This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bernhard_m
Collaborator
‎2021-12-10 04:05 PM

Managing a DC-Cluster on a Remote Site

We have the following requirement:

SMS --- HQ-Cluster --- <<S2S VPN / INET>> --- SITE-Cluster -- SITE-DC-Cluster

How can I establish SIC between the SMS and the SITE-DC-Cluster?

My prefered option would be to manage the SITE-DC-Cluster through the VPN Tunnel using the private IPs of SMS and SITE-DC-Cluster-Members. Unfortunately Control Traffic does not go through the VPN Tunnel.

Is there a possibility to exclude only control traffic to specific gateways from Implied Rules?

We also have enough Public IPs on the Remote Site available if someone has an idea how to manage the SITE-DC-Clusters via static NAT on the SITE-Cluster.

tia, Bernhard

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-12-13 08:55 AM

There are very good reasons why we don't push SIC traffic through VPN by default.
For more discussion on this topic, see the following two threads:

I presume with appropriate hacks to implied_rules.def, you could make this work.
However, it is not recommended.

0 Kudos
bernhard_m
Collaborator
‎2021-12-14 03:23 AM
In response to PhoneBoy

If it is not recommended to manage internal lan firewalls over the vpn tunnel, how does Check Point recommend to manage these kind of gateways?
I'd be happy about ANY working solution. Currently I have none 😞

0 Kudos
PhoneBoy
Admin
Admin
‎2021-12-14 10:25 PM
In response to bernhard_m

First of all SIC and the relevant protocols are secured, so there should be no issue communicating over an untrusted network.
A static NAT might be necessary here, but it might be that...you really do need to allow SIC over VPN.
I suggest working with TAC on this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events