Gusa2727
Contributor

Simple question about excluding an address in VPN domains

Hi, I have a simple question but I just need to confirm how this works. I need to exclude another destination IP in the VPN domains but I am not completely sure about how to do it. Currently I have this configuration:


#ifndef NON_VPN_TRAFFIC_RULES

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=X.X.X.X,dport=80)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

#endif


I need to add a new destination and port, and not totally sure if I should do it in this way:


#ifndef NON_VPN_TRAFFIC_RULES

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=X.X.X.X,dport=80)
#else
#define NON_VPN_TRAFFIC_RULES (dst=Y.Y.Y.Y,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

#endif


Can you please confirm if this is the best way to do it or should I do it in a different way? Thanks.


5 Replies
PhoneBoy
Admin
Admin
You should have one line defining NON_VPN_TRAFFIC_RULES.
You probably want something like:

#define NON_VPN_TRAFFIC_RULES ((dst=X.X.X.X,dport=80) OR (dst=y.y.y.y,dport=25))
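As an added illustration of why the two-`#else` variant in the question is rejected (this is an example checker written for this thread, not code from the original post or from Check Point): a small preprocessor-nesting check that flags a second `#else` in one block and a second `#define` of `NON_VPN_TRAFFIC_RULES` inside the same branch. The input is a constructed copy of the question's second fragment; the checker only inspects directive structure and does not parse INSPECT expressions.

```python
# Constructed sample: the second variant proposed in the question, which has two
# "#else" lines inside one "#ifndef IPV6_FLAVOR" block and defines the macro twice.
BROKEN_DEF = """\
#ifndef NON_VPN_TRAFFIC_RULES
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (dst=X.X.X.X,dport=80)
#else
#define NON_VPN_TRAFFIC_RULES (dst=Y.Y.Y.Y,dport=25)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
#endif
"""


def check_macro_block(text, macro="NON_VPN_TRAFFIC_RULES"):
    """List nesting errors and duplicate per-branch definitions of `macro`."""
    problems = []
    stack = []  # one [saw_else, defines_in_branch] entry per open #if*
    top = [False, 0]  # bookkeeping for #define lines outside any conditional
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or not words[0].startswith("#"):
            continue
        tok, cur = words[0], (stack[-1] if stack else top)
        if tok in ("#if", "#ifdef", "#ifndef"):
            stack.append([False, 0])
        elif tok == "#else":
            if not stack:
                problems.append(f"line {lineno}: #else without #if")
            elif cur[0]:
                problems.append(f"line {lineno}: second #else in the same block")
            else:
                cur[0], cur[1] = True, 0  # new branch: no defines seen yet
        elif tok == "#endif":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {lineno}: #endif without #if")
        elif tok == "#define" and words[1:2] == [macro]:
            cur[1] += 1
            if cur[1] > 1:
                problems.append(f"line {lineno}: {macro} defined twice in one branch")
    if stack:
        problems.append(f"{len(stack)} #if block(s) not closed with #endif")
    return problems
```

Running `check_macro_block(BROKEN_DEF)` reports the stray second `#else` and the duplicate definition; the single-`#define` form from the answer above passes cleanly.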
Gusa2727
Contributor

Yes, thank you. I did it in this way some days ago and it worked well. On the other hand, is there a way to exclude ICMP traffic? I tried something like this and it does not work:

#define NON_VPN_TRAFFIC_RULES (dst=X.X.X.X,prot=1)

Thanks!

PhoneBoy
Admin
Admin
It's not prot, it's ip_p.
The language used in this is INSPECT, which used to be documented way back in FireWall-1 3.0.
Yes, I've been doing this...longer than that.
PhoneBoy
Admin
Admin
See also the "fw monitor" expressions here if you want to get even more detailed.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Gusa2727
Contributor

Thanks a lot for all the help!
