What is the complete definition of the object "Internet" in SmartConsole?
As I already found, it should include traffic which is going through an interface which is marked as external.
Now my problem:
We have a VPN to a customer.
The website of the customer is hosted on the same IP as the peer for the VPN.
Somehow the rule for Internet access is now not used and the traffic gets blocked in the cleanup rule.
So now my question:
What is really included in the object "Internet"?
Or am I forced to use !RFC1918 to simply include every IP except private?
Hi,
Trying to understand your issue. You have an S2S VPN with a remote peer (one of your customers). This customer is also hosting their web site on the same IP used for the VPN. And you can't reach their web site anymore from the internal network.
So CustomerIP = IP registered in the S2S VPN = IP of their web site.
S2S VPN: working fine.
HTTP (or HTTPS) to CustomerIP from your internal network doesn't work.
Right?
Thanks,
Have you already handled sk108600 scenario 3?
"Internet" means traffic routed through the external interface that doesn't go through a VPN.
Gateway IP is always included in the encryption domain by default unless it's disabled (sk108600 option 3), which is probably why it is getting handled via a different rule.
Thanks for the fast reply.
So if I understood correctly, I have the following options to solve this.
1. sk108600 scenario 3 --> edit "crypt.def"
2. Use of a normal network group like !RFC1918, which shouldn't care if it's also a peer IP or not.
Both should work if I get it right?
The only way to prevent the gateway from including its own IP in the encryption domain is editing crypt.def OR, if this is an option (believe this is only possible on R81.20):
Not sure what you mean by your second point.
However, it would help tremendously if you could show what rules are matching (what you expect versus what actually is).
Phoneboy explained it perfectly.