Create a Post
Showing results for 
Search instead for 
Did you mean: 

Route Azure internet traffic via VPN to on-premises firewall

Hi All,

I have setup a VPN between Azure and our on-premises Checkpoint cluster. The VPN is up and working fine.

Now we are trying to route all internet bound traffic from Azure subnets via the on-prem firewalls for inspection and auditing. I have setup the route-based vpn i.e. Gateway-to-Gateway tunnel management in Checkpoint and can see that the internet traffic hits the Checkpoint firewall on premises.

However this traffic is being dropped with the error "According to the policy this packet should not be decrypted".

Has anyone faced this issue with forced tunneling?

I have referred to sk101275 and microsoft link below for setting up the VPN:

Configure forced tunneling for Azure Site-to-Site connections: Resource Manager | Microsoft Docs 

Thanks in Advance,


0 Kudos
1 Reply

Hi Sarvesh,

I suspect that you may already have the answer you need. 

The message you are seeing "According to the policy this packet should not be decrypted". Means that your onpremise gateway was not expecting to see the traffic from azure via the tunnel and drops it.

Have you set the encryption domain for your azure subnets where the traffic is sourced from on the peer object for the azure gateway within check point? 



0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events