Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
bernhard_m
Collaborator

Managing a DC-Cluster on a Remote Site

We have the following requirement:

SMS --- HQ-Cluster --- <<S2S VPN / INET>> --- SITE-Cluster -- SITE-DC-Cluster

How can I establish SIC between the SMS and the SITE-DC-Cluster?

My prefered option would be to manage the SITE-DC-Cluster through the VPN Tunnel using the private IPs of SMS and SITE-DC-Cluster-Members. Unfortunately Control Traffic does not go through the VPN Tunnel.

Is there a possibility to exclude only control traffic to specific gateways from Implied Rules?

We also have enough Public IPs on the Remote Site available if someone has an idea how to manage the SITE-DC-Clusters via static NAT on the SITE-Cluster.

tia, Bernhard

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

There are very good reasons why we don't push SIC traffic through VPN by default.
For more discussion on this topic, see the following two threads:

I presume with appropriate hacks to implied_rules.def, you could make this work.
However, it is not recommended.

0 Kudos
bernhard_m
Collaborator

If it is not recommended to manage internal lan firewalls over the vpn tunnel, how does Check Point recommend to manage these kind of gateways?
I'd be happy about ANY working solution. Currently I have none 😞

0 Kudos
PhoneBoy
Admin
Admin

First of all SIC and the relevant protocols are secured, so there should be no issue communicating over an untrusted network.
A static NAT might be necessary here, but it might be that...you really do need to allow SIC over VPN.
I suggest working with TAC on this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events