We recently encountered an issue setting up an IPsec tunnel between our Check Point and Bluecoat/Symantec for their Web Security Services. We could not successfully use service ranges as recommended within Check Point. We were able to create the service ranges; however, they failed to exclude the services.
We instead were required to list every service we needed to exempt from the tunnel.
Is this a known limitation within Check Point R77.30, or has this been addressed with R80.10?
Blue Coat's instructions:
- In the SmartDashboard, select Services.
- Right-click Group and select New Group. The interface displays the Group Properties dialog.
- Click New. The interface displays the Group Properties dialog.
- Name the object. For example, indicate that these are ports 1 to 79.
- In the Port field, enter 1-79. This excludes all ports up to 80 (web).
- Click Advanced. The interface displays the Advanced TCP Service Properties dialog.
- Select Match For 'Any'. This prevents policy installation warnings because of a possible already-defined port.
- Click OK; click OK again to close the Group Properties dialog.
Repeat Steps 3.1 through 3.3 to add two more groups:
- Mid-TCP-Ports: 81 to 442.
- High-TCP-Ports: 444 to 65535.
This allows port 443 traffic into the VPN tunnel.
(Optional) You can also add ICMP and all UDP ports.
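The Blue Coat steps above hand-build the complement of "ports that may enter the tunnel" as three TCP ranges. The following is an added example (not code from the original post, from Check Point, or from Blue Coat) that computes those complementary ranges for any set of tunnel ports, validates that the result neither excludes a tunnel port nor leaves a gap or overlap, and can expand the ranges into the per-port list the poster fell back to when range objects did not work. The group-name prefix `Exclude-TCP` and the dictionary layout are assumptions of this example; the numeric results for `{80, 443}` are exactly the three ranges in the Blue Coat instructions.

```python
"""Compute and validate the TCP port ranges to exclude from a VPN tunnel.

Added example: given the ports that must traverse the tunnel (80 and 443 in
the Blue Coat setup), produce the complementary ranges (1-79, 81-442,
444-65535) that the exclusion service groups must cover.
"""
from typing import Dict, Iterable, List, Tuple

PORT_MIN, PORT_MAX = 1, 65535
Range = Tuple[int, int]


def exclusion_ranges(tunnel_ports: Iterable[int],
                     lo: int = PORT_MIN, hi: int = PORT_MAX) -> List[Range]:
    """Return contiguous (start, end) ranges covering every port in [lo, hi]
    that is NOT in tunnel_ports, i.e. the ranges to keep out of the tunnel."""
    keep = sorted(set(tunnel_ports))
    for p in keep:
        if not lo <= p <= hi:
            raise ValueError(f"port {p} outside {lo}-{hi}")
    ranges: List[Range] = []
    start = lo
    for p in keep:
        if p > start:                 # gap before this tunnel port -> one range
            ranges.append((start, p - 1))
        start = p + 1                 # resume just after the tunnel port
    if start <= hi:                   # trailing range up to the top port
        ranges.append((start, hi))
    return ranges


def range_label(r: Range) -> str:
    """'1-79' for a real range, '80' for a single port (SmartDashboard Port field syntax)."""
    return str(r[0]) if r[0] == r[1] else f"{r[0]}-{r[1]}"


def build_service_groups(tunnel_ports: Iterable[int],
                         prefix: str = "Exclude-TCP") -> List[Dict[str, str]]:
    """One TCP service object per exclusion range; the naming scheme is this example's own."""
    return [{"name": f"{prefix}-{range_label(r)}", "protocol": "tcp", "port": range_label(r)}
            for r in exclusion_ranges(tunnel_ports)]


def expand_ports(ranges: Iterable[Range]) -> List[int]:
    """Flatten ranges into individual ports: the fallback when range objects
    are not honoured and every service has to be listed one by one."""
    return [p for s, e in ranges for p in range(s, e + 1)]


def validate(ranges: List[Range], tunnel_ports: Iterable[int],
             lo: int = PORT_MIN, hi: int = PORT_MAX) -> bool:
    """True only if the exclusion ranges and the tunnel ports partition [lo, hi]:
    no tunnel port is excluded, no port is left uncovered, and ranges do not overlap."""
    excluded = set(expand_ports(ranges))
    tunnel = set(tunnel_ports)
    no_tunnel_port_excluded = not (excluded & tunnel)
    full_coverage = (excluded | tunnel) == set(range(lo, hi + 1))
    no_overlap = sum(e - s + 1 for s, e in ranges) == len(excluded)
    return no_tunnel_port_excluded and full_coverage and no_overlap


if __name__ == "__main__":
    tunnel = {80, 443}
    groups = build_service_groups(tunnel)
    for g in groups:
        print(f"{g['name']}: {g['protocol']} {g['port']}")
    print("valid:", validate(exclusion_ranges(tunnel), tunnel))
    print("individual port objects needed:", len(expand_ports(exclusion_ranges(tunnel))))
```

Running `validate()` against the groups you actually created (not the ones you intended) is the useful part: if a range object is silently not excluding anything, the gap shows up here before policy install rather than as a tunnel that carries traffic it should not.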