This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KamilWolan
Participant
‎2024-06-13 03:46 AM
Jump to solution

Check Point Mobile - missing entries in routing table

Hi,

I spotted strange issue that we have in our environment (R81.10, JHF 139), however I'm not able to find the solution/explanation.
Here is the outcome of the routing table when I'm connected to our VPN with Check Point Mobile:

mobile.png

Here is the same, but for Check Point SSL connection over the browser:

ssl.png

 

As you can see, for the Check Point Mobile connection, IP 10.2.0.5 is missing, and whole 10.2.0.0/16 network is split into segments. Additionally IPs of all Firewalls Clusters with Mobile blade active is missing (IPs of cluster members are fine).
Do you have any idea what is the reason for this behavior? 

Best regards,
Kamil

0 Kudos
1 Solution

Accepted Solutions
KamilWolan
Participant
‎2024-06-17 01:52 AM
Jump to solution

We find a solution during call with CP support. Policy source for one of FW was set to "Legacy Policy". Somehow it was impacting other FWs with VPN blade (probably because of the same encryption domain used for all VPN entry points).

vpn_solution.png

Anyhow - problem for my case can be solved by changing Policy Source to Unified, or by using different encryption domain for firewall with Legacy Policy Source.   

 

View solution in original post

7 Replies
the_rock
Legend
Legend
‎2024-06-13 05:07 AM
Jump to solution

Hey Kamil,

I remember similar issue with customer few years ago and if I recall right, it had to do with the rules configured. I will see if I can find notes about it.

Andy

the_rock
Legend
Legend
‎2024-06-13 05:40 AM
Jump to solution

For the context, there should be an entry in the routing table for subnet like below (depending what your OM mode subnet is)

What I blur out is DG for it, which should be UPSTREAM router IP

Andy

 

Screenshot_1.png

0 Kudos
KamilWolan
Participant
‎2024-06-13 05:52 AM
In response to the_rock
Jump to solution

Thanks, I will check it.

the_rock
Legend
Legend
‎2024-06-13 05:54 AM
In response to KamilWolan
Jump to solution

100% you should check it mate AND also, make sure NAT is enabled on it in smart console, as per below.

Andy

 

Screenshot_2.png

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-14 02:36 PM
Jump to solution

Please check the end user's IP address without VPN.
If their local IP is in the encryption domain, you'll see routes like that.
It's expected behavior.

KamilWolan
Participant
‎2024-06-17 01:52 AM
Jump to solution

We find a solution during call with CP support. Policy source for one of FW was set to "Legacy Policy". Somehow it was impacting other FWs with VPN blade (probably because of the same encryption domain used for all VPN entry points).

vpn_solution.png

Anyhow - problem for my case can be solved by changing Policy Source to Unified, or by using different encryption domain for firewall with Legacy Policy Source.   

 

the_rock
Legend
Legend
‎2024-06-17 03:21 AM
In response to KamilWolan
Jump to solution

Good to know!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events