This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2019-11-07 08:04 AM

Remote site encryption domain

We have a remote user which we will be setting up a site to site VPN using a locally managed 1430 appliance (at user site) and a centrally managed Check Point gateway (in datacenter).

The user needs to have traffic from corporate assets use the VPN tunnel (including traffic bound for internet) and traffic from personal devices not go through the tunnel (i.e. straight to the internet).

My plan was to have him connect his personal devices to the DMZ interface (which I have assigned a separate network) and have corporate devices use the LAN switch. I have configured the VPN site and have set the Remote Site Encryption Domain to "Route all traffic through this site." I chose this to have all the traffic from corporate assets (including traffic bound for internet) go through the tunnel. I am unsure, however, if "all traffic" includes traffic from devices connected to the DMZ interface.

Does anyone know if "all traffic" in this setting includes traffic sourced from behind DMZ interface? If yes, any suggestions as to how to accomplish what I need?

 

Thanks,

Dave

0 Kudos
3 Replies
Ted_Serreyn
Collaborator
‎2019-11-07 10:23 AM

I have done this exact same configuration.  Corporate connection at house is at LAN, personal network is on DMZ.

 

Exclude the DMZ network from the VPN (sk25675,sk86582 for reference).  We did this by editing user.def.FW1 and user.def.SFWR77CMP.   We used the source range to exclude the whole DMZ network from the VPNs.  We also excluded the static external ip address of the 1400 allowing it to get updates directly.

 

Allowed NAT directly out to the internet, and it worked.

0 Kudos
David_C1
Advisor
‎2019-11-07 10:37 AM
In response to Ted_Serreyn

Thanks Ted,

 

I looked through the articles and they all reference modifying the files (user.DEF, etc) on the management servers. My 1430 at the remote site will be locally managed (and configured as an Interoperable Device on management server) -- is this how yours is configured, and then did you modify the files you referenced below on the locally managed device itself?

 

Thanks,

Dave

0 Kudos
Ted_Serreyn
Collaborator
‎2019-11-07 10:42 AM
In response to David_C1

No we did centrally managed so we could control it better.  I'm not sure if it is possible for a self managed box to do exclusions, or at least I have never tried it.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events