the_rock
Legend

CP to Azure S2S vpn issue

Hey guys,

I hope someone might be able to shed some light on this situation, as I find it very peculiar. So, customer has a domain-based VPN between CP and Azure and the tunnel works fine, BUT, here is the issue. So, the Azure subnet is 10.18.0.0/16 and there is one host in that subnet that, no matter what we do, logs show it's going through the tunnel, though a random one shows it being dropped or going out clear (randomly), but the page to access it never does come up, like it should.

All the other hosts/services work fine.

Now, customer did have an Azure case, they did a bunch of checks and determined it's not a problem on their end. I, together with the customer, did a bunch of captures, checked the logs, we even added that host IP into the enc domain, reset the tunnel, set tunnel management per gateway as a test, no dice.

Sadly I don't have the actual log at the moment (can get it from the client), but captures when we run them show traffic comes to the internal interface and that's it, nothing else, which is super odd, because say hosts 10.18.0.80 or .85 are fine, but .81 never works. Now, I know logically it would indicate an issue with the host, but MS support verified 100% that is not the case.

I had the client do basic VPN debugs on the CP side, will review them myself, but just wondering if anyone may have any insight/suggestions we could try. I can't possibly think of anything else myself that we had not tested.

Thanks as always.

Andy

32 Replies
the_rock
Legend

Thanks for all the help brother, always appreciate everyone in the community that gives the advice/guidance.

👌👍

Andy

Timothy_Hall
Legend

It is possible that the firewall's topology is not completely and correctly defined, which will cause objects like "Internet" to get improperly calculated and therefore matched incorrectly. In my Gateway Performance Optimization Course I repeatedly harp on the fact that the firewall's topology must be completely and correctly defined, as there are many blades that rely on that configuration to understand what is Internal and what is External, and adjust the depth of inspection appropriately.

  • Object "Internet" is derived from the topology based on which interface is considered External, and is used by APCL/URLF and HTTPS Inspection mainly
  • Threat Prevention relies on this too, especially Anti-Virus
  • Interfaces that are defined in Gaia but missing in the firewall's topology will be treated as EXTERNAL
  • Interfaces with "Interface leads to DMZ" set will be treated as EXTERNAL even though they are set for Internal

Traffic getting pulled into HTTPS Inspection that should not be will not only degrade the performance of the firewall, but can break some things too: sk118574: FTP/SSH/SFTP Traffic fails when HTTPS Inspection and Application Control are enabled. This is usually caused by accidentally utilizing "Any" in the Destination and/or Services field of the HTTPS Inspection policy, which is a big no-no.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
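The two topology rules and the "Any in HTTPS Inspection" pitfall from the reply above, modelled as a small self-check. This is an added example, not Check Point code and not the Management API schema: the interface table, topology entries, rule fields and networks are all constructed here, and the "Internet" derivation is a simplified approximation (anything not behind an effectively Internal interface). It shows why an interface left out of the topology, or flagged "leads to DMZ", silently becomes External, and how a catch-all inspect rule with Any destination/service would be caught in a review.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: interfaces present in Gaia (name -> configured network).
GAIA_INTERFACES = {
    "eth0": "203.0.113.0/24",   # ISP-facing
    "eth1": "192.168.10.0/24",  # LAN
    "eth2": "10.99.0.0/24",     # DMZ segment
    "eth3": "172.16.50.0/24",   # new segment added in Gaia only
}

# Constructed topology as defined on the gateway object: name -> (role, leads_to_dmz).
# eth3 is deliberately absent to model "defined in Gaia but missing in topology".
TOPOLOGY = {
    "eth0": ("external", False),
    "eth1": ("internal", False),
    "eth2": ("internal", True),   # set Internal but flagged "Interface leads to DMZ"
}


def effective_roles(gaia, topology):
    """Apply the two rules from the post: an interface missing from the
    topology is treated as external, and 'leads to DMZ' makes it external
    even when its role is set to internal."""
    roles = {}
    for name in gaia:
        if name not in topology:
            roles[name] = "external"
            continue
        role, leads_to_dmz = topology[name]
        roles[name] = "external" if leads_to_dmz else role
    return roles


def internal_networks(gaia, topology):
    """Networks that sit behind an interface whose effective role is internal."""
    return [ip_network(gaia[name])
            for name, role in effective_roles(gaia, topology).items()
            if role == "internal"]


def is_internet(addr, gaia=GAIA_INTERFACES, topology=TOPOLOGY):
    """Simplified stand-in for the derived 'Internet' object (assumption:
    anything not reachable via an internal interface counts as Internet)."""
    ip = ip_address(addr)
    return not any(ip in net for net in internal_networks(gaia, topology))


# Constructed HTTPS Inspection rulebase with simplified field names (not the product's schema).
HTTPS_RULES = [
    {"name": "Inspect outbound web", "src": "LAN", "dst": "Internet",
     "service": ["https"], "action": "inspect"},
    {"name": "Catch-all", "src": "Any", "dst": "Any",
     "service": ["Any"], "action": "inspect"},
    {"name": "Bypass banking", "src": "LAN", "dst": "Banking",
     "service": ["https"], "action": "bypass"},
]


def lint_https_rules(rules):
    """Names of inspect rules whose Destination or Services is Any: these pull
    unintended traffic (FTP/SSH/SFTP, internal segments) into HTTPS Inspection."""
    return [r["name"] for r in rules
            if r["action"] == "inspect"
            and (r["dst"] == "Any" or "Any" in r["service"])]


if __name__ == "__main__":
    for name, role in effective_roles(GAIA_INTERFACES, TOPOLOGY).items():
        print(f"{name}: effective role {role}")
    # eth3 hosts are matched as Internet because the interface is missing from topology
    print("172.16.50.7 matched as Internet:", is_internet("172.16.50.7"))
    print("192.168.10.5 matched as Internet:", is_internet("192.168.10.5"))
    print("HTTPS Inspection rules to review:", lint_https_rules(HTTPS_RULES))
```

Running it lists eth2 and eth3 as effectively external even though only eth0 was meant to be, and flags the "Catch-all" rule; the same two checks (Gaia interface list versus the gateway object's topology, and a scan of the HTTPS Inspection rulebase for Any) are what you would do by hand in SmartConsole before blaming the VPN.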
the_rock
Legend

Funny you say that, 'cause that's the FIRST thing TAC verified and all was good.

I think at this point, since all is solved and we verified no other issues, we are "happy campers" 🙂

Cheers and again, thank you very much!

Andy
