This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jeanbruno
Participant
‎2021-02-03 12:57 PM

80.30SP and VPN routing

Hi,

 

We are hitting this limitations in Maestro architecture :

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

-------

  • It is not supported to configure a Scalable Platform 40000 / 60000 object or a Maestro Security Group object as a VPN Satellite Gateway if other VPN peers communicate through it.
  • It is not supported to configure Client to Site traffic over the Site-to-Site VPN tunnel with a a Scalable Platform 40000 / 60000 or a Maestro Security Group.

 

-------

We are redirecting the remote access traffic to a site to site VPN.

 

Client VPN <====Remoteaccess===> 80.30SP< ====SITE 2 SITE VPN======> Azure GW <--VNET--> Server

SG don't like and break TCP session. It's not supported  yet, there is an RFE coming.

 

However do you have an idea as a workaroud?

We were thinking NATting the remote access traffic behind a pool before sending it to the VPN ...

Thanks for your help

 

JB

 

 

 

 

 

5 Replies
jeanbruno
Participant
‎2021-02-10 06:39 AM

i got the answer from Check Point, it's not supported on 80.30SP . A hotfix is needed with RFE...

sk147033

Thanks

 

0 Kudos
Peter_Baumann
Contributor
‎2021-02-10 06:43 AM

Hi @jeanbruno 
Very interesting. We also have a customer with a migrated Maestro installation with a setup similar to this you described.
We see packet drops after 50s (TCP End Timer value) on the packets coming from the server back to the client.
You can see it with "g_fw ctl zdebug drop | grep <hidenat-ip-fw>"
Strange is that the drops are intermittent.

Workaround for now is a incoming fw rule which allows any traffic from server to vpn-client.

Do you have the same behavior at your installation?

Thanks,
Peter

0 Kudos
jeanbruno
Participant
‎2021-02-10 06:52 AM
In response to Peter_Baumann

Hi Peter,

What version are you running?

I got bad TCP séquences,first SYN not seen. UDP seemed ok. i didnt do zdebug drop cause TAC confirmed the not supported topology.

Client to Site Traffic over Site to Site VPN Tunnel is supported only in 81.10 according to CP.

0 Kudos
Peter_Baumann
Contributor
‎2021-02-10 07:49 AM
In response to jeanbruno

Hi @jeanbruno 
Customer is using R80.30SP with JHF which exactly I cannot see since I have no access to the fw right now.

0 Kudos
jeanbruno
Participant
‎2021-02-10 07:57 AM
In response to Peter_Baumann

Ok maybe same troubles than us. If you want full VPN support on 80.30SP you need to contact your sales CP and ask for the hotfix though RFE

And it can be installed only on top of Jumbo take 47.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events