This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tiago_Marques
Participant
‎2018-04-09 07:18 AM

730 Appliance Integration with SMP On Premisse (customer cloud)

Hi Gurus,

  I'm working in the following scenario:

  730 Appliance was already deployed, SMP On Premisse (Private at the Customer DC) installed.

  After installation I'm having difficult to integrate the 730 with this SMP. During troubleshooting I did:

  a. First test was trying integrate into the VPN. I could not and I noted the request of Cloud Services Connections flowing with IP Source originated with WAN IP to SMP (routable IP only in VPN) since must the LAN. I did configurations of request to force traffic for SMP host flow into the VPN but only Cloud Services Connections is originated with Public IP interface (and the network communications with SMP into VPN is working fine).
 
  b. Second test I'm having difficult to integrate without the VPN. I NATed (1:1) the SMP to the Internet with any service permitted from 730 and the integration not worked.
 
  c. Third test worked correctly but not as expected, I tried connect at the SMP On CP Cloud Services, it worked correctly.

  During troubleshooting I noted too that the SMP Service is down and the connection with SMP Portal is fine. So, is this services status really a problem ? How can I bring it On ?

  Did someone integrate 730 with SMP in the customer or in private cloud ? Any tip?


ps. I'm working with TAC and seeking for any thoughts that is always welcome.

Thank you so much by your attention and help.
Tiago Marques.

0 Kudos
1 Reply
Tiago_Marques
Participant
‎2018-04-10 11:23 AM

Hi Gurus,

   I'm still working in investigation and noted that the specific services from page 10 of SMP 12.30 Installation Guide, the services TCP 53, 257, 443, 18191, 18192, 18210, 18211, 18221, 18264 and UDP 514 needed to work fine.

   During the 730 request of integration with SMP, we see the traffic passed through the CP Cluster to SMP from NATed IP, we only HTTPS(TCP/443) arriving in SMP and analyzing logs and tcpdump output, we saw the cluster treating the traffic changing the source ip address of requisition from original to the cluster VIP.

   The design is 730 Appliance => Internet => CP Cluster => SMP, 

    a. For TCP/443 we see the traffic arriving in SMP with original 730 WAN IP (Correctly)

    b. For other services except TCP/443, we not see the 730 WAN IP, we see the CP Cluster VIP from logs and tcpdump from CP Cluster. And with packet capture in SMP we not see these ports arriving in it. 

Does someone had problem with CP Services that was treating as implied rules changing the NAT requests as explained above ? Some tip?

Sincerely.

Tiago Marques.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events