This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Dave_Taylor1
Collaborator
‎2018-05-21 09:45 AM

Excluded Services issue

We recently encountered an issue setting up an IPSEC tunnel between our Check Point and Bluecoat/Symantec for their Web Security Services. We could not successfully use service ranges as recommended within Check Point. We were able to create the service ranges, however it failed to exclude the services.

We instead were required to list every service we needed to exempt from the tunnel.

Is this a known limitation within Check Point R77.30 or has this been addressed with R80.10?

Blue Coat's instruction

  1. In the SmartDashboard, select Services.
  2. Right-click Group and select New Group. The interface displays the Group Properties dialog.

  3. Click New. The interface displays the Group Properties dialog.

    1. Name the object. For example, indicate that these are ports 1 to 79.
    2. In Port field, enter 1-79. This excludes all ports up to 80 (web).
    3. Click Advanced. The interface displays the Advanced TCP Service Properties dialog.
    4. Select Match For 'Any'. This prevents policy installation warnings because of a possible already-defined port.
    5. Click OK; click OK again to close the Group Properties dialog.

  4. Repeat Steps 3.1 through 3.3 to add two more groups.

    1. Mid-TCP-Ports: 81 to 442.

    2. High-TCP-Ports: 444 to 65535.

      This allows port 443 traffic into the VPN tunnel.

  5. (Optional) You can also add ICMP and all UDP ports.

0 Kudos
Reply
4 Replies
G_W_Albrecht
Champion
Champion
‎2018-05-25 01:56 AM

What you list from BlueCoat is how to define which traffic should not go thru the VPN tunnel - but you left out the final step, that is, where you have to add these newly defined service/port groups so they are excluded ! This is made in Community settings under Excluded Services.

0 Kudos
Reply
Dave_Taylor1
Collaborator
‎2018-05-25 06:27 AM
In response to G_W_Albrecht

Right, I understand that.

What I'm saying is the example they provide for the ranges - Mid-TCP-Ports: 81 to 442. & High-TCP-Ports: 444 to 65535, although I can create them, will not work for some reason.

Is there a limitation with service ranges for VPN exclusion?

0 Kudos
Reply
Dave_Taylor1
Collaborator
‎2018-07-10 10:47 AM

Just an FYI. Apparently this was an issue in certain versions of R77.30 later fixed in a HotFix, but not an issue in R80.10 according to our support at Optiv.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-07-11 05:44 AM
In response to Dave_Taylor1

Confirmed.

See: Services configured as Excluded for IPSec tunnel are not being excluded 

0 Kudos
Reply