gryzz (Explorer)

Correct way to use VPN communities in Access policy

Hello to everyone, 

I am trying to understand the logic behind access rules and VPN communities.

I have an example ruleset that regulates traffic between the internet / IPsec tunnel / local VLANs:

Name            Source                          Destination      VPN         Services  Action
users_to_inet   user_address                    Internet         Any*        Any*      Accept
users_to_ipsec  user_address                    ipsec_address    ipsec_com   Any*      Accept
users_to_local  user_address, ssl_vpn_address   local_services   Any*        Any*      Accept
Cleanup         Any*                            Any*             Any*        Any*      Drop


I am experiencing a behaviour where traffic destined for the IPsec tunnel goes through the "users_to_inet" rule but not through the "users_to_ipsec" rule. It seems that the first match is because of VPN => Any*, but I do not yet know how to disable that, if it is even possible.

I am also experiencing a behaviour where, when traffic hits the "users_to_local" rule, the Check Point tries to create an IPsec tunnel to the remote host because the rule has "ssl_vpn_address" in the source, even though the traffic is destined for a neighbouring VLAN and no tunnel should be used.

When changing the priority of the rules, traffic in some cases matches the correct rule, but in other cases it still tends to go through the higher-priority rules.

I have read the administration manual, but I did not find the answers I was looking for.

Can someone please explain to me:

  • What is the correct way to write a LAN => Internet rule so that the VPN communities don't try to go through it?
  • What is the correct way to write VLAN => VLAN rules so that the VPN communities don't try to go through them?
  • How do I disable the use of VPN communities when creating VLAN => VLAN rules in the firewall?
  • What is the correct way to prioritize rules when you have on-prem VLANs and remote IPsec tunnels where you try to allow and forward traffic?
  • What is the logic behind this behaviour of the Check Point SGW?

I hope this explanation is enough, but feel free to ask me additional questions if it is too hard to understand. I was working with a Fortigate unit for some time, and there the logic was a bit different.


Best Regards,

Gryzz


3 Replies
PhoneBoy (Admin), accepted solution:

The VPN column is meant as an additional matching criteria in the rulebase.
It is possible to put a specific VPN Community there, but it is NOT possible to create a rule that only applies to non-VPN traffic.
That means any rule that applies exclusively to VPN traffic should be before rules that could apply to either VPN or non-VPN traffic.

While there are probably some exceptions, generally your rules should be ordered from "most specific" to "least specific."
Which means your "users_to_inet" rule should be listed right before your Cleanup rule in the example rulebase.

gryzz (Explorer)

Hello

Thank you. I had a hunch that "VPN=Any" will also apply to all the defined communities.

But, for example, when I move the "users_to_inet" rule before the cleanup rule and all the "specific" VPN rules have higher priority, will the users_to_inet rule still be hit when the higher-priority rules don't match, making it the fallback rule?

By that I mean that the higher-priority rules should follow an ip1:ip1 and port1:port1 principle on both GW1 and RGW1.

So that means I cannot allow the whole network range inbound on the remote VPN GW, because when all the specific conditions don't match, the fallback "users_to_inet" rule would still be matched for inbound traffic on the remote gateway when it's not configured 1:1.

Am I correct?

It might be confusingly explained, but I hope that you get my idea.

PhoneBoy (Admin)

To understand how the rulebase works, please refer to the following: https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/m-p/9888#M1...
In general, the rule nearest to the top of the rulebase will apply if multiple rules match (e.g. if rules 2, 4, and 33 potentially match a given connection, rule 2 is applied).
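
To make both of PhoneBoy's points concrete (the first reply: the VPN column only narrows a rule, "Any" also covers community traffic, and specific rules belong above general ones; this reply: when several rules match, the topmost one is applied), here is an added worked example in Python. It is not Check Point code and not from this thread; the rulebase is the one gryzz posted, while the address ranges, the service strings and the approximation "Internet = any destination outside the gateway's internal ranges" are assumptions made for the model.

```python
"""Constructed model of first-match rule evaluation with a VPN column.

Added example, not Check Point code. Address objects, ranges and service
strings are hypothetical. Modelling assumptions:
  * the VPN column is "Any" or a set of community names; "Any" matches both
    community (encrypted) and clear traffic, and no value matches clear only;
  * "Internet" means "any destination outside the gateway's internal ranges",
    so the remote site's network counts as Internet;
  * the first rule that matches, top to bottom, wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "Any"

# Hypothetical address objects standing in for the thread's names.
USER_ADDRESS = ipaddress.ip_network("10.10.0.0/24")      # on-prem user VLAN
SSL_VPN_ADDRESS = ipaddress.ip_network("10.99.0.0/24")   # remote-access pool
LOCAL_SERVICES = ipaddress.ip_network("10.20.0.0/24")    # neighbouring VLAN
IPSEC_ADDRESS = ipaddress.ip_network("192.168.50.0/24")  # remote site via ipsec_com
INTERNAL_RANGES = (USER_ADDRESS, SSL_VPN_ADDRESS, LOCAL_SERVICES)


@dataclass(frozen=True)
class Rule:
    name: str
    src: object      # ANY or tuple of networks / "Internet"
    dst: object
    vpn: object      # ANY or frozenset of community names
    service: object  # ANY or frozenset of "proto/port" strings
    action: str


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    community: Optional[str] = None  # None = clear (non-VPN) traffic


def _addr_match(column, ip):
    if column == ANY:
        return True
    for obj in column:
        if obj == "Internet":
            if not any(ip in net for net in INTERNAL_RANGES):
                return True
        elif ip in obj:
            return True
    return False


def _vpn_match(column, community):
    # "Any" is satisfied by encrypted *and* clear traffic: the column can
    # narrow a rule to a community but cannot exclude VPN traffic.
    if column == ANY:
        return True
    return community is not None and community in column


def _service_match(column, service):
    return column == ANY or service in column


def candidate_rules(rulebase, conn):
    """Every rule whose columns all match, in rulebase order."""
    src, dst = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
    return [r.name for r in rulebase
            if _addr_match(r.src, src) and _addr_match(r.dst, dst)
            and _vpn_match(r.vpn, conn.community)
            and _service_match(r.service, conn.service)]


def matched_rule(rulebase, conn):
    """First match wins: the topmost candidate is the one applied."""
    hits = candidate_rules(rulebase, conn)
    return hits[0] if hits else None


USERS_TO_INET = Rule("users_to_inet", (USER_ADDRESS,), ("Internet",), ANY, ANY, "Accept")
USERS_TO_IPSEC = Rule("users_to_ipsec", (USER_ADDRESS,), (IPSEC_ADDRESS,),
                      frozenset({"ipsec_com"}), ANY, "Accept")
USERS_TO_LOCAL = Rule("users_to_local", (USER_ADDRESS, SSL_VPN_ADDRESS),
                      (LOCAL_SERVICES,), ANY, ANY, "Accept")
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, ANY, "Drop")

ORIGINAL_ORDER = [USERS_TO_INET, USERS_TO_IPSEC, USERS_TO_LOCAL, CLEANUP]
SPECIFIC_FIRST = [USERS_TO_IPSEC, USERS_TO_LOCAL, USERS_TO_INET, CLEANUP]

# Constructed sample connections.
TO_REMOTE_SITE = Connection("10.10.0.5", "192.168.50.10", "tcp/445", "ipsec_com")
TO_REMOTE_CLEAR = Connection("10.10.0.5", "192.168.50.10", "tcp/445")
TO_INTERNET = Connection("10.10.0.5", "203.0.113.7", "tcp/443")
TO_LOCAL_VLAN = Connection("10.10.0.5", "10.20.0.8", "tcp/22")
INBOUND_FROM_REMOTE = Connection("192.168.50.10", "10.10.0.5", "tcp/445", "ipsec_com")

if __name__ == "__main__":
    samples = (TO_REMOTE_SITE, TO_REMOTE_CLEAR, TO_INTERNET, TO_LOCAL_VLAN, INBOUND_FROM_REMOTE)
    for label, rb in (("original", ORIGINAL_ORDER), ("specific-first", SPECIFIC_FIRST)):
        for conn in samples:
            print(f"{label:14} {conn.src} -> {conn.dst} via {conn.community or 'clear'}: "
                  f"candidates={candidate_rules(rb, conn)} applied={matched_rule(rb, conn)}")
```

With the original order, the VPN-carried connection to 192.168.50.10 has users_to_inet, users_to_ipsec and Cleanup as candidates, and users_to_inet is applied because it is on top, which is the behaviour gryzz reported. With users_to_ipsec moved above it, that rule is applied instead, while plain Internet and VLAN-to-VLAN traffic still land where they did. The clear connection to the same destination falls through to users_to_inet because "Any" accepts it: the model has no value that would exclude VPN traffic, matching the reply. The inbound connection from the remote site reaches Cleanup, so users_to_inet is a fallback only for connections its own Source and Destination columns match.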

