This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sahiln
Explorer
‎2019-05-07 11:49 PM

CPD Traffic dropped from GW-2 to GW-1 in VMware

Below is my configuration of my lab :-

1. Mgmt PC - 172.16.31.22 (Vmnet 1) 

2. Mgmt Server - 172.16.31.110 (Vmnet 1)

3. GW-1 - 172.16.31.1 (Vmnet 1) --------------------Internal network

4. GW-1 - 192.168.1.251 ( Bridged to WIFI network) ----------------outside network || Also enabled NAT on this interface. Nat IP - 192.168.1.251

5. GW-2 - 192.168.1.250  ( Bridged to WIFI network) ----------------outside network

--------------------------------------------------------------------------------------------------------

Default gateway of Mgmt PC and Mgmt Server is the IP address of GW-1  (172.16.31.1)

Policies installed : -

1. Mgmt Pc - GW-1 and GW-2 --------------Accept the traffic of https/http/icmp/dns.

2. Mgmt Server - GW-2 ------------------Accept all the traffic.

 

Now, when I add the gateway in Mgmt server, the status will turn into Green, but when I install the above policies - I got the message that connection is lost with GW-2 and when I checked the logs, it said that CPD traffic drop from GW-2 to GW-1 (port 18191).

 

Please provide the solution of my query.

 

 

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2019-05-08 05:42 PM

The Management Server traffic heading to GW2 is being NATted behind GW1.
Since GW2 doesn't see this as being from the management, it's dropping the relevant traffic.

Generally speaking, there should be bidirectional connectivity between management server and gateway.
Allocate an address for the management server on 192.168.1.x, configure that on the NAT tab of the management server, and push policy to both gateways.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-05-09 03:41 AM
In response to PhoneBoy

Add a No-NAT rule above your hide NAT for Mgmt to GW2.
Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-09 06:38 AM
In response to Maarten_Sjouw

That assumes routes are in place to route back to the management from GW2 😬
0 Kudos
VictorSingh28
Explorer
‎2022-12-20 06:06 AM
In response to PhoneBoy

Dear Team, Good Evening,

This is Victor here and I am new to this community. Even I am also facing the same issue for same scenario and setup on Vmware. I have two sites setup namely HQ and Branch. From a PC on HQ site I am trying to do an HTTPS connection for the Branch Firewall which is not working. I have configured Hide NAT for the HQ network , HTTPS service rule is also configured. Traffic for rule is also accepted but when I am checking the logs I can see The HQ FW is dropping the CPD 18191 traffic from the Branch FW to HQ FW due to the CleanUp rule but the Branch FW is accepting the same traffic due to the Implied rule.

FYI: Both sites are UP and running, no connectivity issues yet. 

Kindly help or suggest if I am missing something or have wrongly configured things.

Kindly see the attachment pic for clarity of the issue.

Thanks.

Preview file
3219 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-20 06:03 PM
In response to VictorSingh28

NAT for management is generally recommended with Static NAT (not HIDE NAT).
It’s possible you will need an explicit rule to permit this communication.

0 Kudos
VictorSingh28
Explorer
‎2023-01-15 06:13 AM
In response to PhoneBoy

Thanks a lot for the help, noted your point, will implement as suggested.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events