This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Sarvesh_Chougul
Ivory
‎2019-01-03 03:35 AM

Route Azure internet traffic via VPN to on-premises firewall

Hi All,

I have setup a VPN between Azure and our on-premises Checkpoint cluster. The VPN is up and working fine.

Now we are trying to route all internet bound traffic from Azure subnets via the on-prem firewalls for inspection and auditing. I have setup the route-based vpn i.e. Gateway-to-Gateway tunnel management in Checkpoint and can see that the internet traffic hits the Checkpoint firewall on premises.

However this traffic is being dropped with the error "According to the policy this packet should not be decrypted".

Has anyone faced this issue with forced tunneling?

I have referred to sk101275 and microsoft link below for setting up the VPN:

Configure forced tunneling for Azure Site-to-Site connections: Resource Manager | Microsoft Docs 

Thanks in Advance,

Sarvesh

Tags (2)
0 Kudos
1 Reply
Highlighted
Mark_Mitchell
Silver
‎2019-01-25 11:47 AM

Hi Sarvesh,

I suspect that you may already have the answer you need. 

The message you are seeing "According to the policy this packet should not be decrypted". Means that your onpremise gateway was not expecting to see the traffic from azure via the tunnel and drops it.

Have you set the encryption domain for your azure subnets where the traffic is sourced from on the peer object for the azure gateway within check point? 

Cheers

Mark

0 Kudos