This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jones_Jardel_Po
Contributor
‎2018-07-06 08:41 AM
Jump to solution

Policies in Traditional and Simplified mode

Is it possible to copy all firewall, QoS rules from a simplified policy to a traditional policy?

0 Kudos
1 Solution

Accepted Solutions
10 Replies
PhoneBoy
Admin
Admin
‎2018-07-06 09:57 AM
Jump to solution

Traditional Mode policies have been discouraged since at least NG (R5x) versions.

In R80, the ability to create new Traditional Mode policies was removed and isn't coming back.

What's the real problem you're trying to solve?

Let's find a way to solve that in a way that doesn't involve Traditional Mode policies.

Jones_Jardel_Po
Contributor
‎2018-07-06 10:25 AM
In response to PhoneBoy
Jump to solution

Hello Dameon,

Thank you first.

I have a IPsec VPN established and I need to forward all Internet traffic to this tunnel, but only one internal subnet must be affected on tihs.

How can I do this using communities?

0 Kudos
Jones_Jardel_Po
Contributor
‎2018-07-06 03:18 PM
In response to PhoneBoy
Jump to solution

Thank you Dameon.

I want to send to that tunnel only requests from 192.168.1.0/24 going to the Internet (example);

Thinking on that, I will need to exclude all my internal subnets going to the Internet, example:

// // User defined INSPECT code //  vpn_exclude_src={<192.168.1.1,192.168.1.254>}; vpn_exclude_dst={<I need to put all Internet IPs here?>};  #ifndef IPV6_FLAVORipv #define NON_VPN_TRAFFIC_RULES ((src in vpn_exclude_src) and (dst in vpn_exclude_dst)) #else #define NON_VPN_TRAFFIC_RULES 0 #endif

So, I'll need to put all Internet IPs on vpn_exclude_dst?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-06 03:32 PM
In response to Jones_Jardel_Po
Jump to solution

Correct.

All IPs can be represented using the range specified in the All_Internet object, which is <0.0.0.0,255.255.255.255>.

Jones_Jardel_Po
Contributor
‎2018-07-06 03:40 PM
In response to PhoneBoy
Jump to solution

And a curious thing: why Check Point does not put this kind of configuration in the Smart Dashboard?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-06 03:51 PM
In response to Jones_Jardel_Po
Jump to solution

If I had to guess, it's because it's not a common use case.

I personally hadn't heard of this specific use case before.

0 Kudos
Jones_Jardel_Po
Contributor
‎2018-07-06 04:16 PM
In response to PhoneBoy
Jump to solution

Uhmmm... but this case does not sounds like a not common case.

If it was a common case, we will not have a SK to this kind of situation...

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-06 04:40 PM
In response to Jones_Jardel_Po
Jump to solution

SKs exist for both common and uncommon issues.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top