We use a full mesh Check Point VPN; each site uses a gateway for Internet access (local breakout). However, there's a request to route a specific internet site through another VPN site, which should deliver the traffic from that remote gateway and not the local breakout. Does anyone have any idea how this request can be achieved in Check Point VPN? Thanks in advance.
Hi,
I am not sure, but I think you cannot route to a specific website over another VPN.
You have only 2 options: Internet traffic goes out over each gateway, or all traffic goes through the central VPN firewall.
The scenario is not exactly clear. Could you put a short diagram together on what you are trying to do, please?
The only thing that comes to my mind is VTI and route-based VPN, depending on your mesh community size.
Perhaps configuring the file vpn_route.conf can help here? Have seen it used before many times but admittedly not for traffic going to an Internet site...
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Hi Timothy,
Thanks for your reply. We have tried this way; however, when testing the traffic, we see the traffic sent to the remote gateway through the VPN tunnel, but after that the traffic was dropped on the remote gateway with this log:
encryption failure : according to the policy the package should not have been decrypted.
If the traffic is not an internet site, then it is ok.
Configure CP in the specific site in non-transparent proxy mode (you can add an interface to anchor proxy functionality to it) and set up NAT to it in your branch gateway.
Create a PAC file for the branch to define the NATed proxy IP for the URL in question and exempt the rest of the web traffic using "Direct".
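
The PAC file described in the reply above, as an added example that is not part of the original thread or any poster's configuration. The proxy address `192.0.2.10:8080` and the domain `example.com` are placeholders for the NATed proxy IP and the site in question; the helper `hostInDomain` is a hypothetical name.

```javascript
// PAC file served to branch clients (constructed example).
// Assumptions: 192.0.2.10:8080 is the NATed address of the proxy at the
// remote site, and "example.com" stands in for the site to be redirected.
var REMOTE_PROXY = "PROXY 192.0.2.10:8080";
var TUNNELED_DOMAINS = ["example.com"];

// True when host equals the domain or is a subdomain of it.
// A plain suffix test would also match "notexample.com", so the
// leading dot is checked explicitly.
function hostInDomain(host, domain) {
  return host === domain ||
    host.slice(-(domain.length + 1)) === "." + domain;
}

function FindProxyForURL(url, host) {
  // Normalise: lower-case, drop a trailing dot from a fully qualified name.
  host = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < TUNNELED_DOMAINS.length; i++) {
    if (hostInDomain(host, TUNNELED_DOMAINS[i])) {
      // No "; DIRECT" fallback: if the remote proxy is unreachable the
      // request fails instead of silently leaving via the local breakout.
      return REMOTE_PROXY;
    }
  }
  // Everything else keeps using the local breakout.
  return "DIRECT";
}
```

Only traffic from clients that honour the PAC file is steered this way; applications that ignore proxy settings still leave through the local gateway.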
Hmm, seemed like a good idea to me, but then I found an article stating that it can not work: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic goes throu... . My customer uses R77.30. Anyway, I will ask them to run a small virtual machine with squid or some other proxy, it should work.
Thanks!
Just looked at the sk you are referencing. Perhaps it is applicable to R80+ as well, but these versions are not listed in the "Applies to" section.
You may want to run it by CP to figure out if it is still the case or if the product was modified to support it.