Remote-Access pulls all subnets from Gateways in remote-access community
Hello everyone
We manage gateways for different customers.
Since many of them use remote access, we have disabled the automatic MEP topology to block the endpoint client from pulling information about all gateways in the manager.
If we do a route print in CMD in Windows, we can see routes are being pushed to the endpoint client from all the gateways. Perhaps because all gateways are in the remote-access community. How do we block that from happening, so a connection to Gateway A only gets routes to Gateway A and not routes to Gateway B/C/D, even though they don't work?
Since it is not possible to have more than 1 Remote Access Community in the same Domain, the solution can be to migrate Gateway B to Domain2, Gateway C to Domain3 and so on.
If Gateways B/C/D don't work, why do you have them as part of the Remote Access Community?
Jozko Mrkvicka
Correct.
But that would result in having to buy multiple management licenses, because we have to go to a multi-domain server or multiple management servers.
And we have paid for 1 management server to manage multiple gateways 🙂
Remote Access clients get their routes based on the RemoteAccess encryption domain.
At the moment, there is only one RemoteAccess encryption domain per management domain.
As far as I know, there is no way around this.
I believe I heard we are planning to add support for multiple RemoteAccess encryption domains in R82.10.
Given that we just released R82, I don't see R82.10 coming out in the near future.
This leaves you with using either multiple management servers (may wish to consider Smart-1 Cloud for this) or multi-domain as the only way to meet this requirement currently.
Does that mean you are forced to receive routes from all gateways in the remote access part?
Isn't there any way to actually modify anything in the trac client so it doesn't pull from all other gateways but only the currently connected gateway?
There is a single RemoteAccess community per management domain.
Each gateway has its own (Remote Access) Encryption Domain.
When the gateway is added to the RemoteAccess community, the necessary routes for ALL gateways in the RemoteAccess encryption domain will be sent to the client when the client connects to one of the gateways.
It does appear there might be a way to resolve this (get topology from connected gateway only).
See: https://support.checkpoint.com/results/sk/sk92676
I have read that one before, but it implies editing the trac client on the endpoint machine.
I can't manually edit files on 200 machines just because of this.
This might be by design, but it sure feels like a bug or an oversight, since it feels absurd being forced to pull all routes just because you have multiple gateways in a single remote access community (because we are forced to have only 1 remote-access community).
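
Added example (not part of the thread and not Check Point code): a Python check for the behaviour discussed above, which parses `route print` output from a connected client and lists the routes bound to the VPN adapter that fall outside the encryption domain expected for the connected gateway. The sample output, the adapter address 172.16.10.5 and all subnets are constructed assumptions.

```python
import ipaddress

# Constructed sample of the IPv4 section of `route print` on a connected client.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
        10.10.0.0      255.255.0.0         On-link      172.16.10.5      1
        10.20.0.0      255.255.0.0         On-link      172.16.10.5      1
        10.30.5.0    255.255.255.0         On-link      172.16.10.5      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

def parse_ipv4_routes(text):
    """Return (network, interface) pairs from the Active Routes table."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Network Destination"):
            in_table = True          # rows start after the column header
            continue
        if in_table and line.startswith("="):
            break                    # separator line closes the table
        fields = line.split()
        if in_table and len(fields) == 5:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            routes.append((net, fields[3]))
    return routes

def unexpected_vpn_routes(text, vpn_interface_ip, expected_domain):
    """Routes on the VPN adapter that are outside the expected encryption domain."""
    allowed = [ipaddress.ip_network(n) for n in expected_domain]
    return [str(net) for net, iface in parse_ipv4_routes(text)
            if iface == vpn_interface_ip
            and not any(net.subnet_of(a) for a in allowed)]

if __name__ == "__main__":
    # Assumption: 172.16.10.5 is the client's VPN adapter address and
    # 10.10.0.0/16 is the encryption domain of Gateway A.
    for r in unexpected_vpn_routes(SAMPLE_ROUTE_PRINT, "172.16.10.5", ["10.10.0.0/16"]):
        print("route outside Gateway A encryption domain:", r)
```

Run against real `route print` output collected from a few clients per customer, this gives an inventory of which other customers' subnets are visible in each client's routing table.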
