This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Champion
Champion
‎2021-01-23 01:52 PM

Accessing the firewalls directly once VPN-ed in

Hey guys,

 

Im sorry if this may seem like a silly inquiry, but its baffling to me why it fails. So I was trying to test something with the customer and we cant seem to figure it out. So, here is the situation...what we would like to be able to do is get direct ssh access to the firewalls once you connect via vpn endpoint client.

We created a rule on top saying from office mode net to the cluster, allow on ssh, but that does not seem to work. There are few layers below and on vpn layer, parent rule is simply office mode net to any on vpn layer itself and then one of rules below allows the access. Same for internal layer...here is the kicker...the 2nd rule we created, which is to block pings from anywhere to firewall also does not seem to do anything, as it has 0 hits, but pings to cluster are blocked by the last implicit clean up rule.

 

Anyway, they simply want to be able to give ssh access to certain people when they connect to vpn, so they dont need to remote desktop further into anything. I checked office mode community and it shows that vpn domain is set for everything behind the gateways based on topology, so that seems correct.

 

Any suggestions/insight would be helpful. I talked to TAC about it and they have no clue and to make it worse, they dont even want to bother trying...such a waste of time.

 

Tx!

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2021-01-23 02:50 PM

Send me the SR in a PM.
The funny thing is the Security Gateway is always in the encryption domain, so you should be able to reach the Security Gateway, assuming there's a rule in place.
Is there ANY attempts showing in the logs when you try to connect to the Security Gateway via ssh? (Search on the destination IP, not the source)

0 Kudos
the_rock
Champion
Champion
‎2021-01-23 05:25 PM
In response to PhoneBoy

See, thats another hot mess problem with this...its a **bleep** cloud instance and its so useless when it comes to parsing logs (thats the case I opened with TAC). The thing is, I get it has to go through whole rulebase, even layers, so if the very first rule, which is NOT layered rule, allows ssh and then same rule exists in vpn AND internal layer, then it makes no sense at all why it fails and all I see in the logs when I filter is ssh is blocked on clean up rule, which makes no sense at all. 

 

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-23 06:51 PM
In response to the_rock

If the rulebase uses multiple ordered layers, the traffic must hit an accept rule in each ordered layer.
If you're hitting a cleanup rule in a specific layer, that means no other rule in that layer is matching the traffic.
Which points to either the appropriate rule being missing or a bug.

0 Kudos
the_rock
Champion
Champion
‎2021-01-23 06:56 PM
In response to PhoneBoy

Well, below is what I did to fix it...I showed TAC clearly how it was configured and they said "that looks fine", thought thats their typical response for 99% of the things...:). Anyway, looks good now, Man, sometimes I miss old ipso and Nokia days, so nice and simple...

To fix it, I added layer towards the top that said from anywhere to cluster, created new layer and then added allow rule to cluster from accessrole vpn group on desired services and explicit clean up as 2nd layered rule...done.

 

Thanks D.

 

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-23 07:01 PM
In response to the_rock

I remember the days before Nokia IPSO 🙂

0 Kudos
the_rock
Champion
Champion
‎2021-01-23 07:05 PM
In response to PhoneBoy

Im sure both you and Jason Ingram, hehe 😉

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-23 07:31 PM
In response to the_rock

Coming up on 25 years myself...this April 😳

0 Kudos
the_rock
Champion
Champion
‎2021-01-23 07:35 PM
In response to PhoneBoy

Thats quite something...but, it also makes you an "old" man at the same time ;))

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-24 09:43 PM
In response to the_rock

Experienced. Seasoned. 🙂

genisis__
Advisor
‎2022-01-23 10:57 AM
In response to the_rock

Hey was he not chap that developed ghost? 

0 Kudos