H2-F1
Participant

1400 series limitations

Hello checkmates,

While migrating a Cisco ASA to a locally managed Checkpoint 1450 appliance running R77.20.86, I came across a few issues which I can only explain as limitations on this appliance/cut-down version of Gaia. These are listed below.

- Unable to create admin account with /bin/bash shell - either via webui or clish - "set user username shell" command is not accepted
- Unable to selectively specify a local encryption domain on a per site-to-site VPN; you can select specific remote encryption domains but not local
- Unable to turn off NAT-T on a per site-to-site VPN site
- After deleting a newly formed SA and IPsec tunnel through "vpn tu", the VPN never came back up; performed an upgrade to .87 to no avail. For some reason the unit was attempting to use UDP/4500 (NAT-T) when it was connected directly on the internet

I followed various debug guides such as

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

but the output from the firewall was not helpful. Could this be an issue of running local management on the box?

I read a thread on Checkmates where G_W_Albrecht suggests that "1430 remote gateways locally weakens them" and that there is "limitations on the number of S2S tunnels"

https://community.checkpoint.com/t5/General-Topics/IPSec-VPN-between-CP1430-e-CP3200-Drops-randomly/...

Has anyone come across these or similar issues?

0 Kudos

5 Replies
Maarten_Sjouw
Champion
1. you need to log in to the account and use: bashUser on / bashUser off
2. not possible with Check Point. (new R80.40 will support it but not on 1450)
3. possible
4. depends on the external IP; when this is an RFC1918 address it is NATted, therefore it will try NAT-T
Regards, Maarten
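Point 4 gives a rule of thumb for troubleshooting the UDP/4500 symptom from the original post: an RFC1918 address on the external interface means the gateway is behind NAT and IKE is expected to move to NAT-T, while a public external address should normally negotiate on UDP/500. The script below is an added example, not code from this thread or from Check Point, that turns that rule into a check you can run against tunnel records you collect yourself (for instance from `vpn tu` output). The tunnel names and addresses are constructed sample data in documentation ranges, and the record format (`name`, `local_external_ip`, `peer_ip`, `observed_port`) is an assumption of this example; `branch-a` mirrors the poster's case, a public external IP that nevertheless ended up on UDP/4500.

```python
"""Sanity check for the NAT-T symptom discussed in this thread.

Rule of thumb from the thread: a gateway whose external interface carries an
RFC 1918 address sits behind NAT, so IKE is expected to move to UDP/4500 (NAT-T);
with a public external address, plain IKE on UDP/500 is the expectation.
A tunnel that violates this is worth a closer look (peer forcing NAT-T, an
upstream device doing NAT, or a stale SA left over from "vpn tu").
"""
import ipaddress

# RFC 1918 private address space (IPv4 only)
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
IKE_PORT = 500      # plain IKE (no NAT detected)
NAT_T_PORT = 4500   # IKE/ESP encapsulated in UDP (NAT-T)


def is_rfc1918(ip: str) -> bool:
    """True if ip is an IPv4 RFC 1918 private address (False for IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def expected_ike_port(local_external_ip: str) -> int:
    """Port IKE is expected on, per the thread's rule of thumb."""
    return NAT_T_PORT if is_rfc1918(local_external_ip) else IKE_PORT


def audit_tunnels(tunnels):
    """Compare each tunnel's observed IKE port with the expected one.

    tunnels: iterable of dicts with keys name, local_external_ip, peer_ip,
    observed_port (the UDP port the SA was actually negotiated on).
    Returns a list of result dicts; 'anomaly' is True when they disagree.
    """
    results = []
    for t in tunnels:
        expected = expected_ike_port(t["local_external_ip"])
        observed = t["observed_port"]
        results.append({
            "name": t["name"],
            "peer_ip": t["peer_ip"],
            "local_is_rfc1918": is_rfc1918(t["local_external_ip"]),
            "expected_port": expected,
            "observed_port": observed,
            "anomaly": observed != expected,
        })
    return results


# Constructed sample data (hypothetical tunnels, documentation-range addresses);
# branch-a mirrors the original poster's case: public external IP, yet UDP/4500.
SAMPLE_TUNNELS = [
    {"name": "branch-a", "local_external_ip": "203.0.113.5",
     "peer_ip": "198.51.100.20", "observed_port": 4500},
    {"name": "branch-b", "local_external_ip": "192.168.10.2",
     "peer_ip": "198.51.100.30", "observed_port": 4500},
    {"name": "branch-c", "local_external_ip": "203.0.113.5",
     "peer_ip": "198.51.100.40", "observed_port": 500},
]


def anomalous_tunnel_names(tunnels=SAMPLE_TUNNELS):
    """Names of tunnels whose observed port contradicts the rule of thumb."""
    return [r["name"] for r in audit_tunnels(tunnels) if r["anomaly"]]


if __name__ == "__main__":
    for r in audit_tunnels(SAMPLE_TUNNELS):
        flag = "CHECK" if r["anomaly"] else "ok"
        print(f"{r['name']:<10} expected UDP/{r['expected_port']} "
              f"observed UDP/{r['observed_port']}  {flag}")
```

A flagged tunnel is a starting point, not a verdict: the peer may be forcing NAT-T (sk162472, linked later in this thread, covers forcing it on Gaia Embedded), an upstream device may be translating the address, or the SA may simply be stale. The check only encodes the address-based expectation Maarten describes, so it tells you which tunnels deserve a packet capture on UDP/500 and UDP/4500 rather than why they behave that way.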
H2-F1
Participant

Thanks for the quick reply Maarten

1 - is this only possible through CLI, or is there an option in the webui?

3 - I believe you can disable it globally on the 1450, but can you do it per S2S? If so, can you please point me in the right direction?

4 - In this case the external IP was a public IP, so I would not have expected it to NAT-T

0 Kudos
Maarten_Sjouw
Champion
1. only CLI
3. Looking at all I know about embedded, I would not expect anything to be enabled per VPN
4. weird indeed.
Regards, Maarten
0 Kudos
G_W_Albrecht
Legend

A locally managed 1430 GW will have the same performance as a cheaper, locally managed 730 GW. The full 1430 hardware resources are only used when managed centrally.

1 - only possible through CLI!

3:

sk162472: How to force NAT-T on Gaia Embedded devices

sk105380: Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 / 910 Appliance Features and Kno...


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
H2-F1
Participant

Very interesting, thanks guys.

0 Kudos