Hello everyone
I'm having some issues using the Check Point Gateway as a proxy when I'm using the Check Point client VPN.
The scenario is as follows: my gateway is configured as a proxy. Recently I activated VPN functionality. The VPN works normally; however, I cannot navigate if I use the Check Point proxy, but I can ping any site.
I ran a test while connected to another VPN that gives access to the same networks. I used the Check Point proxy again, and the access was allowed or denied according to my ACLs, and I can see it in my logs.
Is there any limitation on using the gateway as VPN and proxy, or should I make some configuration?
Thanks!
Please specify the version of the Check Point Management and gateways, whether you have the proxy configured in transparent or explicit mode, whether you have defined the interface for the proxy, and whether you are using .pac files on your VPN clients.
Additionally, please clarify what kind of VPN we are talking about: SSL or IPSec, and if the second, what VPN client software and version is in use.
Thanks for your answer, Vladimir!
I'm using R80.10 on both Management and gateway. The proxy is configured in Non Transparent mode. I did not define an interface for the proxy, and at this first moment I'm not using a .pac file on the VPN client.
I'm using IPSec with Check Point Endpoint Security E80.70.
Kadu,
Please check if VPN tunneling is enabled on your EndPoint Security clients; otherwise you are looking at the split tunnel scenario, where not all traffic is being sent to the gateways.
Since you have mentioned that you can ping all the sites (I presume from the client), try traceroute from the client to determine if your ICMP traffic is going over the VPN, or if it is going directly via the local gateway of the remote client.
Additionally, it is a good idea to determine, using nslookup, where the DNS resolution is happening: locally or via VPN.
Next, confirm that you are offering "Office Mode" to remote users.
If yes, check the IP Pool that is being used for address allocation.
Make sure that you have a rule allowing the IP pool to access Internet and that it is being NATed on its way out.
You may also check "Optional Parameters" in the "Office Mode" to see what DNS servers are defined for remote clients.
Cheers,
Vladimir
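The traceroute check above comes down to which route the client selects for a given destination. As an added example (not part of the original thread), this Python code applies longest-prefix route selection to two constructed client routing tables and classifies the client as split-tunnel or full-tunnel; the interface names `vpn` and `lan`, the prefixes, metrics and probe addresses are all assumptions.

```python
import ipaddress

# Constructed sample routing tables: (destination prefix, egress interface, metric).
# "vpn" stands for the Office Mode virtual adapter, "lan" for the client's local gateway.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "lan", 25),       # default route stays on the local gateway
    ("10.0.0.0/8", "vpn", 1),       # only the encryption domain goes into the tunnel
    ("192.168.1.0/24", "lan", 25),
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn", 1),        # default route pushed into the tunnel
    ("0.0.0.0/0", "lan", 25),
    ("192.168.1.0/24", "lan", 25),
]

def egress(routes, dest):
    """Return the interface chosen for dest: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    candidates = [
        (ipaddress.ip_network(prefix), iface, metric)
        for prefix, iface, metric in routes
        if ip in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    _, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface

def classify(routes, internal_probe, internet_probe):
    """Classify the client as 'full-tunnel', 'split-tunnel' or 'no-vpn'."""
    inside = egress(routes, internal_probe)
    outside = egress(routes, internet_probe)
    if inside != "vpn":
        return "no-vpn"
    return "full-tunnel" if outside == "vpn" else "split-tunnel"

if __name__ == "__main__":
    # 10.1.1.10 = constructed internal host, 203.0.113.50 = constructed Internet host
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, classify(table, "10.1.1.10", "203.0.113.50"))
```

A client whose Internet probe leaves via `lan` while the internal probe leaves via `vpn` matches the split tunnel scenario, which is what a traceroute showing the local gateway as first hop indicates.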
Vladimir, is this option you referred to (VPN tunneling)? How can I change it?
My ICMP traffic is going directly via local gateway of my remote client.
DNS resolution is happening via VPN normally.
I'm offering "Office Mode" to remote users.
Any idea?
Thanks for your time!
If you are using a simple SecuRemote, you will not be able to change this:
If you are using a full EndPoint security, this should work:
Provided the rules are in place to allow it.
Cheers,
Vladimir