Hi CheckMates,
Let's suppose we have one SMS which can manage 10 SGs.
We manage 6 of these SGs, and the rest (4) are managed by a 3rd party company (we see these gateways in the SMS, but somebody else manages them, and they have their own LANs, DMZs, etc.).
And now we have decided that we want to add 2 more SGs that will act as VPN gateways for our remote users.
As we all know, MEP is enabled by default, which we can of course change from "true" to "false" or "client_decide".
So if MEP is set to "true" ... what will a remote user see after he adds a new site in Check Point Mobile/Endpoint Connect?
Soon after the first connection, the topology will be downloaded from this VPN gateway, and on the next connection the user will see a new option - a select box - where he will see EACH AND EVERY gateway that is in the RemoteAccess VPN Community.
If there are only these newly added VPN gateways, he will see only these two.
But what if an administrator from this 3rd party organisation enables the IPSec VPN blade and adds one or more of these 4 SGs to the RemoteAccess VPN Community?
Our remote users will see our 2 VPN gateways ... and these gateways of the 3rd party organisation in this select box ... and the 3rd party organisation's remote users will see their gateways ... and our 2 VPN gateways...
Two questions:
1) Do you know if there is some option to "filter" which gateways can be chosen by remote users for MEP (so that our remote users see only our 2 VPN gateways, and remote users from the 3rd party organisation see only their 4 gateways)?
I was thinking about the trac_client_1.ttm file ... but I don't see anything about that...
However, I know that this file doesn't contain everything ... for example, if you want to allow remote users to exclude locally connected networks from Hub Mode ... you need to add a special entry to this file.
So perhaps there is something similar regarding MEP?
Eh... if only we could have more than one RemoteAccess VPN Community .... but we can't 😞
2) Even if the Customer selects one particular gateway from this select box ... the client application connects to a different gateway (each and every time it is the first one from the list) - even though I have the option "client_decide" in "automatic_mep_topology".
How can I change that? It looks as if "client_decide" for "mep_mode" is the same as "first_to_respond"...
Or maybe each Customer should change the file C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.defaults regarding MEP .... it would be absurd.
Excerpt from $FWDIR/conf/trac_client_1.ttm:
(...)
:mep_mode (
    :gateway (
        :map (
            :dns_based (dns_based)
            :first_to_respond (first_to_respond)
            :primary_backup (primary_backup)
            :load_sharing (load_sharing)
            :client_decide (client_decide)
        )
        :default (client_decide)
    )
)
(...)
:automatic_mep_topology (
    :gateway (
        :map (
            :false (false)
            :true (true)
            :client_decide (client_decide)
        )
        :default (true)
    )
)
(...)
As you can see, these are the default settings.
I can understand that with "automatic_mep_topology" set to "true" the client application will not be able to select a gateway - this choice will be made "automatically" based on some parameters.
But if this option is changed to "client_decide" ... in my opinion the gateway that is chosen should be the one selected from the select box by the user ....
What do you think?
--
Best
m.
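Added example (not part of the post above and not Check Point code): a small parser for the ":key ( ... )" syntax of the trac_client_1.ttm excerpt, plus a check that the ":default" of each MEP setting is one of the values listed in its ":map". Before changing mep_mode or automatic_mep_topology and pushing the file to clients, a quick check like this catches a typo that would otherwise only show up as odd client behaviour. Assumptions: the rest of the file uses the same nested-parenthesis syntax as the quoted excerpt (only the excerpt is known here), the sample text is the two quoted entries with the "(...)" elisions removed, and the function names are mine.

```python
import re

# Constructed sample: the two MEP entries quoted in the post, elisions removed.
SAMPLE_TTM = """
:mep_mode (
    :gateway (
        :map (
            :dns_based (dns_based)
            :first_to_respond (first_to_respond)
            :primary_backup (primary_backup)
            :load_sharing (load_sharing)
            :client_decide (client_decide)
        )
        :default (client_decide)
    )
)
:automatic_mep_topology (
    :gateway (
        :map (
            :false (false)
            :true (true)
            :client_decide (client_decide)
        )
        :default (true)
    )
)
"""

# Tokens: "(", ")", ":key", or a bare value.
TOKEN_RE = re.compile(r"\(|\)|:[^\s()]+|[^\s()]+")


def parse_ttm(text):
    """Parse ':key ( ... )' blocks into nested dicts; leaves become strings.

    Assumed syntax (from the excerpt only): a block is a sequence of
    ':key (' entries, each holding either one bare value or more entries.
    """
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def parse_block():
        nonlocal pos
        result = {}
        while pos < len(tokens) and tokens[pos] != ")":
            tok = tokens[pos]
            if not tok.startswith(":"):
                raise ValueError(f"expected ':key', got {tok!r}")
            key = tok[1:]
            pos += 1
            if pos >= len(tokens) or tokens[pos] != "(":
                raise ValueError(f"expected '(' after :{key}")
            pos += 1
            # A leaf is a single bare value; anything else is a nested block.
            if pos < len(tokens) and tokens[pos] not in ("(", ")") \
                    and not tokens[pos].startswith(":"):
                value = tokens[pos]
                pos += 1
            else:
                value = parse_block()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' closing :{key}")
            pos += 1
            result[key] = value
        return result

    tree = parse_block()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses")
    return tree


def effective_default(tree, setting):
    """Return (default value, sorted allowed values) for a gateway setting."""
    entry = tree[setting]["gateway"]
    allowed = sorted(entry["map"].values())
    return entry["default"], allowed


def validate_defaults(tree):
    """List (setting, default) pairs whose default is not in the map."""
    bad = []
    for setting, body in tree.items():
        gw = body.get("gateway") if isinstance(body, dict) else None
        if not isinstance(gw, dict) or "map" not in gw or "default" not in gw:
            continue
        if gw["default"] not in gw["map"].values():
            bad.append((setting, gw["default"]))
    return bad


if __name__ == "__main__":
    t = parse_ttm(SAMPLE_TTM)
    for name in ("mep_mode", "automatic_mep_topology"):
        print(name, effective_default(t, name))
    print("invalid defaults:", validate_defaults(t))
```

Run it against a copy of the real file after editing it; an empty "invalid defaults" list means every edited default is a value the map actually offers.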