Biju_Nair
Contributor

Managing a gateway over VPN

Hi, I have a scenario: my MDS and CMA are in Site A and the CP Gateway is in Site B.

The CP Gateway in B is the perimeter firewall (cluster), and VPN is configured on this gateway to connect from site A to B.

A and B are connected over VPN (Internet). There are multiple VPNs from A to B using multiple ISPs.

As long as the VPNs are up and running, I guess everything is fine.

However, if the primary VPN fails, I wish VPN 2 to come up without intervention.

As per my knowledge, to bring another tunnel up, the CP gateway needs connectivity to the CP-SMS (I guess for the CRL check), which in this scenario won't be possible.

How can I achieve this and still be able to manage the CP gateway in B using the mgmt server in Site A after the primary VPN fails? (I know installing a local SMS in site B is a solution; however, I thought to check if any other option is available.)

MGMT is MDS(80.10)

SG is R77.30

Regards,

Biju

Accepted Solution
PhoneBoy
Admin

Normally management traffic is excluded from being sent through the VPN precisely for this reason.
For more discussion on this topic, see the following two threads:


8 Replies
Vladimir
Champion

How is the gateway in site B defined in the SMS?

Biju_Nair
Contributor

It's defined as a gateway and installed as a perimeter firewall.

Regards,

Biju Nair

Vladimir
Champion

That much is clear, but what IP address is assigned to the cluster object?

Is it external IP that belongs to one of the ISPs in site B or is it a private IP from one of the site B ranges?

Is this cluster connected to multiple ISPs directly or are there perimeter routers with BGP handling ISP redundancy?

If each cluster member connected to one of the ISPs, are the external interfaces configured as non-clustered/monitored?

Or do you have both ISPs connected to each cluster member and have those configured for ISP redundancy?

Biju_Nair
Contributor

Two VLAN interfaces (external) are configured under a physical interface, with two different public IPs on each cluster member, and both are clustered with a cluster IP.

Regards,

Biju Nair


Vladimir
Champion

Please read the:

ISP Redundancy Script and Additional VPN Considerations in:

http://dl3.checkpoint.com/paid/ac/ac9831a11ff7dab4ccaac18dc9de9776/How_To_Configure_ISP_Redundancy.p... 

One more thing to consider is the IP assigned to the Cluster Object in its "General" properties:

If it is an IP that belongs to one of the ISPs and you do not have BGP AS advertisements configured for that range, then the cluster cannot be reached by the SMS in case this ISP connection fails.

If you have it configured with an RFC1918 IP, then theoretically your VPN could be re-established and you should be able to maintain the management capabilities.

Note that in this case, the route for this IP should be added to the gateway on SMS site pointing to your perimeter routers to be perceived as external.

This being said, as Dameon pointed out, management over VPN is not recommended.

Nithya_Shivanan
Explorer

I need to onboard the site B security HA cluster VPN gateway, which was earlier managed by a local CMA, to the Site A MDS-CMA. The VPN terminates on the same device via a public IP; management access is via another interface with a private IP. Please advise, Vladimir Yakovlev.

Vladimir
Champion

Not sure if I am getting a clear picture without desired state topology diagram.

That being said, if I understand it correctly:

1. Your Site B cluster was previously managed via private IP

2. It now must be managed by the management server located at the same site via this private IP

3. You now are shifting management function to the site A MDS

4. There is a VPN present between Site A and Site B gateways or clusters

5. Both site's gateways or clusters will be managed by the same MDS and, possibly same CMA

The best approach, IMHO, will be to change the management IP of the HA cluster and its members in site B to its public VIP.

Note that this will necessitate re-establishing SIC with the gateways.

So long as your Encryption Domain in Site B is properly defined and DOES NOT include the cluster's public IP, the management traffic between the CMA in Site A and the Cluster in Site B will not go over the VPN but will be secured by SIC.
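
The two points Vladimir makes (the cluster object's IP and the encryption domain not containing the management address) can be checked before you cut over. The script below is an added example written for this thread, not Check Point code: it takes the site A and site B encryption domains, the management IP of the site B cluster object, and the public ranges each ISP delegates to site B, and reports whether SMS-to-gateway traffic would match the site-to-site tunnel plus the reachability caveats that apply. All addresses, domain definitions and ISP ranges in it are constructed; the port numbers are Check Point's well-known management/SIC defaults.

```python
"""Added example, not Check Point code: check whether SMS<->gateway management
traffic would be caught by the A<->B site-to-site VPN, and flag the reachability
caveats raised in the thread. All addresses and domains below are constructed."""
import ipaddress

# Well-known Check Point management/SIC services that must still reach the
# gateway when the VPN is down (default ports).
MGMT_SERVICES = {257: "FW1_log", 18191: "CPD", 18192: "CPD_amon",
                 18210: "FW1_ica_pull", 18211: "FW1_ica_push",
                 18264: "FW1_ica_services"}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_domain(ip, domain):
    """True if ip lies inside any network of an encryption domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in domain)


def is_rfc1918(ip):
    """Explicit RFC1918 test (ipaddress.is_private also matches TEST-NET ranges)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def assess(sms_ip, gw_mgmt_ip, site_a_domain, site_b_domain, isp_ranges):
    """Classify the management path and list the caveats that apply.

    Returns (path, findings). path is "vpn" when both endpoints sit inside
    the two encryption domains (so the community rule encrypts the traffic)
    and "clear" when it stays outside the tunnel, protected by SIC only.
    isp_ranges maps an ISP name to the public prefix it gives site B.
    """
    findings = []
    path = ("vpn" if in_domain(sms_ip, site_a_domain)
            and in_domain(gw_mgmt_ip, site_b_domain) else "clear")
    if path == "vpn":
        findings.append("management inside VPN: if the tunnel drops, the SMS "
                        "cannot reach the gateway to help bring it back")
    if is_rfc1918(gw_mgmt_ip):
        findings.append("RFC1918 management IP: site A gateway needs a route "
                        "for it via the perimeter router so it is seen as external")
    else:
        gw = ipaddress.ip_address(gw_mgmt_ip)
        owner = next((isp for isp, rng in isp_ranges.items()
                      if gw in ipaddress.ip_network(rng, strict=False)), None)
        if owner is not None:
            findings.append(f"management IP is in {owner}'s range: unreachable "
                            "if that link fails unless the range is also "
                            "advertised (BGP) over the other ISP")
    return path, findings


# Constructed scenario mirroring the thread: MDS/CMA in site A, cluster in B,
# two ISPs at site B, domains defined as plain RFC1918 summaries.
SMS_IP = "10.1.0.10"
SITE_A_DOMAIN = ["10.1.0.0/16"]
SITE_B_DOMAIN = ["10.2.0.0/16"]
ISPS = {"ISP1": "198.51.100.0/24", "ISP2": "203.0.113.0/24"}

if __name__ == "__main__":
    cases = {
        "cluster object = private IP inside domain B": "10.2.0.1",
        "cluster object = public VIP (ISP1)": "198.51.100.10",
    }
    for label, ip in cases.items():
        path, notes = assess(SMS_IP, ip, SITE_A_DOMAIN, SITE_B_DOMAIN, ISPS)
        print(f"{label}: path={path}")
        for note in notes:
            print("  -", note)
    # Same private IP, but domain B carved so the management address is excluded.
    path, notes = assess(SMS_IP, "10.2.0.1", SITE_A_DOMAIN, ["10.2.1.0/24"], ISPS)
    print(f"private IP excluded from domain B: path={path}; {len(notes)} note(s)")
    print("keep these SMS<->gateway services outside the tunnel:",
          ", ".join(f"{p}/{n}" for p, n in MGMT_SERVICES.items()))
```

The first case is the situation the original question describes: a private cluster address inside site B's domain, so policy install, CRL fetch and log traffic all ride the tunnel they are supposed to help restore. The second case is the layout recommended in the last reply; it keeps management in the clear (SIC-protected) but ties reachability to one ISP's prefix. The third case shows that a private management address works too, provided the domain definition excludes it and site A routes it as an external destination.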
