Ivory

SMB central management and VPN tunnel

Hi ,

Quick question. In order to make an SMB 1550 firewall "centrally managed", do I have to create a VPN tunnel to the Security Gateway and connect to the Security Management Server through that VPN, or does VPN have nothing to do with this and can I connect directly without a VPN? Thank you for your responses.

0 Kudos
6 Replies

Hi,

You don't need any VPN to connect your Management Server to any Gateway. You just add the new device with its external IP address and initialize SIC as you would with any Gateway.

So you don't need a VPN for the "centrally managed" Gateway.

0 Kudos
Ivory

Thanks for reply,

I asked this question because I am struggling with adding a 1550 to an Open Server SMS that is placed behind an Open Server Gateway. Half of my lab is on ESXi; the only "live" device is the 1550. I am getting the message shown on the screenshot in the attachment, but sometimes I am able to get policies, and in the SMS dashboard the 1550 is "green" and fully visible. I tried many things, unfortunately all failed:

https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I can't figure out what the reason is.

0 Kudos
Sapphire

I have the identical setup and had no issues: I could establish SIC, the SMS receives logs, and policy pull from the SMB works too. The SMS has a static NAT IP (x.y.z.198 behind GW x.y.z.190); I would suggest configuring it like that.

I can see no screenshot, but I would consult the logs first.

0 Kudos
Ivory

I have no idea why the attachment is being scanned all the time; anyway, I see this message:

Security Management Server

Unreachable: Security Management server cannot be reached

Security Policy

Policy Name: Standard
  • Last policy installation failed: Warning: Attempted to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.

NAT works fine, the 1550 can ping the SMS and vice versa; what can be wrong?

0 Kudos
Sapphire

If you configured it following sk66381, all should work! Troubleshooting would start with checking $FWDIR/conf/masters on the SMB, then checking whether the files custom_logserver_ip and custom_mgmt_ip exist in /opt/fw1/conf, and which IP address is configured in them.

0 Kudos
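A small diagnostic for the files the reply above says to inspect. This is an added example, not code from the thread or from Check Point: it assumes the masters file uses [Policy]/[Log]/[Alert] section headers each followed by the management object name, and that custom_mgmt_ip and custom_logserver_ip each hold a single IPv4 address. The sample files it writes (using documentation addresses 203.0.113.x) are constructed for the demo; the deliberately wrong custom_logserver_ip mirrors the kind of mismatch that makes the SMB fetch from an address other than the one it took the certificate from.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point. Assumptions: masters has
# [Policy]/[Log]/[Alert] sections listing the management object name; the
# custom_*_ip override files each contain one IPv4 address.

# masters_entries FILE SECTION: print the entries listed under [SECTION].
masters_entries() {
    awk -v want="[$2]" '
        /^\[/ { insec = ($0 == want); next }
        insec && NF { print $1 }
    ' "$1"
}

# is_ipv4 STRING: succeed only for a dotted quad with octets in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# check_mgmt_files CONF_DIR EXPECTED_IP: verify both override files exist,
# hold a valid IPv4 address, and that it equals EXPECTED_IP (the NATed address
# of the SMS that the SMB must reach). Prints one line per file; returns 1 on
# any problem so it can drive a script.
check_mgmt_files() {
    dir=$1; expected=$2; rc=0
    for f in custom_mgmt_ip custom_logserver_ip; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING:  $path"; rc=1; continue
        fi
        ip=$(tr -d ' \t\r\n' < "$path")
        if ! is_ipv4 "$ip"; then
            echo "INVALID:  $path contains '$ip'"; rc=1
        elif [ "$ip" != "$expected" ]; then
            echo "MISMATCH: $path has $ip, expected $expected"; rc=1
        else
            echo "OK:       $path -> $ip"
        fi
    done
    return $rc
}

# demo: constructed sample files, including one deliberate error
# (custom_logserver_ip points at the gateway's address, not the SMS NAT IP).
demo() {
    tmp=$(mktemp -d)
    printf '[Policy]\nCHeckpoint_MGMT\n[Log]\nCHeckpoint_MGMT\n[Alert]\nCHeckpoint_MGMT\n' > "$tmp/masters"
    echo 203.0.113.198 > "$tmp/custom_mgmt_ip"
    echo 203.0.113.190 > "$tmp/custom_logserver_ip"
    echo "Policy master(s): $(masters_entries "$tmp/masters" Policy)"
    echo "Log master(s):    $(masters_entries "$tmp/masters" Log)"
    if check_mgmt_files "$tmp" 203.0.113.198; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo || echo "problems found in management override files"
```

On a real appliance you would point check_mgmt_files at /opt/fw1/conf and pass the NATed SMS address that the management object carries in SmartDashboard; masters_entries on $FWDIR/conf/masters shows which object name the SMB resolves for policy, logs and alerts.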
Ivory

Hmmm, in $FWDIR/conf/masters on the SMB I see Policy, Log and Alert "CHeckpoint_MGMT" (the name from the management dashboard). Should I replace them with the NATed IP address of the SMS?

0 Kudos