This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sarvesh_Chougul
Explorer
‎2019-01-03 03:35 AM

Route Azure internet traffic via VPN to on-premises firewall

Hi All,

I have setup a VPN between Azure and our on-premises Checkpoint cluster. The VPN is up and working fine.

Now we are trying to route all internet bound traffic from Azure subnets via the on-prem firewalls for inspection and auditing. I have setup the route-based vpn i.e. Gateway-to-Gateway tunnel management in Checkpoint and can see that the internet traffic hits the Checkpoint firewall on premises.

However this traffic is being dropped with the error "According to the policy this packet should not be decrypted".

Has anyone faced this issue with forced tunneling?

I have referred to sk101275 and microsoft link below for setting up the VPN:

Configure forced tunneling for Azure Site-to-Site connections: Resource Manager | Microsoft Docs 

Thanks in Advance,

Sarvesh

0 Kudos
1 Reply
Mark_Mitchell
Advisor
‎2019-01-25 11:47 AM

Hi Sarvesh,

I suspect that you may already have the answer you need. 

The message you are seeing "According to the policy this packet should not be decrypted". Means that your onpremise gateway was not expecting to see the traffic from azure via the tunnel and drops it.

Have you set the encryption domain for your azure subnets where the traffic is sourced from on the peer object for the azure gateway within check point? 

Cheers

Mark

0 Kudos
Labels