Blason_R
Advisor

Management CPM and CPMI ports are not matching rules.

Hi Team,

I have this scenario -

Customer has a Fortigate firewall at the DC end while CP is at HO (R80.40). Mgmt server (R81) is in DC and behind FG, let's say 10.10.11.10, while the network behind CP is 10.30.20.0/24.

Now we have a tunnel built between DG-FG and HO-CP. Everything works fine except that the customer wanted to connect to SmartConsole from the HO network, i.e. 10.30.20.0/24. Since it's a tunnel, initially I thought it should take the ACL and should not be an issue; while investigating, I found that the connection is going through the Implied rule since it's a control connection and is not matching the VPN tunnel rule.

Later I decided to bypass ports 18190 and 19009 and route them through the Internet; however, I believe that due to the peer and S2S VPN, even this is not working.

Any clue, or has anyone ever faced this issue before?

TIA

_Val_
Admin

SIC communications are already encrypted and, as you rightly mentioned, are not going through the IPsec tunnel. The main reason for that is that you do not want to rely on VPN for control connections to work.

For SmartConsole, I would suggest checking NAT and routing before anything else.

RamGuy239
Advisor

I think this is expected behaviour? Check Point will by default include the peer addresses as a part of the encryption domain. Simply adding TCP-18190 (CPMI) and TCP-19009 (CPM) to the excluded services will not be enough.

This will make it so that these services will not be included within the Check Point VPN logic, so they won't be tossed into the VPN tunnel and routing, and you should be able to have these services routed over the Internet instead of being encrypted within the tunnel. But as the peer addresses are getting automatically added as part of what Check Point considers the encryption domain, it still expects traffic heading towards the peer address of the DG-FG to be encrypted, if I'm not mistaken?

So you will have to follow sk86582 in order to exclude the peer addresses, so the Check Point doesn't expect this traffic to be encrypted.

Another solution would be to have CPMI and CPM removed from implied_rules.def. The issue with implied_rules.def is that you start having VPN traffic hitting rule 0, getting accepted and not getting encrypted. If these services are removed from implied_rules.def this won't happen, and you would be able to connect SmartConsole via the VPN tunnel using the private IP addresses just fine.

The downside to this is that you will no longer have CPMI and CPM as part of the implied rules, resulting in rule 0 no longer saving you from badly designed security policies. Now you will have to make sure that each relevant security policy has explicit rules that allow CPMI and CPM traffic towards the management where it's needed. With implied rules in place, this is not required, as this kind of traffic will be automatically accepted within rule 0.
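The evaluation order RamGuy239 describes (implied rules at rule 0 first, the explicit rulebase with the VPN community rule afterwards) is the whole reason the SmartConsole connection leaves in clear text. The following is an added, deliberately simplified model of that order, not code from Check Point or from anyone in this thread. The addresses and ports are the ones the thread gives; the DC-side network 10.10.11.0/24, the rule names, and the `enable_cpmi` flag standing in for `#define ENABLE_CPMI` are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CPMI_PORT = 18190  # CPMI, used by SmartConsole
CPM_PORT = 19009   # CPM, used by SmartConsole
# sk105719 (cited later in the thread): one "#define ENABLE_CPMI" in
# implied_rules.def governs both services.
CPMI_SERVICES = frozenset({CPMI_PORT, CPM_PORT})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src_net: str
    dst_net: str
    dport: Optional[int]  # None matches any service
    action: str           # "accept", "drop" or "encrypt" (VPN community rule)


@dataclass
class Policy:
    mgmt_server: str
    local_domain: str          # encryption domain behind this gateway (HO)
    remote_domain: str         # encryption domain behind the peer (DC)
    enable_cpmi: bool = True   # models "#define ENABLE_CPMI" in implied_rules.def
    rules: List[Rule] = field(default_factory=list)


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, str, bool]:
    """Return (matched_rule, action, encrypted) for one packet."""
    # Rule 0: implied rules are evaluated before the explicit rulebase.
    # A control connection to the management server is accepted here and
    # never reaches the VPN rule, so it leaves the gateway unencrypted.
    if (policy.enable_cpmi and pkt.dst == policy.mgmt_server
            and pkt.dport in CPMI_SERVICES):
        return ("rule 0 (implied)", "accept", False)

    # Explicit rulebase, first match wins.
    for rule in policy.rules:
        if not (in_net(pkt.src, rule.src_net) and in_net(pkt.dst, rule.dst_net)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.action == "encrypt":
            # The community rule encrypts traffic between the two
            # encryption domains; a match outside them is a plain accept.
            both_domains = (in_net(pkt.src, policy.local_domain)
                            and in_net(pkt.dst, policy.remote_domain))
            return (rule.name, "accept", both_domains)
        return (rule.name, rule.action, False)

    # Implicit cleanup rule.
    return ("cleanup", "drop", False)


def ho_policy(enable_cpmi: bool = True, with_vpn_rule: bool = True) -> Policy:
    """HO gateway policy for the thread's scenario (constructed example).
    The DC network 10.10.11.0/24 is an assumption; the post only gives the
    management server address 10.10.11.10."""
    rules = []
    if with_vpn_rule:
        rules.append(Rule("HO-to-DC VPN", "10.30.20.0/24", "10.10.11.0/24",
                          None, "encrypt"))
    return Policy(mgmt_server="10.10.11.10", local_domain="10.30.20.0/24",
                  remote_domain="10.10.11.0/24", enable_cpmi=enable_cpmi,
                  rules=rules)


if __name__ == "__main__":
    console = Packet("10.30.20.5", "10.10.11.10", CPM_PORT)  # SmartConsole client at HO
    ssh = Packet("10.30.20.5", "10.10.11.10", 22)            # ordinary host traffic
    cases = (("ENABLE_CPMI defined", ho_policy(True)),
             ("ENABLE_CPMI removed", ho_policy(False)),
             ("ENABLE_CPMI removed, no VPN rule", ho_policy(False, False)))
    for label, pol in cases:
        print(f"{label}: SmartConsole -> {evaluate(pol, console)}, "
              f"SSH -> {evaluate(pol, ssh)}")
```

The three cases in `__main__` reproduce the thread's argument: with the implied rule in place, CPM/CPMI to the management server is accepted at rule 0 and is not encrypted while SSH to the same host is encrypted by the VPN rule; with `ENABLE_CPMI` removed, SmartConsole traffic falls through to the VPN rule and is encrypted; and with it removed on a policy that has no explicit rule for it, the same connection drops at cleanup, which is the downside RamGuy239 warns about.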

Blason_R
Advisor

This can be accepted as a solution, because it is just a matter of connecting to the mgmt console, and it is not SIC traffic, nor CPD or AMON traffic, so I guess I am at the least risk here.

Blason_R
Advisor

Now the thing is: I don't see the CPM port in implied_rules.def; instead I am seeing CPMI, which is 18190, but I believe we need the 19009/CPM port as well?

RamGuy239
Advisor

Hi, @Blason_R 

It's somewhat misleading. The line "#define ENABLE_CPMI" will affect both CPM and CPMI. You can use sk105719 as a reference.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Blason_R
Advisor

Well, I did something else: I NATed the traffic to the mgmt server behind another IP and not the firewall IP, since it's the peer IP.

Thanks for your help.
