This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ilovecheckpoint
Participant
‎2024-09-09 09:56 AM

Checkpoint site to site excluded services

 I have a management server which communicate with a remote gateway via Internet.

Between them there is a vpn site to site.

I would like to know which is the best practics for excluded services configuration on this vpn, like fw1_logs, cpd, cpmi, etc.

I would like to reach the gateway remotely even if the vpn is down and check logs as well.

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2024-09-09 10:25 AM

If VPN is down, then you just need to make sure routing/rules are there.

Andy

0 Kudos
AkosBakos
Advisor
Advisor
‎2024-09-09 11:01 AM

Hi @Ilovecheckpoint 

I don't know the exact situation (peers are CP it 3rd party), but when I set GW managened on its external IP. 

So it was someting like that:

site1 (management) <-- VPN tunnel --> site2 (VPN peer IP is the same as the MGMT IP that reaches the Management)

This two SK helped me a lot:

After enabling 'Exclude gateway's external IP addresses from the VPN Domain' VPN Tunnel is down
https://support.checkpoint.com/results/sk/sk180716

VPN Site-to-Site with 3rd party
Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

https://support.checkpoint.com/results/sk/sk108600

The sk108600 is not trivial, read carefully before do anything.

I hope it helps. 

Akos

 

----------------
\m/_(>_<)_\m/
PhoneBoy
Admin
Admin
‎2024-09-09 01:13 PM

By default, SIC related traffic does NOT go through the VPN tunnel.

0 Kudos
AkosBakos
Advisor
Advisor
‎2024-09-09 01:23 PM
In response to PhoneBoy

Hi,

You mean that when the flow is SMS - GW1 - VPN - GW2 the SIC wont’t be tunnled?

I found this thread:

https://community.checkpoint.com/t5/Security-Gateways/Allow-Management-over-VPN/td-p/192915

I had memories about the exclusion in this scenario.

Maybe it woudn’t be necessary…

akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-09 01:29 PM
In response to AkosBakos

Correct, SIC related traffic is accepted by implied rules before VPN is applied.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events