This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Robin_H
Contributor
‎2023-07-18 08:16 AM
Jump to solution

Gateway uses VPN despite not being part of the VPN domain

Hi!

 

I´m in the process of setting up a Site2Site VPN from our office to Cisco Umbrella to channel all user surf traffic to the Umbrella "Proxy".

Tunnel is a star community, one tunnel per gateway

My gateway is center and VPN domain is "User-computer-VLAN" (192.168.5.0/24).

Satellite Gateway is the Umbrella gateway with VPN domain "Internet_without_Private_Networks". This is a group-with-exclusion object, consisting of "Internet" except "Private networks (RFC 1918)". The purpose is that the clients shall access all internet IPs through the tunnel, only then being filtered through the Umbrella proxies.

The traffic is then allowed in the ruleset, I also added the community to the rule.

This works nicely but there is a side effect. Every traffic from the gateway itself is also send into the tunnel. This ranges from DNS traffic for ISP redundancy DNS proxy updates to user-VPN-tunnels not working to the gateway to not being able to download updates for IPS and patches.

"Excluded services" might help me with ISP redundancy ping and User-VPN-tunnels but not with the IPS updates. Eventually, Client DNS shall also go through the tunnel, so I can´t exlude that either.

Is there any way I can exclude the gateway from using the tunnel? 

Any ideas appreciated!

 

Greetings,

Robin

0 Kudos
1 Solution

Accepted Solutions
CheckPointerXL
Advisor
Advisor
‎2023-07-18 01:13 PM
Jump to solution

Take a look here, the setup should be similar

 

https://support.checkpoint.com/results/sk/sk179920

View solution in original post

5 Replies
RS_Daniel
Advisor
Advisor
‎2023-07-18 11:18 AM
Jump to solution

Yes,

Check sk108600 scenario 3:

https://support.checkpoint.com/results/sk/sk108600

You can use crypt.def file to exclude traffic from vpn including src ip, dst ip and ports.

Regards

 

CheckPointerXL
Advisor
Advisor
‎2023-07-18 01:13 PM
Jump to solution

Take a look here, the setup should be similar

 

https://support.checkpoint.com/results/sk/sk179920

Robin_H
Contributor
‎2023-07-19 08:39 AM
In response to CheckPointerXL
Jump to solution

This is the way I was already going. Good to know that it seems to be the current best-practice.

In this case, putting services in the cloud does not make things easier though.

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2023-12-18 04:31 AM
In response to Robin_H
Jump to solution

Hello, 

 

did you follow the Cisco guide?
https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnels-with-checkpoint-gaia

do you run a "Domain Based" tunnel or with VTI Tunnel interfaces?

 

Robin_H
Contributor
‎2023-12-21 06:12 AM
In response to Thomas_Eichelbu
Jump to solution

We´re not using VTI.
Our Umbrella contact just mentioned this new guide the other day but switching to it would be too big at the moment.

We do have an issue with the current setup (IKE SA is not simply renewed or gracefully finished) but that seems related to our usage of MEP, using two different Umbrella DCs in a star community for additional redundancy. Troubleshooting on this will commence soon.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events