Checkpoint site to site excluded services
I have a management server which communicates with a remote gateway via the Internet.
Between them there is a site-to-site VPN.
I would like to know what the best practice is for the excluded services configuration on this VPN, like fw1_logs, cpd, cpmi, etc.
I would like to reach the gateway remotely even if the VPN is down, and check logs as well.
If the VPN is down, then you just need to make sure the routing/rules are there.
Andy
I don't know the exact situation (whether the peers are CP or 3rd party), but when I set it up, the GW was managed on its external IP.
So it was something like this:
site1 (management) <-- VPN tunnel --> site2 (VPN peer IP is the same as the MGMT IP that reaches the Management)
These two SKs helped me a lot:
After enabling 'Exclude gateway's external IP addresses from the VPN Domain' VPN Tunnel is down
https://support.checkpoint.com/results/sk/sk180716
VPN Site-to-Site with 3rd party
Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces
https://support.checkpoint.com/results/sk/sk108600
sk108600 is not trivial; read it carefully before doing anything.
I hope it helps.
Akos
\m/_(>_<)_\m/
By default, SIC-related traffic does NOT go through the VPN tunnel.
Hi,
You mean that when the flow is SMS - GW1 - VPN - GW2, the SIC won't be tunneled?
I found this thread:
https://community.checkpoint.com/t5/Security-Gateways/Allow-Management-over-VPN/td-p/192915
I had memories of the exclusion being needed in this scenario.
Maybe it wouldn't be necessary…
akos
\m/_(>_<)_\m/
Correct, SIC-related traffic is accepted by the implied rules before VPN is applied.