This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Collaborator
‎2022-09-06 02:39 PM

management server in VPN domain

I've bumped into an unintended consequence of a circuit migration.

Previous config was 8 sites connected privately via MPLS.  We moved off MPLS onto dedicated internet circuits, and created one VPN community with all sites.  For the encryption domain at the location where management is, rather than selecting the whole subnet, i added the objects individually, but didn't add the management server for the obvious reason that i didn't want a VPN failure to prevent management from communicating w the gateways.  Management reaches all gateways via their public IP.  And management is publicly addressed.

I realize now that i need management to communicate with some inside resources for AD related items.  So, what would be the best way to handle?

Is there a way to supercede with a rule that says management <-> gateways don't tunnel?

Maybe drop the management server into the encrypt domain but exclude all services that management which looks like at least: tcp/18191, tcp/18264, tcp/18192

Open to all ideas,or maybe (likely) i'm missing the obvious answer.  Don't think it matters for this, but all versions are r81.10, latest GA HFA

thanks

 

0 Kudos
1 Reply
the_rock
Legend
Legend
‎2022-09-06 02:45 PM

I think one idea is to exclude services that would be used for the communication, within VPN tunnel, so that way anything on them would not be encrypted, but maybe there is a better way. Lets see what else is suggested.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events