with 'exclusions_' must be a member of another network group."

There is only one domain object in use and I've tried this workaround and it still fails. The only way to get a successful policy installation is to remove the domain object from the RA encryption domain entirely.

TAC have not been much use so far.

Any ideas?

0 Kudos
1 Solution

Accepted Solutions
khodgson_bts
Contributor
‎2024-02-28 08:16 AM
Jump to solution

So it seems that it's only supported in gateways from R81.20.

MicrosoftTeams-image (4).png

Why it didn't give this error message in the production environment I don't know.

View solution in original post

0 Kudos
11 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-02-26 05:50 AM
Jump to solution

Hey,

Can you send a screenshot please? I can try it in my lab and report back.

Best,

Andy

Best,
Andy
0 Kudos
khodgson_bts
Contributor
‎2024-02-28 05:00 AM
Jump to solution

OK so this seems to be expected behaviour (working as intended). Domain objects are not permitted in the encryption domain for an remote access VPN except in a very specific scenario detailed here.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

Clearly this has never worked, but until now it's not really been flagged up or enforced during a policy installation.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-28 05:10 AM
In response to khodgson_bts
Jump to solution

This part is actuallly true, just tested it.

Andy

"You can use updateable objects, dynamic objects and domain objects in a Remote Access VPN community only as members of a network group whose name starts with 'exclusions_'. The group whose name starts with 'exclusions_' must be a member of another network group."

Best,
Andy
0 Kudos
khodgson_bts
Contributor
‎2024-02-28 05:31 AM
In response to the_rock
Jump to solution

We couldn't get that to work. Is it possibly due to the gateways still being R80.40?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-28 05:34 AM
In response to khodgson_bts
Jump to solution

Not sure, but it might be only possible in R81+

Andy

Best,
Andy
0 Kudos
khodgson_bts
Contributor
‎2024-02-28 05:47 AM
In response to the_rock
Jump to solution

Would you mind screenshotting what you've done so I can compare it to what we have please?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-28 06:03 AM
In response to khodgson_bts
Jump to solution

 
Best,
Andy
Preview file
180 KB
khodgson_bts
Contributor
‎2024-02-28 08:16 AM
Jump to solution

So it seems that it's only supported in gateways from R81.20.

MicrosoftTeams-image (4).png

Why it didn't give this error message in the production environment I don't know.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-28 09:18 AM
In response to khodgson_bts
Jump to solution

Not sure, but it would seem so.

Best,

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-10 02:44 PM
In response to khodgson_bts
Jump to solution

@khodgson_bts 

Sorry to revisit this a year later, but wanted to check something with you. We actually used this method recrntly with a customer to add 2 domain objects into group that started with exclusions_ and then added that group into RA vpn domain. Worked like a charm.

Now, tested today with another client, it failed, but could have been the domain itself. Now, TAC is telling us this exclusions_ group is used to exclude things, NOT include them, which makes sense 100%, BUT, its still not clear to me, for sure.

Thoughts?

Andy

Best,
Andy
0 Kudos
ccsjnw
Contributor
‎2024-12-13 12:56 PM
Jump to solution

Doesn't work in R82 either.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events