This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hsanity
Contributor
‎2023-11-01 11:20 AM

Loss of Administrator Access to Branch Firewall's Public IP while VPN tunnel is up

I've set up the branch site firewall (1450 | R77.20.87 | 990173120 | 990173120) to allow access to its public IP ("x.y.z.a:4434") from the HQ network (m.n.o.p/29). So, access to the branch site firewall over the internet from specific public IPs. This setting works without any issue until a VPN tunnel is established between these two firewalls. After the tunnel is established, I lose admin access to the branch firewall's public IP from the HQ network. HQ firewall is 1570 | R81.10.07 | 996001457. Few notes: 

  • Encryption domains on both sides do not contain their public IPs or any public IPs
  • When I look at the log on the branch site, I can see the VPN blade is blocking the local_WebUI service from HQ's server IP. Screenshot attached.

VPN blade is blocking the local_WebUI service from HQ's server IP.png

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-11-01 11:36 AM

Even if your encryption domain does not include the external IP of the gateway, it is always included.
Scenario 3 here: https://support.checkpoint.com/results/sk/sk108600 

If your gateway is locally managed, you can make the changes in $FWDIR/lib on the local gateway to exclude the gateway's public IP.
For the changes to take effect after editing the file, either use the CLI command fw_configload or reboot the gateway.

Hsanity
Contributor
‎2023-11-01 12:45 PM
In response to PhoneBoy

Thank you @PhoneBoy! But there are a crazy amount of .def files inside "/opt/fw1/lib/". Which .def file am I editing? It would also be awesome if you could mention the line/s to edit on the file.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-01 12:54 PM
In response to Hsanity

The SK I linked tells you what file to edit (crypt.def) as well as exactly what edits to make.
Line numbers are dependent on release as well as other changes you may have made.
Note these manual changes will have to be re-applied if you upgrade your firmware.

However, before you do that, you may want to see if this setting is available in R77.20.87 (which will do the same thing):

image.png

Hsanity
Contributor
‎2023-11-01 01:28 PM
In response to PhoneBoy

I used the webUI advanced settings as it was available. I changed the value to true on both sides. But it didn't help. Ran fw_configload as well as rebooted the branch site fw.

 

 

do not encrypt.png

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-01 01:57 PM
In response to Hsanity

Curious, do you see the traffic on the WAN interface with a tcpdump?

0 Kudos
Hsanity
Contributor
‎2023-11-03 01:14 AM
In response to PhoneBoy

Generated a tcp dump on the HQ fw.

Command used: tcpdump -i any -nn -vvv -s0 -w /opt/fw1/tmp/email_tmp/tcp_dump.pcap host <HQ public IP> or host <Branch public IP> and port 4434

tcp dump on the HQ fw.png

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-03 11:58 AM
In response to Hsanity

It's not going through the VPN, which is what I was checking for.
The retransmissions are concerning, definitely recommend getting the TAC involved here: https://help.checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events