Jones_Jardel_Po
Contributor

Policies in Traditional and Simplified mode

Is it possible to copy all firewall, QoS rules from a simplified policy to a traditional policy?

0 Kudos
PhoneBoy
Admin

Traditional Mode policies have been discouraged since at least NG (R5x) versions.

In R80, the ability to create new Traditional Mode policies was removed and isn't coming back.

What's the real problem you're trying to solve?

Let's find a way to solve that in a way that doesn't involve Traditional Mode policies.

Jones_Jardel_Po
Contributor

Hello Dameon,

Thank you first.

I have an IPsec VPN established and I need to forward all Internet traffic to this tunnel, but only one internal subnet must be affected by this.

How can I do this using communities?

0 Kudos
PhoneBoy
Admin
Jones_Jardel_Po
Contributor

Thank you Dameon.

I want to send to that tunnel only requests from 192.168.1.0/24 going to the Internet (example);

Thinking on that, I will need to exclude all my internal subnets going to the Internet, example:

```
//
// User defined INSPECT code
//

vpn_exclude_src={<192.168.1.1,192.168.1.254>};
vpn_exclude_dst={<I need to put all Internet IPs here?>};

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES ((src in vpn_exclude_src) and (dst in vpn_exclude_dst))
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
```

So, I'll need to put all Internet IPs on vpn_exclude_dst?

0 Kudos
PhoneBoy
Admin

Correct.

All IPs can be represented using the range specified in the All_Internet object, which is <0.0.0.0,255.255.255.255>.
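
An added example, not part of the thread and not Check Point code: a small Python check that parses the snippet quoted above, with the full range filled in as the destination table, and reports which flows the rule would match. It assumes a match means the flow is left out of the tunnel (the thread's "exclude" wording) and that the rule is a plain `and` of `(src|dst in table)` terms; the sample addresses other than those in the thread are constructed.

```python
import ipaddress
import re

# Constructed sample: the thread's snippet with the full-range destination filled in.
CRYPT_DEF = """
vpn_exclude_src={<192.168.1.1,192.168.1.254>};
vpn_exclude_dst={<0.0.0.0,255.255.255.255>};
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES ((src in vpn_exclude_src) and (dst in vpn_exclude_dst))
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif
"""

def parse_tables(text):
    """Return {table_name: [(first_ip, last_ip), ...]} from name={<a,b>,...}; lines."""
    tables = {}
    for name, body in re.findall(r"^(\w+)\s*=\s*\{(.*?)\}\s*;", text, re.M):
        tables[name] = [
            (ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip()))
            for lo, hi in re.findall(r"<([^,>]+),([^>]+)>", body)
        ]
    return tables

def parse_rule(text):
    """Return [(field, table), ...] from the first (IPv4) NON_VPN_TRAFFIC_RULES define."""
    m = re.search(r"^#define\s+NON_VPN_TRAFFIC_RULES\s+(.*)$", text, re.M)
    return re.findall(r"\((src|dst) in (\w+)\)", m.group(1)) if m else []

def is_excluded(text, src, dst):
    """True if the flow matches every term (assumption: a match bypasses the VPN)."""
    tables, terms = parse_tables(text), parse_rule(text)
    addr = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}
    if not terms:  # e.g. "#define NON_VPN_TRAFFIC_RULES 0": nothing is excluded
        return False
    return all(
        any(lo <= addr[field] <= hi for lo, hi in tables.get(table, []))
        for field, table in terms
    )

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "8.8.8.8"), ("192.168.1.10", "10.20.30.40"),
                     ("192.168.2.10", "8.8.8.8")]:
        print(src, "->", dst, "matches exclusion:", is_excluded(CRYPT_DEF, src, dst))
```

With the destination table set to the full range, the `dst` term matches every address, internal ones included, so the source table alone decides which flows match.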

Jones_Jardel_Po
Contributor

Thanks

0 Kudos
Jones_Jardel_Po
Contributor

And a curious thing: why does Check Point not put this kind of configuration in the Smart Dashboard?

0 Kudos
PhoneBoy
Admin
If I had to guess, it's because it's not a common use case.

I personally hadn't heard of this specific use case before.

0 Kudos
Jones_Jardel_Po
Contributor

Uhmmm... but this case does not sound like an uncommon case.

If it was a common case, we would not have an SK for this kind of situation...

0 Kudos
PhoneBoy
Admin
SKs exist for both common and uncommon issues.
0 Kudos