SUPPORT_RINGO_C
Explorer

centrally manage a DAIP gateway

Hello Teams,

My environment:

I have a SmartCenter on R80.10 with a public IP address, and want to centrally manage a NATted 3000 series R80.10 gateway (it is behind a NATting router).

My question:

How should I create the GW object without knowing its IP in advance? And succeed with SIC communication?

Is there any method that suits such cases?

Thanks in advance.

9 Replies
G_W_Albrecht
Legend

You can find all you need in Site to Site VPN Administration Guide R80.10 - first you enable Dynamic Address for the GW object, then establish SIC - SIC is completely NAT tolerant, as the protocol is based on Certificates and SIC names, not on IP addresses. A NAT device between the Security Management Server and Security Gateway will not have any effect on the ability of a Check Point enabled entity to communicate using SIC. Only that a FW in between has to accept the CPD daemon traffic (TCP port 18191). Help in Dashboard says:

Establishing SIC with a Dynamic IP Address Gateway

The following two options become available as a result of selecting Dynamic Address in the Gateways General Properties window.

  • This machine currently uses this IP address enables the establishment of SIC using the IP address that is currently used by the DAIP gateway. Enter this IP address in the space provided.
  • I will enter the IP address and establish trust later enables the postponement of SIC establishment.

Of course it is also possible to establish SIC with the DAIP GW before it is put into production.

CCSE CCTE CCSM SMB Specialist
Stephan_Scholz
Participant

I found that after establishing SIC, we still have a problem for normal management operations (CPD, FW1_log, ICA_services). When using the firewall gateway object in the rule base, it does not match. The gateway is a DAIP gateway, has Dynamic IP set. I have to manually insert a rule on the central firewall to allow the management traffic from the DSL router's public IP. The central firewall protects the SmartCenter server, which is exposed by Automatic NAT.

I also found that this worked in R77.30, but does not work anymore in R80.20.

What are other people's experiences?

0 Kudos
PhoneBoy
Admin

It might be worth a TAC case to investigate this.

How To Open a Case with TAC and/or Account Services

0 Kudos
Stephan_Scholz
Participant

I already have, but no results so far 😞

0 Kudos
PhoneBoy
Admin

Send me the TAC SR in a private message.

0 Kudos
Stephan_Scholz
Participant

Result is that it DOES work in R80.20 🙂 We had a misunderstanding, because we saw hits in a manual firewall rule.

Obviously there is a mechanism of the gateway telling the SmartCenter server about its public IP. It may be that some packets get lost before this information is passed to the SmartCenter server.

I don't know which TCP/UDP port is used for passing this information of public IP address. Does anybody know in which protocol this is embedded?

0 Kudos
G_W_Albrecht
Legend

In sk110216: Security Management Portal (SMP) active ports, we find:

Incoming Ports (from Gateway to the SMP)

  Protocol  Port   Service   Description
  TCP       9282   SWTP_SMS  SMS DDNS requests

Outgoing Ports (from the SMP to the Gateway)

  Protocol  Port   Service   Description
  TCP       18191  CPD       Receive commands from SMP
CCSE CCTE CCSM SMB Specialist
hemh
Participant

I wanted to share my experience with SG3100 gateways in DAIP mode with 80.10.

In the previous version, 77.20, with 1100 edge gateways, we never had a problem with DAIP mode, but since we migrated to 80.10 and replaced the 1100 with 3100, we really had a hard time making it work.

I spent hours on the phone with TAC, and we finally found a recipe.

The trick is to create an address range object to represent the private IP of the gateway WAN interface, which, contrary to the public IP held by the ISP router (which may change), can be statically configured (or statically assigned by the ISP router's DHCP). I will call this object DAIP_GW_WAN_Private.

This object must be allowed in a policy rule to reach the management server (on its private and NATted public IP) on the ports FW1_ica_services, FW1_ica_pull and CPD.

The management server (on its private and NATted public IP) must be allowed in a policy rule to reach DAIP_GW_WAN_Private on port CPD_amon.

For a meshed community, DAIP_GW_WAN_Private must be allowed in a policy rule to reach other gateways on ports IKE and IKE_NAT_TRAVERSAL.

DAIP_GW_WAN_Private must be allowed in a policy rule to talk with the VPN community central gateway on ports IKE and IKE_NAT_TRAVERSAL in both directions.

In our meshed community, we didn't configure permanent tunnels, because the tunnel-test packet doesn't get through, and thus we lost the SmartView Monitor information about tunnels.

Hope this will help.

0 Kudos
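The recipe above expressed as Check Point Management API calls, as an added example that is not code from the thread or from Check Point: daip_recipe builds the add-address-range call and the five access rules from the service names the post lists, and apply_calls posts them to the R80.x Web API. The management server object names, the central gateway name and the access layer name are assumed placeholders, and the rules are assumed to go into the DAIP gateway's own policy.

```python
import json
import urllib.request

# Assumed object names (placeholders, not from the thread): the management server's
# private and NATted public addresses and the VPN community's central gateway.
MGMT_OBJECTS = ["SMS_Private", "SMS_Public_NAT"]
CENTRAL_GW = ["VPN_Central_GW"]
LAYER = "Network"  # assumed name of the access layer in the DAIP gateway's policy


def daip_recipe(private_ip, obj_name="DAIP_GW_WAN_Private", layer=LAYER):
    """Return the ordered (api_command, payload) pairs that implement the recipe."""
    def rule(name, src, dst, services):
        return ("add-access-rule", {"layer": layer, "position": "top", "name": name,
                                    "source": src, "destination": dst,
                                    "service": services, "action": "Accept"})
    # A single-address range stands for the gateway's static private WAN IP.
    calls = [("add-address-range", {"name": obj_name,
                                    "ip-address-first": private_ip,
                                    "ip-address-last": private_ip})]
    # gateway -> management server: certificate/SIC services and CPD
    calls.append(rule("DAIP to SMS", [obj_name], MGMT_OBJECTS,
                      ["FW1_ica_services", "FW1_ica_pull", "CPD"]))
    # management server -> gateway: AMON status polling
    calls.append(rule("SMS to DAIP", MGMT_OBJECTS, [obj_name], ["CPD_amon"]))
    # IKE in both directions with the community's central gateway
    ike = ["IKE", "IKE_NAT_TRAVERSAL"]
    calls.append(rule("DAIP to central IKE", [obj_name], CENTRAL_GW, ike))
    calls.append(rule("central to DAIP IKE", CENTRAL_GW, [obj_name], ike))
    calls.append(("publish", {}))  # nothing takes effect until the session is published
    return calls


def apply_calls(calls, server, sid):
    """POST each call to https://<server>/web_api/<command>; sid is the X-chkp-sid from login."""
    for command, payload in calls:
        req = urllib.request.Request(
            f"https://{server}/web_api/{command}", data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid}, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:  # raises on HTTP errors
            json.load(resp)


if __name__ == "__main__":
    for cmd, body in daip_recipe("192.168.1.4"):  # constructed private WAN address
        print(cmd, json.dumps(body))
```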
LarsG
Participant

Hello Hemh.

I am currently having a similar situation, the DAIP Gateway is a 1450 running embedded Gaia R77.20, Management R80.30 behind R80.10 Gateway Cluster.

Could you maybe tell me why an address range object is needed to represent the private IP of the gateway and not e.g. a dummy host object? Furthermore, this setup does not seem to work for my environment.

I created an address range object for 192.168.1.4 (DAIP_GW_WAN_Private address) and created the rules you described.

The packet is dropped:

;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 <DYNAMIC_ROUTER_IP>:58672 -> <MANAGEMENT_IP>:18191 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "External to Internal" rule <RULENUMBER>;

Best Regards,

Lars

0 Kudos
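A small triage helper for drop lines like the one quoted above, as an added example that is not from the thread or from Check Point: it parses the fw_log_drop_ex message, maps the destination port to the management services named in this thread, and reports whether the dropped source lies inside the range the DAIP_GW_WAN_Private object covers. The sample line and its addresses are constructed.

```python
import ipaddress
import re

# Default TCP ports of the Check Point services named in this thread.
MGMT_PORTS = {18191: "CPD", 18192: "CPD_amon", 18210: "FW1_ica_pull",
              18264: "FW1_ica_services", 257: "FW1_log", 9282: "SWTP_SMS"}

DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>.+?) - on layer "
    r"\"(?P<layer>[^\"]+)\" rule (?P<rule>[^;]+)")

# Constructed sample: router public IP 203.0.113.7, management NAT IP 198.51.100.20.
SAMPLE = (';[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 203.0.113.7:58672 -> '
          '198.51.100.20:18191 dropped by fw_send_log_drop Reason: Rulebase drop - '
          'on layer "External to Internal" rule 12;')


def parse_drop(line):
    """Return the drop's fields as a dict, or None if the line is not a fw_log_drop_ex message."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    d["service"] = MGMT_PORTS.get(d["dport"]) if d["proto"] == 6 else None
    return d


def triage(line, private_range):
    """One-line verdict; private_range is the address covered by DAIP_GW_WAN_Private."""
    d = parse_drop(line)
    if d is None:
        return "not a fw_log_drop_ex line"
    if d["service"] is None:
        return f"drop to {d['dst']}:{d['dport']} is not management traffic"
    net = ipaddress.ip_network(private_range, strict=False)
    if ipaddress.ip_address(d["src"]) in net:
        return f"{d['service']} from private source {d['src']} dropped by rule {d['rule']}: check rule order"
    return (f"{d['service']} from {d['src']} dropped by rule {d['rule']} on layer '{d['layer']}': "
            f"source is outside {private_range}, so an object for the private address cannot match here")


if __name__ == "__main__":
    print(triage(SAMPLE, "192.168.1.4"))
```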
