Managing Firewall through IPSEC VPN Tunnel

mikehinnenkamp · ‎2023-11-08

Hello,

We have a situation internally I could use help with. We are an energy company, and use private APNs for a lot of our substation and field device connections. We are in the process of moving our Checkpoint firewalls over to these APNs, but have management and traffic issues. Basically we need to manage them through the APN's site to site vpn tunnel with the 3rd party.

I have reviewed some other posts on this, but they dont seem to fit exactly. For example https://community.checkpoint.com/t5/General-Topics/Manage-firewalls-via-IPSec-VPN-tunnel/td-p/53075

and https://support.checkpoint.com/results/sk/sk104582

We need to keep our existing connections working, which are through an APN, but via a 3rd party cisco router (we are trying to migrate from). From what I am reading, if we disable the CPMI in implied rules, it might break a lot of our other locations. We are trying to use site-to-site checkpoint VPNs as well over this APN connection. Is there some way TAC can change the implied rules to allow encryption of that traffic? The option to move the CMPI and many others 'Before Last' is greyed out, which seems like exactly what we want.

Anyone else doing this? I have a case with Diamond started but it hasnt gotten far.

PhoneBoy · ‎2023-11-08

What is terminating the Site-to-Site tunnels here?
A high-level diagram would be exceptionally helpful here.

Note that in general, we do not recommend disabling the Implied Rules that keep SIC traffic outside of the VPN.
And they can only be disabled globally (i.e. no exceptions for specific firewalls/paths).
That means explicit rules will need to be created for every managed gateway.

mikehinnenkamp · ‎2023-11-08

The Checkpoint on our perimeter is terminating the VPNs. We use VTI interfaces and then BGP exchange for route based VPNs. The carrier side of the APN is a Cisco router. Here is an overview:

I am trying to get this to work without getting a set of Cisco routers to do the VTI... I did see a setting in the impliedrules.def, nobody seems to know what its for though:

#ifndef MANAGEMENT_OVER_VPN
#define IS_NOT_MANAGED_OVER_VPN 1
#else
#define IS_NOT_MANAGED_OVER_VPN 0
#endif

If you could somehow add a rule in the implied rules to either encrypt or apply after the rest of the rules (like other parts of implied) that would work no problem. But from who i've talked to that doesnt seem to be the case.

PhoneBoy · ‎2023-11-08

I have never seen that particular macro before.
As noted previously, Implied Rules cannot be modified, only enabled or disabled in the .def files.

the_rock · ‎2023-11-08

You dont need to add anything. All you need to do is backup the file, remove # on line is not managed over vpn =1, install policy.

Andy

mikehinnenkamp · ‎2023-11-08

That seems like an all or nothing, or does that just allow the traffic to be encrypted in the defined rules?

We currently have about 50 checkpoint firewalls, just starting them to move to manage over vpn (this is the ONLY way to use a cell APN i can see for these locations). The rest have their APN go through a 3rd party Cisco device, so CPMI and whatnot are just encrypted. I wish I had a test lab.

I'm surprised this is still something that hasnt been changed considering the release of the 1595RC, seems to be built for this kind of thing, hopefully I can get somewhere with Diamond or R&D.

the_rock · ‎2023-11-08

No one is really fan of changing implied_rules.def file, unless absolutely needed or last resort option. I would verify those settings with support.

Andy

Are you a member of CheckMates?

Managing Firewall through IPSEC VPN Tunnel