This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SecurityNed
Contributor
‎2023-09-08 02:14 AM
Jump to solution

Traffic is suddenly encrypted by VPN

Hello Checkpoint Community,

We have this unusual behavior in our client's instance wherein traffic is suddenly encrypted through VPN when it shouldn't. 

Screenshot 2023-09-08 171507.png

We honestly don't know why this happened, as there were no changes performed.  

Does anyone have any experience in this and could give us some insight.

Thanks!

0 Kudos
2 Solutions

Accepted Solutions
Martijn
Advisor
Advisor
‎2023-09-11 07:26 AM
Jump to solution

Hi,

The VPN log mentions tcp-high-ports as the service and the non-VPN log mentions TCP-9001 as the service. Can you check on what rule the VPN is hit? And check on what rule it should hit?

Did you changed 'Match for Any' in the mentioned services so traffic is hitting another rule than expected?

Maybe you can take a look at the Audit log to see what was changed after September 6th.

Regards,
Martijn

View solution in original post

0 Kudos
SecurityNed
Contributor
‎2023-09-12 09:13 PM
In response to the_rock
Jump to solution

I actually found a reason as to why this happened. There's overlapping internal domains in both of my clusters, and unfortunately this traffic is being routed towards the other Firewall (NGFW Pair 1) instead. The correct behavior should be that it's going to be routed to its own Firewall (NGFW Pair 2). This has been now addressed.

Anyways, I created a policy to address this, and everything works smoothly now. I might have created a not-so-specific policy and that's why for some reason it keeps on routing the traffic to NGFW Pair 1.

View solution in original post

13 Replies
PhoneBoy
Admin
Admin
‎2023-09-08 07:28 PM
Jump to solution

Do you have a route-based VPN (with VTIs) configured here?
You'd probably need to dig into the log entries (the full log cards) to see why the rulebase logic changed.

0 Kudos
SecurityNed
Contributor
‎2023-09-11 06:29 AM
In response to PhoneBoy
Jump to solution

When opening the log cards, it just says that it's encrypted. But yeah I do think I have a route-based VPN.  

I do noticed that in the log card, the traffic is routed to an IPsec VPN peer for some reason, which shouldn't be the case since I didn't define any routes that would do such action. 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-11 10:49 AM
In response to SecurityNed
Jump to solution

Is it all static routes or are dynamic routes used?
Either way, it appears that routing changed somewhere.
This would probably require investigation from the TAC: https://help.checkpoint.com

0 Kudos
Martijn
Advisor
Advisor
‎2023-09-11 07:26 AM
Jump to solution

Hi,

The VPN log mentions tcp-high-ports as the service and the non-VPN log mentions TCP-9001 as the service. Can you check on what rule the VPN is hit? And check on what rule it should hit?

Did you changed 'Match for Any' in the mentioned services so traffic is hitting another rule than expected?

Maybe you can take a look at the Audit log to see what was changed after September 6th.

Regards,
Martijn

0 Kudos
SecurityNed
Contributor
‎2023-09-12 02:13 AM
In response to Martijn
Jump to solution

I will check this as soon as I'm on site tomorrow. But I do remember its "Match Any".

There's no changes to the rule as well.

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 07:43 AM
Jump to solution

I see the point @Martijn is making, I would definitely check into that as well.

Andy

0 Kudos
Zolocofxp
Collaborator
‎2023-09-11 04:47 PM
Jump to solution

You can also follow sk25675 and sk98241 to exclude traffic from being encrypted. 

(1)
the_rock
Legend
Legend
‎2023-09-11 05:43 PM
In response to Zolocofxp
Jump to solution

Definitely good SKs.

0 Kudos
SecurityNed
Contributor
‎2023-09-12 02:31 AM
Jump to solution

Hello Everyone,

To add, I just found a blocked rule regarding this which is unusual. It shouldn't be communicating to my other NGFW pair but it seems it is (via VPN)


Untitled.png

I'm currently checking the SKs provided by @Zolocofxp, while checking @Martijn's suggestion

Will update you guys once there's improvements. Thank you so much for the help.

the_rock
Legend
Legend
‎2023-09-12 04:36 AM
In response to SecurityNed
Jump to solution

Yea...so that message packet should not have been decrypted really means it SHOULD have been encrypted, ie firewall "thinks" it should go through VPN.

Andy

SecurityNed
Contributor
‎2023-09-12 09:13 PM
In response to the_rock
Jump to solution

I actually found a reason as to why this happened. There's overlapping internal domains in both of my clusters, and unfortunately this traffic is being routed towards the other Firewall (NGFW Pair 1) instead. The correct behavior should be that it's going to be routed to its own Firewall (NGFW Pair 2). This has been now addressed.

Anyways, I created a policy to address this, and everything works smoothly now. I might have created a not-so-specific policy and that's why for some reason it keeps on routing the traffic to NGFW Pair 1.

the_rock
Legend
Legend
‎2023-09-13 04:26 AM
In response to SecurityNed
Jump to solution

Good job!

0 Kudos
SecurityNed
Contributor
‎2023-09-12 09:15 PM
Jump to solution

Thank you guys, I was able to troubleshoot it with the help of your inputs. Everything's working as intended now.


Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events