chethan_m
Collaborator

Management Server Traffic Hits the Implied Rules

Hi,

We are currently deploying CGNS firewalls on AWS.

Architecture:

  • The management server is hosted on-premises behind a Check Point firewall cluster.
  • The CGNS firewall cluster is deployed in the cloud (AWS).
  • A route-based IPsec site-to-site VPN is established between the on-prem Check Point firewall cluster and the AWS VPN Gateway.

The Issue:

  • Initially, we successfully established SIC communication between the on-prem SMS and the CGNS firewall cluster, and were able to push policies.
  • However, after a few minutes, the communication between the SMS and CGNS firewalls dropped (Gateways Lost).
  • We observed that traffic related to CPD (port 18191) and CPD_amon (port 18192) was hitting implied rules instead of the explicit VPN access rules configured.
  • Non-Check Point related traffic continues to flow over the VPN tunnel and is encrypted as expected.

Should any exclusions be made in the `$FWDIR/lib/implied_rules.def` file to ensure CP management traffic properly uses the VPN tunnel instead of implied rules?

Any guidance or suggestions to help resolve this would be greatly appreciated.

Thank you,

Chethan

Accepted Solutions
_Val_
Admin

I don't see why not, I've done this many times with many customers around the globe.

4 Replies
_Val_
Admin

SIC traffic should not go via your VPN rules, ever. If your VPN tunnel is down, you would lose control. For that reason, it is covered by implied rules, and it is not recommended to change that.

Management traffic is encrypted, and there is no need to encrypt it again through your IPSec tunnels. 

chethan_m
Collaborator

Thank you for the quick response, @_Val_ 

There is currently no alternative communication channel between the on-prem SMS and the cloud-deployed CGNS firewalls. AWS Direct Connect is also not yet in place.

Given that the management server traffic is already encrypted, would it be feasible to re-establish SIC using public IP addresses instead of private IP addresses?

Regards,

Chethan

_Val_
Admin

I don't see why not, I've done this many times with many customers around the globe.

chethan_m
Collaborator

Thank you once again, I see — this is the solution.

Regards,

Chethan
