Re: Checkpoint site to site excluded services

Ilovecheckpoint · ‎2024-09-09

I have a management server which communicate with a remote gateway via Internet.

Between them there is a vpn site to site.

I would like to know which is the best practics for excluded services configuration on this vpn, like fw1_logs, cpd, cpmi, etc.

I would like to reach the gateway remotely even if the vpn is down and check logs as well.

the_rock · ‎2024-09-09

If VPN is down, then you just need to make sure routing/rules are there.

Andy

Best,
Andy

AkosBakos · ‎2024-09-09

I don't know the exact situation (peers are CP it 3rd party), but when I set GW managened on its external IP.

So it was someting like that:

site1 (management) <-- VPN tunnel --> site2 (VPN peer IP is the same as the MGMT IP that reaches the Management)

This two SK helped me a lot:

After enabling 'Exclude gateway's external IP addresses from the VPN Domain' VPN Tunnel is down
https://support.checkpoint.com/results/sk/sk180716

VPN Site-to-Site with 3rd party
Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

The sk108600 is not trivial, read carefully before do anything.

I hope it helps.

Akos

----------------
\m/_(>_<)_\m/

PhoneBoy · ‎2024-09-09

By default, SIC related traffic does NOT go through the VPN tunnel.

AkosBakos · ‎2024-09-09

Hi,

You mean that when the flow is SMS - GW1 - VPN - GW2 the SIC wont’t be tunnled?

I found this thread:

I had memories about the exclusion in this scenario.

Maybe it woudn’t be necessary…

akos

----------------
\m/_(>_<)_\m/

PhoneBoy · ‎2024-09-09

Correct, SIC related traffic is accepted by implied rules before VPN is applied.

Are you a member of CheckMates?