This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
G_W_Albrecht
Legend Legend
Legend
‎2018-03-23 01:05 AM

Locally managed SMBs .def files for VPN fine-tuning

This is a follow-up to SMB units SMS files for VPN fine-tuning after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def for VPN Fine-Tuning that are usually made on the SMS and installed on a GW by a policy install. SMB units also have these files - crypt.def can be found in /pfrm2.0/config1/fw1/lib/ or /pfrm2.0/config2/fw1/lib/ and in /opt/fw1/lib/crypt.def.

The VPN configuration from sk108600 VPN Site-to-Site with 3rd party and sk86582 Excluding subnets in encryption domain from accessing a specific VPN community can also be found on locally managed SMBs crypt.def and edited there. As locally managed SMB units have no manual policy install command to recompile and apply these changes, Yuri points out that reboot would activate the new settings, but also, a much easier way is available ("not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274), changes can be applied by issuing:
[Expert]# fw_configload

The sk100278 gives two commands to apply changes from an edited $FWDIR/conf/trac_client_1.ttm file:
[Expert]# fw_configload
[Expert]# sfwd_restart

So i have asked R&D for more information and i have received the following as the officially supported procedures: In locally managed SMB appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported. Also note that sk30919 does not list SMB as relevant Product. Only crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect.

Supported for locally managed SMB appliances are changes to crypt.def to enable VPN features not available in WebGUI or CLI. We learn that the files from /pfrm2.0/config1/ or /pfrm2.0/config2/ are linked to /opt/fw1/lib/. And we learn the command vpn_configload !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
7 Replies
Pedro_Espindola
Advisor
‎2019-12-26 03:37 PM

Gunther, do you know how to make the procedure from "sk114882 - Remote Access clients configuration based on group membership" work on SMB gateways?

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2019-12-26 08:30 PM
In response to Pedro_Espindola

Actually there seems to be a shell script on SMB that appears to do the vpn_configload thingy the right way:

/opt/fw1/bin/vpn_configload.sh
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-01-09 01:16 AM
In response to HristoGrigorov

That is just the command i have mentioned far above 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-01-10 09:03 PM
In response to G_W_Albrecht

vpn_configload is binary and vpn_configload.sh is shell script.... so actually there are two commands.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-01-09 01:15 AM
In response to Pedro_Espindola

You could try with a User group defined in Users & Objects > Users Management > Users 

and

/pfrm2.0/opt/fw1/conf/trac_client_1.ttm

/pfrm2.0/config2/fw1/conf/trac_client_1.ttm

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Baasanjargal_Ts
Advisor
Advisor
‎2020-08-02 05:59 PM
In response to G_W_Albrecht

Hello

 

I am trying to configure universal tunnel on Check Point SMB firewall with 3rd party. Branch router has  0.0.0.0 0.0.0.0 subnet for the tunnel destination side. Check Point SMB firewall is enabled Allow remote gateway all traffic pass through this gateway option. 
Problem is: Branch hosts access to internet through their own router instead of check point SMB.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-08-19 01:47 AM
In response to Baasanjargal_Ts

The SMB Route all traffic thru GW option is for RA clients only, not for IPSEc VPN tunnels. So the branch router is having an issue when not routing everything into the VPN...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events