Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Harmesh_Yadav
Collaborator
Jump to solution

Feasible Option to send specific traffic to Zscaler- From Checkpoint Gateway

Dear Team,

First question

As i checked in Zscaler Official Website they have given list which is supported Firewall device for IPSEC Tunnel so checkpoint Device not in list ,(So my first question is why checkpoint is not supportable device to build tunnel with Zscaler ) (For GRE I know that checkpoint is not supported this feature)

 

Secondly ,

 

My requirement is matching which given diagram which is not exact customer digram but its scenario found from zscaler , So, In My Client environment

 

GRE Tunnels from the Border Router to the ZENs

Second Diagram JPG

https://help.zscaler.com/zia/gre-deployment-scenarios

 

ISP ---> ROuter --->IPS (IN L2 Mode)-->SwitchL2-->Checkpoint Device ----> LAN SWICH AND OTHER USERS

 

In this requirement If Zscaler is making GRE WIth CISCO ROuter RIght so how can i pass traffic to GRE Tunnel Without NAT , Becuase From Router to CP WAN PUblic LAN Pool we are using .and presently i have configured Hide nat to forward traffic of private pool towards Internet (By router)

(Zscaler need to give reporting with Original LAN IP so they want without nat traffic)

 

So, i dont know if i will disable NAT so traffic will go to router side or not , and If it s done then as per standard i am doing right thing or not can you please suggest me , because outside firewall if we are publishing our local LAN it will be security bridge right .

 

SO What will be feasible suggestion.

 

Another option we are thinking is (First option which i mentioned that IPSEC Tunnel between CP to Zscaler) But in this case we need to forward only 80 and 443 port traffic so is not possible becuase as i know PBR is not supported with service based traffic forwarding

 

Our device in R80.10 and latest one so there is no limitation with update.

 

Regards,

Harmesh

Harmesh Yadav
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

There are two supported configurations for connecting with Zscaler:

This requires the versions specified in the SKs.
The above is not relevant on the SMB appliances running Embedded Gaia and an RFE via your local Check Point office will likely be necessary.

View solution in original post

0 Kudos
15 Replies
PhoneBoy
Admin
Admin
If you don't NAT the GRE tunnel and it's originating from a private IP, how exactly do you expect the GRE tunnel to be established, exactly?
The traffic inside the GRE tunnel won't be NATted here.

Unless I'm misunderstanding the environment.
In which case, an annotated network diagram of the actual environment would be helpful.
0 Kudos
Maarten_Sjouw
Champion
Champion
Can you get your ISP to route a /30 from your external range to the FW?
If so you can use that between gateway and router and use this external IP to setup the GRE tunnel.
Regards, Maarten
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

I use a VPN tunnel for many customers for ZScaler proxy:

1) Add an VPN tunnel to ZScaler and add all internet addresses ( 0.0.0.1-223.255,255,255 and exclude privat networks)
2) Exclude your private and other used networks via crypt.def and no vpn traffic rules.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

Here the sk86582 to no vpn trffic rules:

Excluding subnets in encryption domain from accessing a specific VPN community

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Raj_Khatri
Advisor

HeikoAnkenbrand, what kinds of device(s) are you terminating the VPN tunnel on and how is performance?   We have tested on 1100, 1400 and 4200 with 77.20, 77.30 and 80.20 with poor performance.

0 Kudos
Herold
Contributor
Hi,
Do you have a more detailed procedure? I'm trying to setup a similar VPN between Checkpoint and Zscaler in order to forward 80/443 to them.
Thanks,
0 Kudos
Mohd_Hafizainiz
Explorer

Hi HeikoAnkenbrand,

Can you help to explain in more details how to successfully create the tunnel to zscaler proxy?

Here's the environment for your reference.

Example of current configuration

CheckPoint 4800 with existing 3 tunnels to AWS and azure

CheckPoint firewall VPN domain ( 172.16.0.0/16 , 172.18.0.0/16 172.19.1.0/24, 172.24.0.0/16)

 

before migrating few server subnet to zscaler proxy via ipsec tunnel, we want to test using one IP address only. (172.18.215.10).

what is the step to create the vpn community( mostly the vpn domain for checkpoint fw since we already have vpn domain defined), interoperable device, etc

 

thanks in advance

0 Kudos
HighTech
Explorer

Hello Sir,

Could you please more steps and guidance in order to implement such setup ?

Thanks!

0 Kudos
PhoneBoy
Admin
Admin

There are two supported configurations for connecting with Zscaler:

This requires the versions specified in the SKs.
The above is not relevant on the SMB appliances running Embedded Gaia and an RFE via your local Check Point office will likely be necessary.

0 Kudos
HighTech
Explorer

First of all, I would like to thank you for sharing this, it's very informative!

I still have some questions here and wonder if you could help:

  • on section 2.1, what does Group 1 stands for as VPN domain on Zscaler gateway? What would be its definiton ?
  • From Checkpoint side, how can we configure different VPN domains for each VPN community ?
  • How can we exclude Internal traffic from being forwarded over the tunnel to Zscaler ?
  •  If we disable NAT on the VPN community, NAT-T enabled on the device level will have no effect ? 
  • According to Zscaler team, each IPsec tunnel will carry 400Mbits/s, how can we setup 3 active tunnels at the same time to have 1.2Gbit/s

Thank you in advance!

0 Kudos
Raj_Khatri
Advisor

We have GRE tunnels setup and working by following sk175385.  However, the SK only shows how to create a policy rule using HTTP (80) / TCP (Step 8e).  What is the best way to route all ports over the GRE tunnel instead of creating a rule for each port and protocol?

0 Kudos
PhoneBoy
Admin
Admin

If you're routing to Zscaler, they only look at HTTP/HTTPS (as I recall), which is why the SK lists that step.
You should be able to uncheck Service Port and/or Protocol in that step to allow all ports and/or protocols.

0 Kudos
Cyber_Serge
Collaborator

The Zscaler engineer we worked with also mentioned that GRE tunnel method should pass traffic more than just http/https; So if we don't specify any port and protocol, it will just pass all right?
If we already have restriction on outbound traffic, do we then still need to configure firewall rule to allow any> any for Zscaler destination? 

0 Kudos
Raj_Khatri
Advisor

Zscaler looks at all ports and protocols, not just HTTP/HTTPS.  I guess the SK shows those services as that is the most common traffic that is normally sent.  I presume a policy rule based on interface or source network can be used instead of service ports/protocols to match on (sk100500) which should theoretically send all traffic over the GRE tunnel.

0 Kudos
checkpointer
Participant

Hello Heiko, can you post an example of how you did this exclusion in r80.20? ("Exclude your private and other used networks via crypt.def and no vpn traffic rules.")

We need to do similar but are not in a position to upgrade as yet.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events