Re: Managing a DC-Cluster on a Remote Site

bernhard_m · ‎2021-12-10

We have the following requirement:

SMS --- HQ-Cluster --- <<S2S VPN / INET>> --- SITE-Cluster -- SITE-DC-Cluster

How can I establish SIC between the SMS and the SITE-DC-Cluster?

My prefered option would be to manage the SITE-DC-Cluster through the VPN Tunnel using the private IPs of SMS and SITE-DC-Cluster-Members. Unfortunately Control Traffic does not go through the VPN Tunnel.

Is there a possibility to exclude only control traffic to specific gateways from Implied Rules?

We also have enough Public IPs on the Remote Site available if someone has an idea how to manage the SITE-DC-Clusters via static NAT on the SITE-Cluster.

tia, Bernhard

PhoneBoy · ‎2021-12-13

There are very good reasons why we don't push SIC traffic through VPN by default.
For more discussion on this topic, see the following two threads:

I presume with appropriate hacks to implied_rules.def, you could make this work.
However, it is not recommended.

bernhard_m · ‎2021-12-14

If it is not recommended to manage internal lan firewalls over the vpn tunnel, how does Check Point recommend to manage these kind of gateways?
I'd be happy about ANY working solution. Currently I have none 😞

PhoneBoy · ‎2021-12-14

First of all SIC and the relevant protocols are secured, so there should be no issue communicating over an untrusted network.
A static NAT might be necessary here, but it might be that...you really do need to allow SIC over VPN.
I suggest working with TAC on this.

Are you a member of CheckMates?

Managing a DC-Cluster on a Remote Site