Khay
Participant

Get rid of Secondary Connect - use VPN routing

Hello,


For now VPN clients are using basic authentication (AD login/password), and I want to enforce a new authentication method for VPN clients (Azure SAML).


The issue is that every client usually opens a secondary tunnel to our main site; it's totally transparent for the user.


With SAML I will get a prompt when the second tunnel opens, so I want to get rid of this functionality. The traffic going through this secondary tunnel is legitimate, but I want to use VPN routing instead.


To achieve this, should I disable Secondary Connect on all gateways with the "$FWDIR/conf/trac_client_1.ttm" file?
Or can I just modify the encryption domain for VPN clients to include the destination subnet of the remote gateway?


Here is a picture of part of my infra (default: default encryption domain; azure, vpn-client: specific encryption domains).

Site 1 is the center gateway of a star community where sites 2 and 3 are satellites.

Clients on sites 2 and 3 usually open a secondary tunnel to site 1.

If I add the subnets in red and blue to the encryption domain, should that be enough? I did some tests and I still see a secondary tunnel. If I check the routes on the client, I see subnets from all my gateways; is that the issue?


[image: secondaryconnect.jpg]

All gateway versions: R81.20 Take 99

Thanks for your help

PhoneBoy
Admin

This is expected behavior with SAML as each gateway/cluster is a unique service provider.
I believe it's possible to use Infinity Identity with Secondary Connect, though I'm sure @Royi_Priov will correct me if I'm wrong.

Without Infinity Identity and SAML, yes, you have to disable Secondary Connect if you don't want to be prompted for authentication again.
If you want a specific gateway to allow access to other subnets behind other gateways via VPN routing, you need to add those subnets to the RemoteAccess encryption domain on the relevant gateway.

Khay
Participant

Hello,

Thanks for the information, I didn't know about Infinity Identity.

Is it only available on R82? Is this component part of a subscription, or can it be used free of charge?


Thanks for your help

PhoneBoy
Admin

Infinity Identity is still in Early Availability as far as I know (though @Royi_Priov can confirm).
Currently it requires R82 management and either R81.20 or R82 gateways.
As this requires Infinity Portal, I expect there will ultimately be a charge for this, but the details are not finalized yet.

Royi_Priov
Employee

Thanks @PhoneBoy for tagging me.

  1. The administrator configures the IDP once in the Infinity Portal.
  2. The IDP is "replicated" into SmartConsole, and you can place it for authentication and in the access role picker.
  3. The Infinity Portal acts as a SAML service provider, and the identity can be shared via Infinity Identity with other gateways (to the Identity Awareness component).

Now, to the disclaimers 🙂

  1. Infinity Identity is a cloud service, and the gateway side that supports it is currently in EA. It will be included in R82.10GA2, which is right around the corner.
  2. The VPN support for Infinity Identity/Portal SAML I/S has not been released yet. It is planned for 2026 as far as I know. Currently only Identity Awareness supports this (from R82 GA).
Thanks,
Royi Priov
R&D Group manager, Infinity Identity