This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave_Taylor1
Collaborator
‎2018-05-21 09:45 AM

Excluded Services issue

We recently encountered an issue setting up an IPSEC tunnel between our Check Point and Bluecoat/Symantec for their Web Security Services. We could not successfully use service ranges as recommended within Check Point. We were able to create the service ranges, however it failed to exclude the services.

We instead were required to list every service we needed to exempt from the tunnel.

Is this a known limitation within Check Point R77.30 or has this been addressed with R80.10?

Blue Coat's instruction

  1. In the SmartDashboard, select Services.
  2. Right-click Group and select New Group. The interface displays the Group Properties dialog.

  3. Click New. The interface displays the Group Properties dialog.

    1. Name the object. For example, indicate that these are ports 1 to 79.
    2. In Port field, enter 1-79. This excludes all ports up to 80 (web).
    3. Click Advanced. The interface displays the Advanced TCP Service Properties dialog.
    4. Select Match For 'Any'. This prevents policy installation warnings because of a possible already-defined port.
    5. Click OK; click OK again to close the Group Properties dialog.

  4. Repeat Steps 3.1 through 3.3 to add two more groups.

    1. Mid-TCP-Ports: 81 to 442.

    2. High-TCP-Ports: 444 to 65535.

      This allows port 443 traffic into the VPN tunnel.

  5. (Optional) You can also add ICMP and all UDP ports.

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-05-25 01:56 AM

What you list from BlueCoat is how to define which traffic should not go thru the VPN tunnel - but you left out the final step, that is, where you have to add these newly defined service/port groups so they are excluded ! This is made in Community settings under Excluded Services.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dave_Taylor1
Collaborator
‎2018-05-25 06:27 AM
In response to G_W_Albrecht

Right, I understand that.

What I'm saying is the example they provide for the ranges - Mid-TCP-Ports: 81 to 442. & High-TCP-Ports: 444 to 65535, although I can create them, will not work for some reason.

Is there a limitation with service ranges for VPN exclusion?

0 Kudos
Dave_Taylor1
Collaborator
‎2018-07-10 10:47 AM

Just an FYI. Apparently this was an issue in certain versions of R77.30 later fixed in a HotFix, but not an issue in R80.10 according to our support at Optiv.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-11 05:44 AM
In response to Dave_Taylor1

Confirmed.

See: Services configured as Excluded for IPSec tunnel are not being excluded 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events