This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SaxMan
Participant
‎2022-09-19 12:52 PM

1500/1600 Locally Managed - IPSEC Local encryption domain

  1. Hi,
    I'm trying to test the following scenario in a LAB with locally managed 1500 and 1600 appliances - running R81.10.

    POC Requirement:
    A local encryption domain for each IPSEC (S2S) tunnel.
    Example:
    HQ's LAN = 192.168.88.0/24
    Interesting traffic:
    1. Warehouse_WMS_Server_192.168.88.22 Port: tcp/9443
    2. Biometrics_Access_Server_192.168.88.24 Ports: rdp_33899
    3. HQ's LAN = 192.168.88.0/24
    Required rules:
    1. Delivery company must access Warehouse_WMS_Server_192.168.88.22 Port: tcp/9443 ONLY
    2. Access/physical security company must access Biometrics_Access_Server_192.168.88.24 Ports: rdp_3389 ONLY
    3. Remote/Branch office to have access to entire 192.168.88.0/24 network for AD, MFA, SIP/VOIP, HR, etc

    When appliance (HQ) has STANDARD mode enabled on the firewall blade control, it auto generates:
    Source: VPN Sites       Destination:Any     Service:Any     Action:Accept      Log:log
    (cannot be changed)
    In the section "Site To Site" --> "Advanced" there is an option to define local encryption separately.
    With only 192.168.88.22 and 192.168.88.24 defined therein, it means that the delivery company is able to "ping" / access the Biometrics server at 192.168.88.24 and vice versa.
    If the entire 192.168.88.0/24 is in local encryption then it's basically "open" to all. (and so is "automatically determine local network topology")

    If, the blade control is switched to STRICT, the "VPN Sites" object is no longer available and thus manual rules cannot be created.

    Any suggestions on how to achieve the above would be greatly appreciated.
    I also had a look at the "NextGen" rules in SMP/Infinity - does not appear to be 'doable' there either.
    (I hope it something simple that I'm overlooking) 😄 😀

    Many thanks.
    👍


0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-09-20 04:52 AM

This is beyond the scope of the SMB appliances ! You can open a SR# with CP TAC to get that confirmed.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
SaxMan
Participant
‎2022-09-20 05:10 AM
In response to G_W_Albrecht

Thanks a million for the feedback.
Let me engage my local CP Account Manager and explore the chances/possibility of applying for a RFE.
👍

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-20 05:48 AM
In response to SaxMan

RFE for GAiA features on GAiA Embedded is a nice try ! I would not think that there are any hopes for fullfillment...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
SaxMan
Participant
‎2022-09-20 06:12 AM
In response to G_W_Albrecht

I think it'll be worth a shot?
'Cos if we build IPSEC tunnels (as outlined above) on the current (I get the embedded aspect) topology, could it not be seen as a risk by potential clients that we demo IPSEC to?
In other words: 2 different business partners connecting to their network, but cannot be separated by individual local encryption domains?

The other option would be to build ("Non-VPN") rules:
Each business partner connects from their public/static IP address to the HQ's NATted IPs for the appropriate/relevant server(s).
(Or...servers are put in the DMZ?)
But, the brief/requirement (in this case) is IPSEC.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-09-20 06:22 AM
In response to SaxMan

It took very, very long until we did receive more than one VPN community in GAiA - so i think this is not very realistic...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
SaxMan
Participant
‎2022-09-20 06:47 AM
In response to G_W_Albrecht

For real?? 😃
OK...I also asked a while back for on-prem/3rd party MFA for AD/VPN users. (SMB appliances)
I saw a few mentions regarding this on the "SMB Masters" webinar a few weeks back - so, I'm crossing fingers. 
😀
Thanks a million for your insight.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events