This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Contributor
‎2024-02-26 05:18 AM
Jump to solution

Domain objects in remote access encryption domain.

Hello all!

 

Just completed an upgrade of management to R81.20 from R81.10. It manages 3 x clusters currently running on R80.40 (upgrade imminent).

One of the clusters is used for the remote access VPN, and now when pushing policy we get the following error:

"You can use updateable objects, dynamic objects and domain objects in a Remote Access VPN community only as members of a network group whose name starts with 'exclusions_'. The group whose name starts with 'exclusions_' must be a member of another network group."

There is only one domain object in use and I've tried this workaround and it still fails. The only way to get a successful policy installation is to remove the domain object from the RA encryption domain entirely.

TAC have not been much use so far.

Any ideas?

0 Kudos
1 Solution

Accepted Solutions
khodgson_bts
Contributor
‎2024-02-28 08:16 AM
Jump to solution

So it seems that it's only supported in gateways from R81.20.

MicrosoftTeams-image (4).png

Why it didn't give this error message in the production environment I don't know.

View solution in original post

0 Kudos
10 Replies
the_rock
Legend
Legend
‎2024-02-26 05:50 AM
Jump to solution

Hey,

Can you send a screenshot please? I can try it in my lab and report back.

Best,

Andy

0 Kudos
khodgson_bts
Contributor
‎2024-02-28 05:00 AM
Jump to solution

OK so this seems to be expected behaviour (working as intended). Domain objects are not permitted in the encryption domain for an remote access VPN except in a very specific scenario detailed here.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

Clearly this has never worked, but until now it's not really been flagged up or enforced during a policy installation.

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 05:10 AM
In response to khodgson_bts
Jump to solution

This part is actuallly true, just tested it.

Andy

"You can use updateable objects, dynamic objects and domain objects in a Remote Access VPN community only as members of a network group whose name starts with 'exclusions_'. The group whose name starts with 'exclusions_' must be a member of another network group."

0 Kudos
khodgson_bts
Contributor
‎2024-02-28 05:31 AM
In response to the_rock
Jump to solution

We couldn't get that to work. Is it possibly due to the gateways still being R80.40?

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 05:34 AM
In response to khodgson_bts
Jump to solution

Not sure, but it might be only possible in R81+

Andy

0 Kudos
khodgson_bts
Contributor
‎2024-02-28 05:47 AM
In response to the_rock
Jump to solution

Would you mind screenshotting what you've done so I can compare it to what we have please?

0 Kudos
khodgson_bts
Contributor
‎2024-02-28 08:16 AM
Jump to solution

So it seems that it's only supported in gateways from R81.20.

MicrosoftTeams-image (4).png

Why it didn't give this error message in the production environment I don't know.

0 Kudos
the_rock
Legend
Legend
‎2024-02-28 09:18 AM
In response to khodgson_bts
Jump to solution

Not sure, but it would seem so.

Best,

Andy

0 Kudos
ccsjnw
Participant
‎2024-12-13 12:56 PM
Jump to solution

Doesn't work in R82 either.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top