This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Louis_Poulin
Collaborator
‎2018-01-10 12:52 PM

What is the equivalent of Cisco "tunneled" route in Check Point to forward all traffic inbound from a VPN connection, straight to another device?

Hello,

I want my remote access users/clients to have a different "default route" than the one of the Security Gateway (R80.10). I want a way to tell the Security Gateway to forward all traffic inbound from a VPN connection, straight to another device.

In Cisco's world, you can achieve this with a "tunneled" route :

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example - Cisco 

This document describes how to configure the Adaptive Security Appliance (ASA) to route the SSL VPN traffic through the tunneled default gateway (TDG). When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.

How can this be done with R80.10 using a VS on a VSX in VSLS mode?

Please see attached diagram for more info.

Note : I wanted to use Policy-Based Routing, but it doesn't seem to be available with my setup based on the following document from Check Point : Policy-Based Routing (PBR) on Gaia OS 

Preview file
83 KB
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2018-01-12 06:02 PM

I don't believe it is possible to do this, but I could be wrong.

What is the actual problem you're trying to solve (i.e. why are you trying to forward all VPN traffic to a specific nexthop)?

0 Kudos
Louis_Poulin
Collaborator
‎2018-01-16 12:00 PM

There is already a Virtual System (VS) in place, on a VSX in VSLS, running R80.10. This VS is providing Internet access to internal users and is running the following blades:

  • Firewall
  • Application Control
  • URL Filtering
  • Identity Awareness
  • Monitoring
  • IPS
  • Anti-Bot
  • Anti-Virus

We now have to provide remote access to approximately 150 concurrent remote users and site-to-site VPN to approximately 5 to 10 remote sites.

Remote users need to access internal services and to browse the Internet while being filtering just like the internal users.

There are approximately 6000 internal users.

I'm looking for the best setup. Should I put everything on one VS? Or should I create another one? If I create another one, what services and blades do I put on it?

I didn't find any written references, guidelines, recommandations in the Check Point world, so any help is welcome!

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-16 02:35 PM
In response to Louis_Poulin

If you've already got VSX going, adding another "Remote Access" VS seems like a good way to resolve the issue.

All you'd need on that VS would be FW + VPN + Identity Awareness.

That said, that sort of approach is going to cause additional load on your Internet pipe and the gateway, particularly if most of the Remote Access traffic is going to the Internet anyway.

You may want to look into Capsule Cloud, which can enforce the same policy "in the cloud" without routing all your traffic back to your premise.

Both VPN clients can coexist on your client PCs. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events