Re: SIC and Policy installation in remote checkpoi...

RajnishR · ‎2021-09-15

Hi Experts,

I am working on a setup where local mgmt server has to configure and manage remote checkpoint gateway that is in different network via internet & one of SD-WAN service chain.

Below is the flow:

CP- SMS > local CP > Local SD-WAN >>>>>IPSEC/Tunnel >>>> Remote SD-WAN > eth6 - Remote CP - eth7

I am using eth6 for service chain from which remote CP gets traffic and eth7 for mgmt interface

traceroute from remote CP to local CP-SMS works but reverse fails at remote CP eth6 interface as it drops the traffic

13:02:51.046622 IP 10.91.117.14.48954 > UCPE32-CP.33471: UDP, length 40
13:02:51.046644 IP 10.91.117.14.21790 > UCPE32-CP.33476: UDP, length 40
13:02:51.046657 IP 10.91.117.14.64158 > UCPE32-CP.33475: UDP, length 40
13:02:51.046680 IP UCPE32-CP > 10.91.117.14: ICMP UCPE32-CP udp port 33472 unreachable, length 76
13:02:51.046730 IP 10.91.117.14.43784 > UCPE32-CP.33478: UDP, length 40
13:02:51.046792 IP UCPE32-CP > 10.91.117.14: ICMP UCPE32-CP udp port 33473 unreachable, length 76
13:02:51.046842 IP UCPE32-CP > 10.91.117.14: ICMP UCPE32-CP udp port 33468 unreachable, length 76

I have few questions:

1. As remote checkpoint is newly installed and to initially configure it we need to have a connectivity to mgmt server.

with the current status, will it allow traffic to flow from eth6 >> eth7 internally? in my case its dropping and if yes, in what condition?

2. How in production the checkpoint gateways are configured with a central SMS on SIC & policy installation? should we make the route directly to eth7 of remote checkpoint gateway from mgmt server ?

3. I have done fw unloadlocal and will this still deny traffic to flow inside checkpoint?

4. As there is default policy which deny traffic from external network, is there any way , I can locally install the policy in checkpoint gateway ?

Appreciate your response.

Thanks,

Rajnish

RajnishR · ‎2021-09-16

Additional to that,

What is stopping eth7 to get traffic from eth6 in checkpoint. I mean when I try to ping/traceroute/ssh eth7 IP, it does not reach eth7 but stays at eth6 only

PhoneBoy · ‎2021-09-16

Until the gateway has a real policy, IP routing is disabled at the OS level.
I’m guessing that’s why you’re getting ICMP Unreachable in this situation.
That said the gateway is fully aware of all the interfaces it has, so doesn’t need a route from one interface to another.

Regardless, the initial/default policy should allow the necessary traffic.
There is no way to configure the policy locally by design.

RajnishR · ‎2021-09-17

Thanks,

It worked when I unloaded the default policy and then did the SIC and policy installation from mgmt server.

But as I am trying to access from MGMT server to Remote gateway, I can only route it from local checkpoint mgmt interface but not from the LAN interface.

How can I use checkpoint LAN interface to forward traffic to remote gateway?

This flow works:

MGMT Server >>>> MGMT Interface Checkpoint >>> External Interface Checkpoint >>> Internet >> Remote Checkpoint gateway

But this does not work:

MGMT Server >>>> LAN Interface Checkpoint > XXXXXX>> External Interface Checkpoint >>> Internet >> Remote Checkpoint gateway

I have allowed all kind of traffic but the mgmt traffic coming on LAN interface is dropped and not forwarded to external interface.

Please help me to solve it.

Thanks, Rajnish

the_rock · ‎2021-09-17

I can only speak from my own experience, but whenever I saw issue like this, 100% of the time, it turned out to be the routing problem. Message me privately, lets do remote later if you have time, I can help you out.

Cheers.

RajnishR · ‎2021-09-17

Sure, I disabled the anti spoofing on the eth1 interface to allow traffic from 10.x network where my mgmt server is: but this does not look feasible in production. How can I allow internal traffic from a different subnet (other than its own subnet) in checkpoint.

MGMT server (10.x.x.x) >>> eth1 (192.x.x.x) CP

eth7 (10.x.x.x) CP

Also, with anti spoofing, CP gets traffic and forwards to external interface but while returning, checkpoint kernel forwards the traffic to eth7 instead of eth1 because of same subnet.

how can I control this routing based on a specific source and forward to eth1

Regards

RajnishR · ‎2021-09-17

I managed to get reverse traffic using PBR on a specific interface

But how I can use 2 networks traffic to one LAN interface (internal) with anti spoofing enabled?

10.x.x.x & 192.x.x.x to eth1 of checkpoint with anti spoofing enabled?

PhoneBoy · ‎2021-09-17

You configure the anti-spoofing to allow precisely that configuration?
It's possible you may also need to disable a specific kernel variable: fw_local_interface_anti_spoofing
See item 13 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

the_rock · ‎2021-09-18

Does topology for that interface say "defined by routes" or something different?

Andy

RajnishR · ‎2021-09-19

This is internal interface which get LAN traffic but I want to use this interface to also get mgmt traffic for remote gateways so which mechanism can be applied to this internal interface in order to have 2 specific network traffic allowed with anti spoofing enabled.

Currently this interface leads to "This network (internal)"

R//

Rajnish

RajnishR · ‎2021-09-20

Thanks experts,

It is solved by using network group in specific section under interface topology > override > specific

Regards,

Rajnish

Are you a member of CheckMates?

SIC and Policy installation in remote checkpoint gateway R80.40