dphonovation
Contributor

Unable to exclude FW1_ICA_Services from implied_rules.def


I have a security gateway being managed by a SMS over a VPN. I realize this isn't the best solution, but it is a temporary setup.

I've read through all the posts I can find, relating to removing services from implied_rules.def on the Management Server and repushing policy, in order for the traffic to be caught by a regular VPN rule.

Such as:

https://community.checkpoint.com/t5/Management/Exclude-CPM-traffic-from-implied-rules/td-p/3934

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


So far so good. I am able to manage the gateway, retrieve its topology, push policy and the gateway is even sending logs back to the SMS. I'm now attempting to access the gateway remotely from home via Checkpoint ENDPOINT VPN. It is connecting but failing on "Failure to retrieve CRL". I have narrowed it down to FW1_ICA_Services and I can see on every attempt the gateway attempts to reach the gateway, but the log entry certainly shows it's being picked up by Implied Rules:

As opposed to something like CPD or CPMI currently leveraging the VPN tunnel:

[screenshot: dphonovation_2-1665172014397.png]

This KB kindly lists the VPN services required:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Great, I thought, I must have forgotten to disable something from implied_rules.def. I close down SmartConsole as per the KB, but I already have fw1_ica_services disabled. I made sure to push policy again (to both gateways), but implied_rules are still picking it up. Here's what my implied_rules.def looks like right now:

#define ENABLE_FWD_TOPO
/* #define ENABLE_FWD_SVC */
/* #define ENABLE_CPMI */
/* #define ENABLE_CPD */
/* #define ENABLE_CPD_AMON */
#define ENABLE_FW1_SAM
/* #define ENABLE_FWD_LOG */
#define ENABLE_IKE
#define ENABLE_NATT
#define ENABLE_OFFICE_DHCP
/* #define ENABLE_FW1_ICA_PULL */
/* #define ENABLE_FW1_ICA_PUSH */
/* #define ENABLE_FW1_ICA_SERVICES */
#define ENABLE_CP_RTM
#define ENABLE_CP_REDUNDANT
#define ENABLE_CP_REPORTING
/* disable SC R60 policy server */
/* #define ENABLE_FW1_PSLOGON_NG */

(All of this will be rolled back in a few weeks when I have an interconnect up and working)

Any idea what I could be missing?
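An added check, not code from the original post or from Check Point: a small POSIX shell helper that parses an implied_rules.def and reports which ENABLE_* switches are still active, which are commented out, and whether a given switch is genuinely disabled rather than merely absent. It assumes the "#define ENABLE_X" / "/* #define ENABLE_X */" style shown in the listing above; the sample file it writes is constructed from that listing, and the real path (normally $FWDIR/lib/implied_rules.def on the management server, or the relevant Backward Compatibility copy when gateway and management versions differ) is an assumption you substitute yourself.

```shell
# Added example (not from the original thread): checker for the ENABLE_*
# switches in a Check Point implied_rules.def. Assumes the "#define ENABLE_X"
# (active) and "/* #define ENABLE_X */" (disabled) style quoted in the post.
# Point it at the real file yourself, e.g. "$FWDIR/lib/implied_rules.def"
# (path is an assumption) or the Backward Compatibility copy.

# List active switches, one name per line, sorted.
implied_enabled() {
    grep -E '^[[:space:]]*#define[[:space:]]+ENABLE_[A-Z0-9_]+' "$1" \
      | sed -E 's/^[[:space:]]*#define[[:space:]]+(ENABLE_[A-Z0-9_]+).*/\1/' \
      | sort
}

# List switches that are commented out with /* ... */, sorted.
implied_disabled() {
    grep -E '^[[:space:]]*/\*[[:space:]]*#define[[:space:]]+ENABLE_[A-Z0-9_]+' "$1" \
      | sed -E 's/.*#define[[:space:]]+(ENABLE_[A-Z0-9_]+).*/\1/' \
      | sort
}

# Return 0 if NAME is commented out in FILE, 1 if it is still active, and 2 if
# it does not appear at all (a misspelled switch must not pass as "disabled").
implied_is_disabled() {
    file=$1; name=$2
    if implied_enabled "$file" | grep -qx "$name"; then
        return 1
    elif implied_disabled "$file" | grep -qx "$name"; then
        return 0
    fi
    return 2
}

# Constructed sample reproducing the listing quoted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#define ENABLE_FWD_TOPO
/* #define ENABLE_FWD_SVC */
/* #define ENABLE_CPMI */
/* #define ENABLE_CPD */
/* #define ENABLE_CPD_AMON */
#define ENABLE_FW1_SAM
/* #define ENABLE_FWD_LOG */
#define ENABLE_IKE
#define ENABLE_NATT
#define ENABLE_OFFICE_DHCP
/* #define ENABLE_FW1_ICA_PULL */
/* #define ENABLE_FW1_ICA_PUSH */
/* #define ENABLE_FW1_ICA_SERVICES */
#define ENABLE_CP_RTM
#define ENABLE_CP_REDUNDANT
#define ENABLE_CP_REPORTING
/* disable SC R60 policy server */
/* #define ENABLE_FW1_PSLOGON_NG */
EOF

echo "still active:";  implied_enabled  "$SAMPLE" | sed 's/^/  /'
echo "commented out:"; implied_disabled "$SAMPLE" | sed 's/^/  /'

# ENABLE_NOT_A_REAL_SWITCH is a made-up name to show the "absent" case.
for s in ENABLE_FW1_ICA_SERVICES ENABLE_IKE ENABLE_NOT_A_REAL_SWITCH; do
    rc=0; implied_is_disabled "$SAMPLE" "$s" || rc=$?
    case $rc in
        0) echo "$s: disabled" ;;
        1) echo "$s: still active" ;;
        *) echo "$s: not present in file" ;;
    esac
done
```

Run it once against the management server's copy and once against the Backward Compatibility copy (when versions differ) before re-pushing policy; a switch that reports "not present in file" is the case to look at, since nothing you commented out can have taken effect there.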
PhoneBoy
Admin

What version of management?
What version of gateway?
If they are not the same, you will need to modify the implied_rules.def in the relevant Backward Compatibility directory for this change to take effect.

dphonovation
Contributor

Thanks.

Both are 81.10, built off the same ISO even.

I think I see why it's happening:

In between the gateway in question and its mgmt server is ANOTHER gateway performing a route based VPN. In other words, the gateway I'm managing remotely isn't the one terminating the Site2Site VPN.

(If you're curious, what I'm doing is bringing in Site B's cluster members into the management plane of Site A, without losing access to Site B. 1 Gateway/Firewall at a time that grabs a secondary WAN IP as I move it. Site2Site remains up to the leftover gateway at Site B as I configure the gateway I pull out of Site B's management plane. Once I'm happy with the policy and that I can access Site B over the secondary IP but managed by Site A, I do the remaining gateway. What I'm really doing is mimicking the layer 2 interconnect I'll have in many... many weeks because I'm impatient and want everything ready)   ......anyhow:

What appears to be happening is that the gateway handling the Site2Site Route Based VPN in between the gateway I'm accessing and the SMS is "choosing" to perform NAT on FW1_ica_services and translating the source to its local VPN-Tunnel Endpoint. It's not doing this with any of the other interesting Checkpoint MGMT traffic (such as CPD).

 

The other side then rejects this like so:

 

I just tried making a NO NAT rule as well as making sure this intermediate gateway (the one doing the NAT to its VPN Tunnel endpoint) has the implied_rules.def modification, but it's still happening like this.

dphonovation
Contributor

This worked!!!
