This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matthew_Do
Contributor
‎2018-10-06 03:54 PM

Manage remote gateway behind a local GWY

Policy can be successfully installed on the remote gateway (Br-FW2) from SmartDashboard PC in the local network behind another gateway (HQ-FW1).

However, ssh and https from SmartDashboard PC to remote gateway (Br-FW2) fails, although policy rule 1 allows these traffic.

SmartDashboard PC is in subnet 172.16.0.0/24 which is hidden behind its default GWY HQ-FW1 (external IP 10.0.0.111)

Can someone see what's wrong?

;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.0.111:10182 -> 10.0.0.112:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "FW2a Network" rule 2;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.0.0.111:10182 -> 10.0.0.112:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "FW2a Network" rule 2;
;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.0.111:10182 -> 10.0.0.112:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "FW2a Network" rule 2;

0 Kudos
3 Replies
Danny
Champion Champion
Champion
‎2018-10-06 04:27 PM

The rule in your screen shot is for the policy installation target Br-FW2 only. As there is a rulebase drop on rule #2 I recommend you to add HQ-FW1 as policy installation target to that rule as well. If HQ-FW1 has it's own security policy, make sure to allow the access there.

Matthew_Do
Contributor
‎2018-10-10 06:50 PM
In response to Danny

SmartConsole is hidden behinds HQ-FW1, when it tried https to Br-FW2, it was seen at Br-FW2 as HQ-FW1 (external IP) and was rejected.

Adding HQ-FW1 to the list of allowed host resolves the issue. I can manage remote Br-FW2 from SmartConsole PC.

0 Kudos
Aidan_Luby1
Participant
‎2018-10-11 06:19 AM
In response to Matthew_Do

That makes sense because from Br-FW2 the source it sees is the Natted Public IP of HQ-FW1, not the internal IP of your pc. I believe you could even be more specific by making a Network Host Object for your HQ-FW1 external IP (or range of IP's if you have multiple nat IP's) and setting that as your source, with the destination being another host object for the external IP of Br-FW2 (or again a network/IP Range object if you have multiple external IP's). 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events