This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
G_W_Albrecht
Legend Legend
Legend
a week ago

Identity Awareness with AD not possible

Customer uses VPN with the GAiA cluster of the main site as center and SMB appliances (locally & SMP managed) on remote sites. As the SMBs also need to connect by VPN to a FortiGate, their external IPs have been removed from Encryption Domain using the Advanced Settings. This configuration was build with help of CP TAC and works as expected.

But now the customer wants to use IA for his users with an AD server at the main site - but IA packets use the external IP of the SMB and are not routed thru VPN to the main site, making the needed communication impossible.

Did anyone already encounter such an obstacle and found a way to resolve it ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
8 Replies
Chris_Atkinson
Employee Employee
Employee
Tuesday

I recall another option in Advanced Settings that caters to similar.

Will share a screenshot accordingly, but applicability to central managed devices would need to be checked/confirmed with TAC perhaps.

"VPN site to site global settings - Use internal IP address for encrypted connections from local gateway."

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend Legend
Legend
Tuesday
In response to Chris_Atkinson

This is locally managed and VPN site to site global settings are already used as advised by TAC:

"Do not encrypt connections originating from the local gateway" in VPN->Community resolved the Forti VPN issue and does disable "Use internal IP address for encrypted connections from local gateway" = TRUE automatically, so the ping from WebGUI thru the VPN tunnel does not work, only from CLI using ping -I <Local Address> it succeeds.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
AkosBakos
Mentor Mentor
Mentor
Tuesday

Hi @G_W_Albrecht 

Maybe you are looking for this:

How to configure an alternate IP Address for Identity Awareness communication channel

Be careful before you change anything in the database. Save/backup everything 🙂

Akos

 

----------------
\m/_(>_<)_\m/
G_W_Albrecht
Legend Legend
Legend
Tuesday
In response to AkosBakos

Thank you, forgot about that sk ! But it can not work - as written above, customer has SMB appliances (locally & SMP managed), so changing the SMS database does not help as the SMS only manages the main GAiA GW, but not the SMBs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
AkosBakos
Mentor Mentor
Mentor
Tuesday
In response to G_W_Albrecht

Indeed, I always forget that, you have always tricky and detailed questions... and SMB-s 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
G_W_Albrecht
Legend Legend
Legend
Tuesday
In response to AkosBakos

Remember - this is the SMB Gateways (Spark) board 😉 With GAiA this would be no issue at all as you could use the Encryption Domain per VPN Community feature and define different Communities for VPNs to CP and Forti. But that is impossible <yet with SMBs...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Dafna
Employee
Employee
Wednesday

Hi,

Can you please attach the topology?

Why did you exclude the external IP?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
Wednesday
In response to Dafna

Customer has ca 73 SMBs locally Managed by SMP that each have a tunnel to a Fortigate (that is the reason why the external IP must be excluded (can send you a PM with SR# - this was configured by TAC)) and to the main Site GAiA cluster who sits in front of the AD.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top