khodgson_bts
Contributor

Domain objects in remote access encryption domain.

Hello all!


Just completed an upgrade of management to R81.20 from R81.10. It manages 3 x clusters currently running on R80.40 (upgrade imminent).

One of the clusters is used for the remote access VPN, and now when pushing policy we get the following error:

"You can use updateable objects, dynamic objects and domain objects in a Remote Access VPN community only as members of a network group whose name starts with 'exclusions_'. The group whose name starts with 'exclusions_' must be a member of another network group."

There is only one domain object in use and I've tried this workaround and it still fails. The only way to get a successful policy installation is to remove the domain object from the RA encryption domain entirely.

TAC have not been much use so far.

Any ideas?

12 Replies
the_rock
MVP Platinum

Hey,

Can you send a screenshot please? I can try it in my lab and report back.

Best,
Andy
khodgson_bts
Contributor

OK so this seems to be expected behaviour (working as intended). Domain objects are not permitted in the encryption domain for a remote access VPN except in a very specific scenario detailed here.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

Clearly this has never worked, but until now it's not really been flagged up or enforced during a policy installation.

the_rock
MVP Platinum

This part is actually true, just tested it.

"You can use updateable objects, dynamic objects and domain objects in a Remote Access VPN community only as members of a network group whose name starts with 'exclusions_'. The group whose name starts with 'exclusions_' must be a member of another network group."

Best,
Andy
khodgson_bts
Contributor

We couldn't get that to work. Is it possibly due to the gateways still being R80.40?

the_rock
MVP Platinum

Not sure, but it might be only possible in R81+

Best,
Andy
khodgson_bts
Contributor

Would you mind screenshotting what you've done so I can compare it to what we have please?

the_rock
MVP Platinum

Best,
Andy
khodgson_bts
Contributor

So it seems that it's only supported in gateways from R81.20.

[screenshot attachment: MicrosoftTeams-image (4).png]

Why it didn't give this error message in the production environment I don't know.

the_rock
MVP Platinum

Not sure, but it would seem so.

Best,
Andy
the_rock
MVP Platinum

@khodgson_bts 

Sorry to revisit this a year later, but wanted to check something with you. We actually used this method recently with a customer to add 2 domain objects into a group that started with exclusions_ and then added that group into the RA VPN domain. Worked like a charm.

Now, tested today with another client, it failed, but could have been the domain itself. Now, TAC is telling us this exclusions_ group is used to exclude things, NOT include them, which makes sense 100%, BUT, it's still not clear to me, for sure.

Thoughts?

Best,
Andy
ccsjnw
Contributor

Doesn't work in R82 either.

BAlexiev
Explorer

Works for exclusions, as stated in the documentation, both in R81.20 and R82. You need to add Updateable objects and Domain objects into a Network group named exclusions_RemoteAccessVPN, for example, keeping in mind that, for exclusion mode, the name must begin with "exclusions_" (Ref: Dynamic Split Tunneling for SaaS Using Updatable Objects).

Then the exclusions_RemoteAccessVPN group should be added to the group, which includes the network objects, which will be part of your VPN Domain - the group you specify in the RemoteAccess community (as override) or in the GW object configuration. For example, this group can be called RemoteAccessVPN_Networks. You should not use the exclusions_RemoteAccessVPN group directly as the VPN Domain group (which doesn't make much sense) and for now you can't add the Domain objects to another group, which you will include alongside the Updateable objects in your exclusions_RemoteAccessVPN group. Meaning no recursive resolving is currently possible.

Suggestions: @PhoneBoy

It would be nice if recursive resolving of Domain objects is added as a feature (to allow adding them to a group, which then will be added to the exclusions_ group). This will allow for cleaner configuration and will be similar to the AD concept of adding Global groups to Domain Local groups.

Additionally, a much better approach would be to add not only company services to the Updateable objects, but similar to what we have there for US government, add other Government sites/domains for each country as Updateable objects. This would mean we have just one "group" added to the exclusions_ group and since Government sites are excluded from HTTPS Inspection and many times blocked from other countries, we will easily exclude them from the RA VPN tunnels.

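As an added worked example (not Check Point's code, and not posted by anyone in this thread): a small Python checker that encodes the group layout BAlexiev describes above and the rule quoted in the policy-installation error. It walks the group used as the Remote Access VPN domain and flags the three failure modes discussed in the thread: a domain/updatable/dynamic object placed directly in the encryption domain (the original poster's setup), an exclusions_ group used directly as the VPN domain instead of as a member of another group, and a domain object placed in a plain group that is itself nested under the exclusions_ group (the "no recursive resolving" case). The object model is a constructed dict of dataclasses; the object names (RemoteAccessVPN_Networks, exclusions_RemoteAccessVPN, intranet.example.com, the Office365_* updatable objects) are assumptions, as is the suggestion that in practice you would populate the model from `mgmt_cli show group ... details-level full` JSON rather than by hand.

```python
from dataclasses import dataclass, field

# Object kinds the gateway resolves at runtime; the policy verifier only
# accepts them as direct members of a group whose name starts with "exclusions_".
RESOLVED_AT_RUNTIME = {"dns-domain", "updatable-object", "dynamic-object"}
EXCLUSIONS_PREFIX = "exclusions_"


@dataclass
class NetObj:
    name: str
    kind: str                                    # "network", "host", "group", or one of RESOLVED_AT_RUNTIME
    members: list = field(default_factory=list)  # member object names; used only when kind == "group"


def validate_ra_vpn_domain(objects, vpn_domain):
    """Return a list of violations for the group used as the Remote Access VPN domain.

    An empty list means the layout satisfies the 'exclusions_' rule quoted in the
    thread (assumption: nothing else blocks policy installation).
    """
    problems = []
    top = objects[vpn_domain]
    if top.kind != "group":
        return [f"{top.name}: VPN domain must be a network group, not {top.kind}"]
    if top.name.startswith(EXCLUSIONS_PREFIX):
        problems.append(f"{top.name}: an exclusions_ group must be a member of another "
                        "network group, not the VPN domain itself")

    def walk(group, in_exclusions, nested_below_exclusions, seen):
        if group.name in seen:  # guard against group cycles
            return
        seen = seen | {group.name}
        for name in group.members:
            obj = objects[name]
            if obj.kind in RESOLVED_AT_RUNTIME:
                if not in_exclusions:
                    problems.append(f"{obj.name} ({obj.kind}) in {group.name}: allowed only "
                                    "inside a group whose name starts with exclusions_")
                elif nested_below_exclusions:
                    problems.append(f"{obj.name} ({obj.kind}) in {group.name}: must be a direct "
                                    "member of the exclusions_ group (no recursive resolving)")
            elif obj.kind == "group":
                if in_exclusions:
                    # any group below an exclusions_ group is nesting, which is not resolved
                    walk(obj, True, True, seen)
                elif obj.name.startswith(EXCLUSIONS_PREFIX):
                    walk(obj, True, False, seen)
                else:
                    walk(obj, False, False, seen)

    walk(top, top.name.startswith(EXCLUSIONS_PREFIX), False, set())
    return problems


def sample_objects():
    """Constructed sample (hypothetical names), modelled on the layouts discussed in the thread."""
    return {
        "Net_Corp_10.0.0.0": NetObj("Net_Corp_10.0.0.0", "network"),
        "Host_DC1": NetObj("Host_DC1", "host"),
        "intranet.example.com": NetObj("intranet.example.com", "dns-domain"),
        "Office365_Teams": NetObj("Office365_Teams", "updatable-object"),
        "Office365_SharePoint": NetObj("Office365_SharePoint", "updatable-object"),
        # BAlexiev's layout: exclusions_ group is a member of the VPN domain group
        "exclusions_RemoteAccessVPN": NetObj("exclusions_RemoteAccessVPN", "group",
            ["intranet.example.com", "Office365_Teams", "Office365_SharePoint"]),
        "RemoteAccessVPN_Networks": NetObj("RemoteAccessVPN_Networks", "group",
            ["Net_Corp_10.0.0.0", "Host_DC1", "exclusions_RemoteAccessVPN"]),
        # original poster's layout: domain object directly in the encryption domain
        "RA_Domain_Broken": NetObj("RA_Domain_Broken", "group",
            ["Net_Corp_10.0.0.0", "intranet.example.com"]),
        # nesting BAlexiev says is not resolved: domain object in a plain group under exclusions_
        "SaaS_Domains": NetObj("SaaS_Domains", "group", ["intranet.example.com"]),
        "exclusions_Nested": NetObj("exclusions_Nested", "group", ["SaaS_Domains", "Office365_Teams"]),
        "RA_Domain_Nested": NetObj("RA_Domain_Nested", "group", ["Net_Corp_10.0.0.0", "exclusions_Nested"]),
    }


if __name__ == "__main__":
    objs = sample_objects()
    for domain in ("RemoteAccessVPN_Networks", "RA_Domain_Broken",
                   "exclusions_RemoteAccessVPN", "RA_Domain_Nested"):
        found = validate_ra_vpn_domain(objs, domain)
        print(f"{domain}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as-is to see the one valid layout and the three rejected ones; to check a real management server, build the same dict from `mgmt_cli show group` / `show dns-domain` output (assumption about the workflow, not something the thread shows) and call `validate_ra_vpn_domain` on the group you set as the RA community or gateway VPN domain.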
