SDL with location awareness
Hello Everyone,
I am working on a specific requirement with Endpoint Security VPN E80.92 clients. I read the admin guide in order to enable SDL and location awareness (Global properties > Endpoint connect). It contains a group with our internal IP addresses.
SDL is enabled on the client. Now when these users connect over an external network the SDL pops up, which is good. But when the user comes into the office, we have configured the parameter to not come up, but it doesn't work.
I added the parameter below to the Security Gateway trac client ttm file, but it still doesn't work.
:ignore_sdl_in_encdomain (
    :gateway (
        :map (
            :false (false)
            :true (true)
        )
        :default (true)
    )
)
Unless I am mistaken about the syntax or procedure, the above statement should be good. In addition to that, when I look at the trac.defaults file of the client, ignore_sdl_in_encdomain is in fact set to true.
ignore_sdl_in_encdomain STRING true GW_USER 0
While reviewing the logs from the endpoint, I see weird behavior but am unable to conclude which component is possibly causing the issue.
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: entering...
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] sdl_enabled return value true, because it is User config variable. Scope: site NULL ,gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] ignore_sdl_in_encdomain return value true, because it is Default variable. Scope: site clientvpn.flybe.com, gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: check if client is in enc domain
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetCurrentClientIP: mLA is NULL
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: clientIP is not initialized in LA yet, try getting it directly
[ 4324 5340][16 Apr 9:37:03][CONFIG_MANAGER] gw_ipaddr return value XXX.XX.93.6, because it is Gateway config variable. Scope: site clientXXX.XXXXX.com ,gw NULL ,user USER
[ 4324 5340][16 Apr 9:37:03][location_awareness] GetExternalInterfaceIndex: GetIpForwardTable needs 1412 bytes
[ 4324 5340][16 Apr 9:37:03][location_awareness] GetExternalInterfaceIndex: External index interface is 0x0, Default gw is 0.0.0.0
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: GetExternalInterfaceIndex failed
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: no client ip - set enc domain result NO_NETWORK
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=no_network
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Trying to open or create registry: Software\CheckPoint\TRAC
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully opened key Software\CheckPoint\TRAC
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 2
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::isUserLoggedOn: Entering...
Here are logs from another test.
[ 4420 5272][17 Apr 10:30:33][location_awareness] LocationAwareness::_NotifyNetworkChange: entering...
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::NotifyNetworkChange: entering, location is UNKNOWN(-1), interfaceIdx=2, interfaceIp=XX.XXX.23.45
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::NotifyNetworkChange: save location result in the registry for sdl
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=out
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Trying to open or create registry: Software\CheckPoint\TRAC
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully opened key Software\CheckPoint\TRAC
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 0
[ 4420 5272][17 Apr 10:30:33][location_awareness] LocationAwareness::NotifyLocation: notify our current location - UNKNOWN
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::LocationNotification: called with location of type -1
I have masked the IP address, but the IP seen here is part of the location awareness Internal IP group.
Not sure if I am missing some basic stuff here.
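To compare traces like the two above, the in-encryption-domain decisions can be pulled out and paired with the IsInEncDomain registry value written after each one. This is an added example, not part of the original post and not Check Point tooling; the function names are hypothetical, the sample lines are copied from the logs in the post, and only the status/value pairs visible there (no_network with 2, out with 0) are relied on.

```python
import re

# Lines copied from the two client traces in the post (IP masking as posted).
SAMPLE = """\
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::SetIsDisableSDLInEncDomain: GetExternalInterfaceIndex failed
[ 4324 5340][16 Apr 9:37:03][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=no_network
[ 4324 5340][16 Apr 9:37:03][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 2
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::NotifyNetworkChange: entering, location is UNKNOWN(-1), interfaceIdx=2, interfaceIp=XX.XXX.23.45
[ 4420 5272][17 Apr 10:30:33][TR_CONN_MANAGER] TrConnManager::SaveInEncDomainResult: InEncStatus=out
[ 4420 5272][17 Apr 10:30:33][slim_utils] RaisDbSetValue: Successfully set (DWORD) key IsInEncDomain with value 0
"""

# "[ pid tid][timestamp][component] message", the layout used by every trace line above.
LINE = re.compile(r"^\[\s*(\d+)\s+(\d+)\]\[([^\]]+)\]\[([^\]]+)\]\s*(.*)$")
STATUS = re.compile(r"SaveInEncDomainResult: InEncStatus=(\w+)")
REGVAL = re.compile(r"key IsInEncDomain with value (\d+)")
LOCATION = re.compile(r"location is (\w+)\(-?\d+\)")


def enc_domain_decisions(text):
    """One record per SaveInEncDomainResult, with the cause lines logged before it."""
    records, hints = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip wrapped or foreign lines
        pid, _tid, stamp, _component, msg = m.groups()
        if "GetExternalInterfaceIndex failed" in msg:
            hints.append("no external interface found")
        if (loc := LOCATION.search(msg)):
            hints.append(f"location {loc.group(1)}")
        if (st := STATUS.search(msg)):
            records.append({"time": stamp, "pid": int(pid), "status": st.group(1),
                            "registry": None, "why": hints})
            hints = []
        elif (rv := REGVAL.search(msg)) and records and records[-1]["registry"] is None:
            records[-1]["registry"] = int(rv.group(1))
    return records


def unknown_location_out(records):
    """Decisions saved as 'out' while location was UNKNOWN (the flow in the second trace)."""
    return [r for r in records if r["status"] == "out" and "location UNKNOWN" in r["why"]]


if __name__ == "__main__":
    for r in enc_domain_decisions(SAMPLE):
        print(r["time"], r["status"], r["registry"], "; ".join(r["why"]) or "-")
```

Run against a full client trace, this gives one line per decision, which makes it easy to see whether an internal logon was recorded as no_network or as out.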
Accepted Solutions
Hi,
From a first look at the logs you added, it seems that in the 1st one the SDL should not pop.
Is that indeed the case, or does it pop in both logs?
As for the 2nd logs, we have added a fix to the same flow (Network is UNKNOWN); this fix is part of our next release E81.00 that should be GA-ed during May.
Thanks,
Netanel Cohen,
Software Developer, VPN Clients, Check Point
Yes, the SDL still pops up during the Windows logon within an internal network.
I will probably reach out to TAC as well to see if there's anything they can point me to.
Is there a way to get an EA for E81 to see if that fixes any of the problems I am going through?
Hi,
Sorry for the delay.
Unfortunately we do not have public EAs since we moved to monthly releases.
The current ETA for E81.0 is during May.
Thanks,
Netanel Cohen,
Software Developer, PC VPN clients, Check Point
Hello Udupi_Krishna,
I have the same problem; my configuration in (Global properties > Endpoint connect) is correct and SDL is enabled on the endpoint.
Do you know how I can configure the options below in the trac client ttm file?
I added the parameter below to the Security Gateway trac client ttm file, but it still doesn't work.
:ignore_sdl_in_encdomain (
    :gateway (
        :map (
            :false (false)
            :true (true)
        )
        :default (true)
    )
)
