This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TomShanti
Collaborator
‎2020-01-22 01:24 AM
Jump to solution

Exclude IP addresses (non local subnets) from hub mode

Hi,

 

is it possible to also exclude specific IP adresses/subnets for a VPN client running in hub mode (route all traffic to gateway) ?

I know there is a solution for excluding local LANs (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...but I need to exclude specific IPs and I must not disable hub mode.

 

Thanks and regards

Thomas

 

0 Kudos
1 Solution

Accepted Solutions
LukeOxley
Participant
‎2020-03-31 09:34 AM
Jump to solution

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect. 
  2. Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
  3. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  4. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  5. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  6. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  7. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  8. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

View solution in original post

0 Kudos
5 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-22 02:28 AM
Jump to solution

Why not user Access Roles to differentiate between local and RA VPN clients and create a ruleset that denies access to these IP addresses for RA VPN clients only ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
TomShanti
Collaborator
‎2020-01-22 05:35 AM
In response to G_W_Albrecht
Jump to solution

Hi Günther,

 

can you elaborate what you mean by  local and RA VPN clients ?

Target scenario is this

 

RA VPN client ---- forced tunnel ---------------------------Corp FW -- company LAN

          |------------- Webserver 80.80.80.80 (Corp DMZ)--------|

 

Regards Thomas

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-22 06:01 AM
In response to TomShanti
Jump to solution

You have  local clients at your site that connect to the internet thru the GW, and you have RA VPN clients using Hub Mode / Route all traffic to gateway, So you could use one access rule  for local clients and another for RA VPN clients with excluded destinations...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
TomShanti
Collaborator
‎2020-01-23 06:11 AM
In response to G_W_Albrecht
Jump to solution

"and another for RA VPN clients with excluded destinations..."

 

This configuration is what I am looking for. How do you exclude destinations in Hub mode ?


Regards Thomas

0 Kudos
LukeOxley
Participant
‎2020-03-31 09:34 AM
Jump to solution

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect. 
  2. Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
  3. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  4. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  5. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  6. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  7. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  8. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events