I have a security gateway being managed by a SMS over a VPN. I realize this isn't the best solution, but it is a temporary setup.
I've read through all the posts I can find, relating to removing services from implied_rules.def on the Management Server and repushing policy, in order for the traffic to be caught by a regular VPN rule.
Such as:
https://community.checkpoint.com/t5/Management/Exclude-CPM-traffic-from-implied-rules/td-p/3934
So far so good. I am able to manage the gateway, retrieve its topology, push policy and the gateway is even sending logs back to the SMS. I'm now attempting to access the gateway remotely from home via Checkpoint ENDPOINT VPN. It is connecting but failing on "Failure to retrieve CRL". I have narrowed it down to FW1_ICA_Services and I can see on every attempt the gateway attempts to reach the gateway, but the log entry certaintly shows its being picked up by Implied Rules:
As opposed to something like CPD or CPMI currently leveraging the VPN tunnel:
This KB kindly lists the VPN services required:
Great I thought, I must have forgotten to disable something from implied_rules.def. I close down SmartConsole as per the kb, but I already have fw1_ica_services disabled. I made sure to push policy again (to both gateways), but implied_rules are still picking it up. Here's what my implied_rules.def looks like right now:
#define ENABLE_FWD_TOPO
/* #define ENABLE_FWD_SVC */
/* #define ENABLE_CPMI */
/* #define ENABLE_CPD */
/* #define ENABLE_CPD_AMON */
#define ENABLE_FW1_SAM
/* #define ENABLE_FWD_LOG */
#define ENABLE_IKE
#define ENABLE_NATT
#define ENABLE_OFFICE_DHCP
/* #define ENABLE_FW1_ICA_PULL */
/* #define ENABLE_FW1_ICA_PUSH */
/* #define ENABLE_FW1_ICA_SERVICES */
#define ENABLE_CP_RTM
#define ENABLE_CP_REDUNDANT
#define ENABLE_CP_REPORTING
/* disable SC R60 policy server */
/* #define ENABLE_FW1_PSLOGON_NG */
(All of this will be rolled back in a few weeks when I have an inter connect up and working)
Any idea what I could be missing?
Thanks.
Both are 81.10, built off the same ISO even.
I think I see why its happening:
In between the gateway in question and its mgmt server is ANOTHER gateway performing a route based VPN. In other words, the gateway I'm managing remotely isn't the one terminating the Site2Site VPN.
(If you're curious, what I'm doing is bringing in Site B's cluster members into the management plane of Site A, without losing access to Site B. 1 Gateway/Firewall at a time that grabs a secondary WAN IP as I move it. Site2Site remains up to leftover gateway at Site B as I configure the gateway I pull out of Site Bs management plane. Once I'm happy with the policy and that I can access Site B over secondary IP but managed by Site A; I do the remaining gateway. What I'm really doing is mimicking the layer 2 interconnect I'll have in many... many weeks because I'm inpatient and want everything ready) ......anyhow:
What appears is happening is the gateway handling the Site2Site Route Based VPN in between the gateway I'm accessing and the SMS is "choosing" to perform NAT on FW1_ica_services and translating the source to its local VPN-Tunnel Endpoint. Its not doing this with any of the other interesting Checkpoint MGMT traffic (such as CPD).
The other side then rejects this like so:
I just tried making a NO NAT rule as well as making sure this intermediate gateway (the one doing the NAT to its VPN Tunnel endpoint) has the implied_rules.def modification, but its still happening like this.
| User | Count |
|---|---|
| 7 | |
| 6 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 2 | |
| 2 |
Tue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasWed 20 Nov 2024 @ 05:00 PM (CET)
Under the Hood: DO NOT Renew your WAF without watching THIS!!Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaSThu 21 Nov 2024 @ 02:00 PM (MST)
Denver North: Infinity External Risk Management and Harmony SaaSTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management Workshop
