This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Kadu_Lincoln
Explorer
‎2017-12-01 04:09 AM

I can ping but I can't browse - vpn and proxy check point

Hello everyone

I'm having some issues using the Check Point Gateway as a proxy when I'm using the check point client VPN.

Scenario is as follows: my gateway is configured as a proxy. Recently I activated VPN functionality. The vpn works normally, however, I can not navigate if I use the proxy check point but I can ping any site.

I made a test connected in another VPN that gives access to the same networks, I used the Check Point proxy again and the access was allowed or denied according to my ACLs and I can see it in my logs.

is there any limitation on using the gateway as vpn and proxy or should I make some configuration?

Thanks!

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2017-12-01 11:27 AM

Plea specify the version of the Check Point Management and gateways, if you have proxy configured in transparent or explicit mode, if you have defined the interface for the proxy and if you are using .pac files on your VPN  clients.

Additionally, please clarify what kind of VPN are we talking about: SSL or the IPSec and if second, what VPN software client and version is in use.

0 Kudos
Kadu_Lincoln
Explorer
‎2017-12-03 02:51 PM

Thanks for your answer, Vladimir!

I'm using R80.10 in both: Mangament and gateway. Proxy is configured in Non Transparent mode. I did not define an interface for the proxy and in this firt moment I'm not using .pac file on VPN client.

I'm using IPSec with Check Point Endpoint Security E80.70

0 Kudos
Vladimir
Champion
Champion
‎2017-12-04 11:09 AM
In response to Kadu_Lincoln

Kadu,

Please check if the VPN tunneling is enabled on your EndPoint Security clients, else you are looking at the split tunnel scenario, where not all traffic is being sent to the gateways.

Since you have mentioned that you can ping all the sites, (I presume from the client), try traceroute from the client to determine if your ICMP traffic is going over the VPN, or if it is going directly via local gateway of the remote client.

Additionally, it is a good idea to determine, using nslookup, where does the DNS resolution happening, locally or via VPN.

Next, confirm that you are offering "Office Mode" to remote users.

If yes, check the IP Pool that is being used for address allocation.

Make sure that you have a rule allowing the IP pool to access Internet and that it is being NATed on its way out.

You may also check "Optional Parameters" in the "Office Mode" to see what DNS servers are defined for remote clients.

Cheers,

Vladimir

0 Kudos
Frederico_Linco
Explorer
‎2017-12-05 03:26 PM
In response to Vladimir

Vladimir, is this option you referred to (VPN tunneling)? How can I change it?

My ICMP traffic is going directly via local gateway of my remote client.

DNS resolution is happening via VPN normally.

I'm offering "Office Mode" to remote users.

Any idea?

Thanks for your time!

0 Kudos
Vladimir
Champion
Champion
‎2017-12-05 05:57 PM
In response to Frederico_Linco

If you are using a simple SecuRemote, you will not be able to change this:

SecuRemote

If you are using a full EndPoint security, this should work:

Route Through Gateway Hub

Provided the rules are in place to allow it.

Cheers,

Vladimir

Labels