This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jon_Dyke
Contributor
‎2019-02-19 12:40 AM

Secondary Management Server over VPN

I have a new secondary management server at a different site and have been asked to try and get it working over the VPN tunnels between sites.  The problem is that the primary mgmt in site 1 and secondary in site 2 do not communicate correctly over the VPN as its my understanding that the control connections between them hit the implied rules first so the traffic does not get encrypted (allow control connection is switched on the Primary). 

Getting them working on sk39740 did not work either and we ended up losing connectivity to the GWs are site 2

Any advice on whether the VPN option is possible and would be welcome.

Thanks

J

0 Kudos
4 Replies
Maarten_Sjouw
Champion
Champion
‎2019-02-19 01:23 AM

When the tunnels are built on Check Point gateways managed by these management servers, this is correct. You cannot run management traffic over a tunnel that is managed by the same management server, think about it, when something fails on that tunnel, how will you be able to correct it?

For Management HA the ports used could be excluded from the Implied rules but the point is that 2 of these ports are also used in the communication between management and gateway. 

The ports are 18221, 18211 and 18192 and the latter 2 are also used between GW and management.

Regards, Maarten
0 Kudos
Jon_Dyke
Contributor
‎2019-02-19 01:55 AM

Probably helps if I explain a bit more.  We have 3 sites with 2 GW's in each.  There is a mesh VPN between them.  Up to now we have had 1 mgmt server at 1 site but have now purchased a secondary mgmt server (to run in HA) for BCP purposes.  The secondary is there for BCP only - we would only ever use it if we lost the primary site and needed to push policy to Site2 and Site3 (our production and DR site).

I understand its best practice to do this using sk39740 - but was curious if this was achievable - it seems it would be very tricky if the same ports are used for mgmt and GW.

We will take another look at sk39740 - but to be honest this was not proving easy either but  we will persist with this  approach.

Thanks

J

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-19 02:16 AM
In response to Jon_Dyke

If there is a possibility to use NAT for the 2 servers and forget the VPN, I would go that way, the point there is that the traffic is already encrypted.

Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-22 10:51 AM

You don't want to go there.

https://community.checkpoint.com/thread/6209-managing-a-gateway-over-vpn 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events