
centrally manage a DAIP gateway

Hello Teams,

My environment:

I have a SmartCenter on R80.10 with a public IP address, and want to centrally manage a NATed 3000 series R80.10 gateway (it is behind a NATing device/router).

My question:

How should I create the gateway object without knowing its IP in advance, and succeed in establishing SIC communication?

Is there any method that suits such cases?

Thanks in advance.

7 Replies

Re: centrally manage a DAIP gateway

You can find all you need in the Site to Site VPN Administration Guide R80.10: first you enable Dynamic Address for the GW object, then establish SIC. SIC is completely NAT tolerant, as the protocol is based on certificates and SIC names, not on IP addresses. A NAT device between the Security Management Server and Security Gateway will not have any effect on the ability of a Check Point enabled entity to communicate using SIC. Only a FW in between has to accept the CPD daemon traffic (TCP port 18191). Help in Dashboard says:

Establishing SIC with a Dynamic IP Address Gateway

The following two options become available as a result of selecting Dynamic Address in the Gateway's General Properties window.

  • This machine currently uses this IP address enables the establishment of SIC using the IP address that is currently used by the DAIP gateway. Enter this IP address in the space provided.
  • I will enter the IP address and establish trust later enables the postponement of SIC establishment.

Of course it is also possible to establish SIC with the DAIP GW before it is put into production.

Re: centrally manage a DAIP gateway

I found that after establishing SIC, we still have a problem for normal management operations (CPD, FW1_log, ICA_services). When using the firewall gateway object in the rule base, it does not match. The gateway is a DAIP gateway, has Dynamic IP set. I have to manually insert a rule on the central firewall to allow the management traffic from the DSL router's public IP. The central firewall protects the SmartCenter server, which is exposed by Automatic NAT.

I also found that this worked in R77.30, but does not work anymore in R80.20.

What are other people's experiences?


Re: centrally manage a DAIP gateway

It might be worth a TAC case to investigate this.

How To Open a Case with TAC and/or Account Services


Re: centrally manage a DAIP gateway

I already have, but no results so far 😞


Re: centrally manage a DAIP gateway

Send me the TAC SR in a private message.


Re: centrally manage a DAIP gateway

Result is that it DOES work in R80.20 🙂 We had a misunderstanding, because we saw hits in a manual firewall rule.

Obviously there is a mechanism by which the gateway tells the SmartCenter server about its public IP. It may be that some packets get lost before this information is passed to the SmartCenter server.

I don't know which TCP/UDP port is used for passing this information about the public IP address. Does anybody know in which protocol this is embedded?


Re: centrally manage a DAIP gateway

In sk110216: Security Management Portal (SMP) active ports, we find:

Incoming Ports (from Gateway to the SMP)

Protocol / Port: TCP 9282 | Service: SWTP_SMS | Description: SMS DDNS requests

Outgoing Ports (from the SMP to the Gateway)

Protocol / Port: TCP 18191 | Service: CPD | Description: Receive commands from SMP