Excluded Services issue

We recently encountered an issue setting up an IPSEC tunnel between our Check Point and Bluecoat/Symantec for their Web Security Services. We could not successfully use service ranges as recommended within Check Point. We were able to create the service ranges, however it failed to exclude the services.

We instead were required to list every service we needed to exempt from the tunnel.

Is this a known limitation within Check Point R77.30 or has this been addressed with R80.10?

Blue Coat's instructions

  1. In the SmartDashboard, select Services.
  2. Right-click Group and select New Group. The interface displays the Group Properties dialog.
  3. Click New. The interface displays the Group Properties dialog.

    1. Name the object. For example, indicate that these are ports 1 to 79.
    2. In Port field, enter 1-79. This excludes all ports up to 80 (web).
    3. Click Advanced. The interface displays the Advanced TCP Service Properties dialog.
    4. Select Match For 'Any'. This prevents policy installation warnings because of a possible already-defined port.
    5. Click OK; click OK again to close the Group Properties dialog.
  4. Repeat Steps 3.1 through 3.3 to add two more groups.

    1. Mid-TCP-Ports: 81 to 442.
    2. High-TCP-Ports: 444 to 65535.

      This allows port 443 traffic into the VPN tunnel.

  5. (Optional) You can also add ICMP and all UDP ports.
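As an added illustration (not part of this thread, and not Check Point or Blue Coat tooling), a small Python checker for a list of excluded-service port ranges written the way the steps above define them: it flags overlapping ranges, which are what the Match For 'Any' step is meant to guard against, and computes which TCP ports are left inside the tunnel. The three ranges are taken from the steps above; anything else here is constructed for the example.

```python
from typing import Iterable, List, Set, Tuple

# Taken from the Blue Coat steps quoted above: the three TCP port ranges
# that are defined as services and placed under Excluded Services.
EXCLUDED_RANGES = ["1-79", "81-442", "444-65535"]


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse a port spec as typed into the Port field ('443' or '81-442')."""
    lo, _, hi = spec.partition("-")
    low, high = int(lo), int(hi or lo)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range: {spec}")
    return low, high


def find_overlaps(specs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return pairs of specs that share at least one port.

    Overlapping port definitions are the 'possible already-defined port'
    situation that the Match For 'Any' setting exists to silence; listing
    them makes the exclusion set easier to review before policy install.
    """
    ranges = [(s, *parse_range(s)) for s in specs]
    overlaps = []
    for i, (spec_a, low_a, high_a) in enumerate(ranges):
        for spec_b, low_b, high_b in ranges[i + 1:]:
            if low_a <= high_b and low_b <= high_a:
                overlaps.append((spec_a, spec_b))
    return overlaps


def tunneled_ports(specs: Iterable[str]) -> Set[int]:
    """Ports not covered by any excluded range: the only TCP ports whose
    traffic still enters the VPN tunnel (single-port specs work too, which
    matches the per-service workaround described in the question)."""
    remaining = set(range(1, 65536))
    for spec in specs:
        low, high = parse_range(spec)
        remaining.difference_update(range(low, high + 1))
    return remaining


if __name__ == "__main__":
    print("overlaps:", find_overlaps(EXCLUDED_RANGES))
    print("still tunneled:", sorted(tunneled_ports(EXCLUDED_RANGES)))
```

With the three ranges from the steps, the only TCP ports that remain inside the tunnel are 80 and 443.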

What you list from Blue Coat is how to define which traffic should not go through the VPN tunnel, but you left out the final step, where you have to add these newly defined service/port groups so they are excluded! This is done in the Community settings under Excluded Services.

Right, I understand that.

What I'm saying is that the example ranges they provide (Mid-TCP-Ports: 81 to 442 and High-TCP-Ports: 444 to 65535), although I can create them, will not work for some reason.

Is there a limitation with service ranges for VPN exclusion?

Just an FYI: apparently this was an issue in certain versions of R77.30, later fixed in a hotfix, but it is not an issue in R80.10 according to our support at Optiv.

