DR_74
Collaborator

VPN Disconnect after disabling: Accept Remote Access Control Connections

Hi,

TCP 264 was opened on our gateways. As we don't use Remote Access VPN on our Gateway we would like to disable it.

We only have Site-to-Site VPN with Azure (the built-in Azure VPN gateway, not a Check Point VM in Azure).

After disabling "Accept Remote Access Control Connections" on our Check Point gateway, the VPN with Azure gets disconnected.

Re-enabling it and installing the policy brings the VPN up again.

From my understanding, TCP 264 is only relevant for Remote Access VPN, not Site-to-Site...


Does it make sense?

4 Replies
G_W_Albrecht
Legend

From sk52421 (Ports used by Check Point software) it does look like that:

TCP 264, FW1_topo: Check Point Security Gateway SecuRemote Topology Requests. Topology download from Security Gateway (by the FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient.


But in sk42815 (How to create a site to site (S2S) VPN without using control connections) we learn:

If you turn off implied rules (if you disable them in Global Properties > Firewall > Accept VPN-1 power/UTM control connection and Accept Remote Access control connections), you may not be able to install a policy on a Remote VPN-1 Power Gateway. Even if you define explicit rules in place of the implied rules, you may still not be able to install the policy.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
DR_74
Collaborator

Thanks, maybe I don't understand the sk, but it doesn't make sense in our environment:

- We have an On-Prem gateway and the remote GW is an Azure gateway.

- We only disable: Accept Remote Access control connections

We don't use Remote VPN.

PhoneBoy
Admin

I suspect that option is doing something else in addition.
Recommend the following: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

G_W_Albrecht
Legend

sk42815 tells you how to replace implied rules by manually defined rules. For a working S2S VPN, either just enable Accept Remote Access control connections or use sk42815 to create a manual rule instead!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist