Di_Junior
Advisor

Remote Access and Site-to-Site VPN access restriction

Dear Mates

I have recently migrated our VPN solution to Check Point. However, I have been experiencing some issues when it comes to restricting access to specific machines.

For example, if I set the VPN domain on the Gateway to 10.10.0.0/24, which is a network behind the gateway, and then create a firewall policy for remote users to access only 10.10.0.20/32, the remote users are also able to access other hosts in the 10.10.0.0/24 network, like 10.10.0.22/32, even if I only use a single host as a destination.

 

In the figure above, the RemoteAcess-users are also able to access other machines in the defined VPN domain apart from GUI-A.

Does this mean that remote users can access any machine in the VPN domain?

Any ideas on how this issue could be resolved, in such a way remote users only access the machines defined in the Destination field of the Firewall Policy?

Site-to-Site VPN

The same behavior is happening in site-to-site VPN: I only specified one host in the source, but other hosts can also access the remote machines even if they are not specified as source.

Thanks in advance

0 Kudos
10 Replies
JozkoMrkvicka
Authority

1. Please check logs and find out which firewall rule is allowing such traffic (if all rules have enabled logging).

2. Send us screenshot of "GUI-A" and "GUI-B" hosts.

3. Check NAT rules if there are any.

Kind regards,
Jozko Mrkvicka
0 Kudos
Di_Junior
Advisor

Hi there

There is only one rule. And when such communication happens, I don't see the logs in SmartView Tracker. I'm starting to wonder if it's an implicit rule.

Thanks

0 Kudos
JozkoMrkvicka
Authority

Hi,

In this case, try to enable logging of Implied rules from Global Properties and install the database (and, of course, the policy on the firewall itself).

Stupid question, but it happened to me a few times - are you checking the correct gateway? Try to run tcpdump to confirm that you see some traffic during the test, and issue "fw stat" to find out which policy package is used for this cluster.

Kind regards,
Jozko Mrkvicka
Di_Junior
Advisor

Hi Jozko Mrkvicka 

The traffic seems to be accepted by an implied rule (see the figure below). The question is, where can I find implied rule number 0? Is it the first one in the implicit rules (File->View->Implied Rules)?

Thanks

0 Kudos
JozkoMrkvicka
Authority

Isn't IP 10.10.1.3 one of the cluster members? Is this IP part of the Topology?

Usually traffic going from cluster members is going via Implied Rules.

Also, try some real traffic, like ssh or https, not ping.

Kind regards,
Jozko Mrkvicka
0 Kudos
Di_Junior
Advisor

It's not a cluster. I am using two separate gateways.

10.10.1.3 is a host which is part of the topology of the remote peer.

0 Kudos
JozkoMrkvicka
Authority

10.10.1.3 must be included only in local VPN encryption domain of SGW-B (also part of Topology).

10.10.0.10 must be included only in remote VPN encryption domain of VPN-PEER.

Kind regards,
Jozko Mrkvicka
0 Kudos
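As an added check for the encryption-domain point above (this is not code from the thread or from Check Point): a short Python script that reports which encryption domain each host falls in and whether the two sides' domains overlap. The network ranges are assumptions chosen to match the addresses discussed (SGW-B's local domain as 10.10.1.0/24, VPN-PEER's remote domain as 10.10.0.0/24).

```python
# Added example, not code from the thread or from Check Point. The networks
# below are assumed for illustration to match the addresses discussed.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Encryption domains as defined on the SGW-B side: its own (local) domain
# and the remote peer's (VPN-PEER) domain.
DOMAINS: Dict[str, List[str]] = {
    "SGW-B local": ["10.10.1.0/24"],
    "VPN-PEER remote": ["10.10.0.0/24"],
}


def domains_containing(host: str, domains: Dict[str, List[str]]) -> List[str]:
    """Names of every encryption domain whose networks contain host.
    A host should appear in exactly one domain."""
    ip = ip_address(host)
    return [name for name, nets in domains.items()
            if any(ip in ip_network(n) for n in nets)]


def overlapping_networks(domains: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Every pair of networks from different domains that intersect.
    Overlap between the local and remote domains is a classic misconfiguration:
    the gateway cannot tell which side a destination belongs to."""
    names = list(domains)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in domains[a]:
                for net_b in domains[b]:
                    if ip_network(net_a).overlaps(ip_network(net_b)):
                        found.append((a, b, net_a, net_b))
    return found


def check(domains: Dict[str, List[str]], hosts: List[str]) -> List[str]:
    """Human-readable findings; an empty list means the configuration is clean."""
    findings = []
    for a, b, net_a, net_b in overlapping_networks(domains):
        findings.append(f"overlap: {net_a} in '{a}' intersects {net_b} in '{b}'")
    for host in hosts:
        owners = domains_containing(host, domains)
        if len(owners) != 1:
            findings.append(f"{host} is in {len(owners)} domains: {owners}")
    return findings


if __name__ == "__main__":
    for line in check(DOMAINS, ["10.10.1.3", "10.10.0.10"]) or ["no findings"]:
        print(line)
    # A broken variant: half of the peer's network is also declared locally.
    broken = {"SGW-B local": ["10.10.1.0/24", "10.10.0.0/25"],
              "VPN-PEER remote": ["10.10.0.0/24"]}
    for line in check(broken, ["10.10.1.3", "10.10.0.10"]):
        print(line)
```

With the clean definition, 10.10.1.3 is only in SGW-B's local domain and 10.10.0.10 only in VPN-PEER's remote domain, as Jozko requires. The broken variant shows what to look for when a host "belongs" to both sides.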
Di_Junior
Advisor

Hi Jozko Mrkvicka

You were right.

I enabled Web services on the 10.10.0.10, and I tried to access it using http from a remote client and access was not granted. I tried to ping it, it worked.

I guess this issue is only related to Ping.

Why is it that ping is accepted by the implied rule even if the destination is not specified in the firewall policy?

Thanks

0 Kudos
JozkoMrkvicka
Authority

Hi Di Junior,

Please check if you have Accept ICMP requests enabled, or not. These are the default settings for all implied rules:

Kind regards,
Jozko Mrkvicka
0 Kudos
AlekseiShelepov
Advisor

"0 - Implied rules" represents all of the implied rules; you would need to check Global Properties or the implied rules themselves to understand which setting exactly allows this traffic. But usually it's not difficult to determine.

I would like to point to another possibility, which is not your case obviously, but just worth mentioning.

The "Accept all encrypted traffic" option might be enabled in the community properties.

This will result in the following rule, which is visible in the policy by default (unlike implied rules).

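To make the "rule 0" point from the last two replies concrete, here is an added Python model (not Check Point code, and not from the thread) of the order in which a Security Gateway evaluates implied rules, explicit rules and the implicit cleanup rule. The single explicit rule and the Office Mode address pool 10.200.0.0/24 are assumptions; the "Accept ICMP requests" implied rule is modelled at its Before Last position.

```python
# Added example, not from the thread or from Check Point: a toy model of
# rule evaluation order, showing why a ping to an unlisted host is accepted
# and logged as rule 0 while HTTP to the same host is dropped.
# All addresses and rule contents are constructed for illustration.
from dataclasses import dataclass, field
from typing import List
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass
class Rule:
    name: str
    src: List[str]        # CIDR strings, or [ANY]
    dst: List[str]
    services: List[str]   # e.g. "icmp", "tcp/80", or [ANY]
    action: str           # "accept" or "drop"
    number: int           # 0 = implied/implicit, 1..n = explicit rule position

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (_contains(self.src, src) and _contains(self.dst, dst)
                and (ANY in self.services or service in self.services))


def _contains(nets: List[str], ip: str) -> bool:
    return ANY in nets or any(ip_address(ip) in ip_network(n) for n in nets)


@dataclass
class Rulebase:
    explicit: List[Rule]
    first: List[Rule] = field(default_factory=list)        # implied "First"
    before_last: List[Rule] = field(default_factory=list)  # implied "Before Last"
    last: List[Rule] = field(default_factory=list)         # implied "Last"

    def ordered(self) -> List[Rule]:
        # Evaluation order: implied First, explicit rules up to the last one,
        # implied Before Last, the last explicit rule, implied Last, then the
        # implicit cleanup rule (drop, also reported as rule 0, and not logged).
        cleanup = Rule("Implicit cleanup", [ANY], [ANY], [ANY], "drop", 0)
        return (self.first + self.explicit[:-1] + self.before_last
                + self.explicit[-1:] + self.last + [cleanup])

    def evaluate(self, src: str, dst: str, service: str) -> Rule:
        # First match wins, exactly as in the real rulebase.
        return next(r for r in self.ordered() if r.matches(src, dst, service))


def build_rulebase(accept_icmp_requests: bool) -> Rulebase:
    """The thread's single explicit rule (remote users -> GUI-A only) plus the
    Global Properties 'Accept ICMP requests' implied rule when enabled.
    The Office Mode pool 10.200.0.0/24 is an assumption."""
    explicit = [Rule("RemoteAccess-users to GUI-A", ["10.200.0.0/24"],
                     ["10.10.0.20/32"], [ANY], "accept", 1)]
    before_last = []
    if accept_icmp_requests:
        before_last.append(Rule("Accept ICMP requests", [ANY], [ANY],
                                ["icmp"], "accept", 0))
    return Rulebase(explicit=explicit, before_last=before_last)


if __name__ == "__main__":
    rb = build_rulebase(accept_icmp_requests=True)
    for dst, svc in [("10.10.0.20", "tcp/80"), ("10.10.0.22", "tcp/80"),
                     ("10.10.0.22", "icmp")]:
        r = rb.evaluate("10.200.0.5", dst, svc)
        print(f"{svc:7} -> {dst}: {r.action} by rule {r.number} ({r.name})")
```

Run as-is, HTTP to GUI-A is accepted by rule 1, HTTP to 10.10.0.22 is dropped by the implicit cleanup, and ping to 10.10.0.22 is accepted by rule 0, which is what the logs in the thread show. Unticking "Accept ICMP requests" in Global Properties (or passing accept_icmp_requests=False here) makes that ping fall through to the drop. Two practical caveats: add an explicit cleanup rule with Track set to Log, since the implicit drop leaves no log entry, and remember that the "Accept all encrypted traffic" community rule mentioned above sits in the visible rulebase and would likewise bypass a destination restriction.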