Hey guys,
I'm sorry if this may seem like a silly inquiry, but it's baffling to me why it fails. So I was trying to test something with the customer and we can't seem to figure it out. So, here is the situation...what we would like to be able to do is get direct ssh access to the firewalls once you connect via VPN endpoint client.
We created a rule on top saying from office mode net to the cluster, allow on ssh, but that does not seem to work. There are a few layers below and on the VPN layer, the parent rule is simply office mode net to any on the VPN layer itself and then one of the rules below allows the access. Same for the internal layer...here is the kicker...the 2nd rule we created, which is to block pings from anywhere to the firewall, also does not seem to do anything, as it has 0 hits, but pings to the cluster are blocked by the last implicit clean up rule.
Anyway, they simply want to be able to give ssh access to certain people when they connect to VPN, so they don't need to remote desktop further into anything. I checked the office mode community and it shows that the VPN domain is set for everything behind the gateways based on topology, so that seems correct.
Any suggestions/insight would be helpful. I talked to TAC about it and they have no clue and, to make it worse, they don't even want to bother trying...such a waste of time.
Tx!
Send me the SR in a PM.
The funny thing is the Security Gateway is always in the encryption domain, so you should be able to reach the Security Gateway, assuming there's a rule in place.
Is there ANY attempts showing in the logs when you try to connect to the Security Gateway via ssh? (Search on the destination IP, not the source)
See, that's another hot mess problem with this...it's a **bleep** cloud instance and it's so useless when it comes to parsing logs (that's the case I opened with TAC). The thing is, I get it has to go through the whole rulebase, even layers, so if the very first rule, which is NOT a layered rule, allows ssh and then the same rule exists in the VPN AND internal layer, then it makes no sense at all why it fails, and all I see in the logs when I filter is ssh is blocked on the clean up rule, which makes no sense at all.
Andy
If the rulebase uses multiple ordered layers, the traffic must hit an accept rule in each ordered layer.
If you're hitting a cleanup rule in a specific layer, that means no other rule in that layer is matching the traffic.
Which points to either the appropriate rule being missing or a bug.
Well, below is what I did to fix it...I showed TAC clearly how it was configured and they said "that looks fine", though that's their typical response for 99% of things...:). Anyway, it looks good now. Man, sometimes I miss the old IPSO and Nokia days, so nice and simple...
To fix it, I added a layer towards the top that said from anywhere to cluster, created a new layer and then added an allow rule to the cluster from the accessrole VPN group on the desired services and an explicit clean up as the 2nd layered rule...done.
Thanks D.
Andy
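To make the point of the earlier reply concrete (traffic must be accepted in every ordered layer, and hitting a layer's cleanup rule means nothing else in that layer matched) and to show the shape of the fix described above (a parent rule "anywhere to cluster" with an inline layer that allows the VPN access role on the wanted services and ends in an explicit cleanup), here is a small matching model. It is an added illustration, not Check Point's own matching code, and it assumes the missing accept was in the last ordered layer; the address pool, cluster address, LAN range and access role membership are constructed sample values.

```python
# Toy model of ordered layers plus one inline layer in a Check Point style
# rulebase. Added illustration only; not Check Point's own matching code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"
OFFICE_MODE_NET = "172.16.10.0/24"      # assumed office mode address pool
CLUSTER_IP = "10.0.0.1/32"              # assumed cluster address
LAN = "10.0.0.0/8"                      # assumed internal networks
ACCESS_ROLE_VPN = [OFFICE_MODE_NET]     # hypothetical access role for VPN users


def _in(spec, addr) -> bool:
    """Match an address against 'any', one CIDR, or a list of CIDRs."""
    if spec == ANY:
        return True
    nets = spec if isinstance(spec, list) else [spec]
    return any(ip_address(addr) in ip_network(n) for n in nets)


@dataclass
class Rule:
    name: str
    src: object
    dst: object
    service: str
    action: object      # "accept", "drop", or a Layer (inline layer)
    hits: int = 0

    def matches(self, pkt) -> bool:
        return (_in(self.src, pkt["src"]) and _in(self.dst, pkt["dst"])
                and self.service in (ANY, pkt["service"]))


@dataclass
class Layer:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt, trace) -> str:
        """First match wins inside a layer; no match is the implicit cleanup drop."""
        for r in self.rules:
            if r.matches(pkt):
                r.hits += 1
                if isinstance(r.action, Layer):       # parent rule of an inline layer
                    trace.append(f"{self.name}/{r.name}: inline layer")
                    return r.action.evaluate(pkt, trace)
                trace.append(f"{self.name}/{r.name}: {r.action}")
                return r.action
        trace.append(f"{self.name}/implicit cleanup: drop")
        return "drop"


def evaluate(ordered_layers, pkt):
    """Traffic must be accepted by every ordered layer; the first drop is final."""
    trace = []
    for layer in ordered_layers:
        if layer.evaluate(pkt, trace) == "drop":
            return "drop", trace
    return "accept", trace


def build_layers(fix_applied: bool) -> list:
    network = Layer("Network", [
        Rule("office-to-cluster-ssh", OFFICE_MODE_NET, CLUSTER_IP, "ssh", "accept"),
        Rule("block-ping", ANY, CLUSTER_IP, "icmp", "drop"),
        Rule("lan-out", LAN, ANY, ANY, "accept"),
    ])
    vpn = Layer("VPN", [
        Rule("office-mode-any", OFFICE_MODE_NET, ANY, ANY, "accept"),
        Rule("non-vpn", LAN, ANY, ANY, "accept"),
    ])
    # No rule for the cluster itself here, so ssh to it falls through to this
    # layer's implicit cleanup even though the layers above accepted it.
    internal = Layer("Internal", [
        Rule("internal-servers", ANY, "10.0.5.0/24", ANY, "accept"),
    ])
    if fix_applied:
        # Parent rule "anywhere to cluster" whose inline layer allows the VPN
        # access role on the wanted service and ends in an explicit cleanup.
        inline = Layer("cluster-access", [
            Rule("vpn-ssh", ACCESS_ROLE_VPN, CLUSTER_IP, "ssh", "accept"),
            Rule("cleanup", ANY, ANY, ANY, "drop"),
        ])
        internal.rules.insert(0, Rule("to-cluster", ANY, CLUSTER_IP, ANY, inline))
    return [network, vpn, internal]


def hits(layers: list, rule_name: str) -> int:
    """Hit count of a named rule, searching inline layers too (-1 if absent)."""
    for layer in layers:
        for r in layer.rules:
            if r.name == rule_name:
                return r.hits
            if isinstance(r.action, Layer):
                n = hits([r.action], rule_name)
                if n >= 0:
                    return n
    return -1


if __name__ == "__main__":
    pkt = {"src": "172.16.10.7", "dst": "10.0.0.1", "service": "ssh"}
    for fixed in (False, True):
        verdict, trace = evaluate(build_layers(fixed), pkt)
        print(f"fix_applied={fixed}: {verdict} via {' -> '.join(trace)}")
```

Running it shows the ssh session being accepted by the Network and VPN layers and then dropped by the Internal layer's implicit cleanup before the fix, and accepted through the inline layer after it. The trace is the thing to compare with the log: the layer and rule named in the drop log entry is the layer whose rulebase is missing the accept, which is why the earlier reply suggests searching logs by destination address. The explicit cleanup in the inline layer also accumulates hits for non-VPN sources, which is what you would expect to see in SmartConsole for a rule that really is matching.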
I remember the days before Nokia IPSO 🙂
I'm sure both you and Jason Ingram, hehe 😉
Coming up on 25 years myself...this April 😳
That's quite something...but it also makes you an "old" man at the same time ;))
Experienced. Seasoned. 🙂
Hey, was he not the chap that developed Ghost?