This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DR_74
Collaborator
‎2021-09-16 06:36 AM

VPN Disconnect after disabling: Accept Remote Access Control Connections

Hi,

TCP 264 was opened on our gateways. As we don't use Remote Access VPN on our Gateway we would like to disable it.

We only have Site 2 Site VPN with Azure.(built in Azure VPN, not a Checkpoint VM in Azure)

After disabling "Accept Remote Access Control Connections" on our Checkpoint gateway, the VPN with Azure get disconnected.

Re-enabling it and Install Policiies makes the VPN up again

From my understanding TCP 264 is only relevant with for Remote Access VPN, not Site2Site...

 

Does it make sense?

 

 

Labels
0 Kudos
4 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-09-16 07:20 AM

From sk52421 Ports used by Check Point software it does look like that:

TCP 264 FW1_topo - Check Point Security Gateway SecuRemote Topology Requests Topology Download from Security Gateway (by FWD daemon) to SecuRemote (build 4100 and higher) and SecureClient

 

But in sk42815: How to create a site to site (S2S) VPN without using control connections we learn:

If you turn off implied rules (if you disable them in Global Properties > Firewall > Accept VPN-1 power/UTM control connection and Accept Remote Access control connections), you may not be able to install a policy on a Remote VPN-1 Power Gateway. Even if you define explicit rules in place of the implied rules, you may still not be able to install the policy.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
DR_74
Collaborator
‎2021-09-16 07:29 AM
In response to G_W_Albrecht

Thanks, maybe I don't understand the sk but it does'nt make sense in our environment:

- We have an On-Prem gateway and the remote GW is an Azure gateway.

- We only disable : Accept Remote Access control connections

We don't use Remote VPN.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-16 07:38 AM
In response to DR_74

I suspect that option is doing something else in addition.
Recommend the following: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-09-16 08:02 AM
In response to DR_74

sk42815 tells you how to replace implied rules my manually defined rules. For working S2S VPN, either just enable Accept Remote Access control connections or use sk42815 to create a manual rule instead !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events