Christine_Berns
Explorer

VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848

We are trying to implement a VPN tunnel between our Checkpoint 7000 cluster and the Zscaler ZIA service as documented in sk174848. It looks like this procedure will cause ALL traffic, including traffic that would normally be handled by other VPN tunnels on the same cluster, traffic that would normally be routed to DMZ segments on the cluster, traffic from the Checkpoints to Checkpoint cloud update services and other traffic that should bypass the tunnel and go direct to the Internet, to be sent through this Zscaler tunnel. How can one exclude this traffic from going into the Zscaler tunnel?

0 Kudos
3 Replies
PhoneBoy
Admin

I believe, in this case, only traffic routed to the default route is sent across the tunnel.
Which means any more specific routes should apply first (i.e. for your LAN/DMZ or similar).
As for excluding traffic from Check Point updates, etc: my first thought was to see: https://support.checkpoint.com/results/sk/sk167135
Unfortunately, this isn’t supported with VPN.

Which means: what you’re asking for is very likely an RFE.

0 Kudos
Christine_Berns
Explorer

Our VPNs are configured as domain-based VPNs. Let's say a packet for an external site gets routed via the default route to the firewall external interface and there are two VPN communities that this packet matches. Community-A is for a specific VPN to a client and the packet matches the specific source and destination addresses defined in the source and destination encryption domains. Community-B is for this Zscaler VPN and the packet matches the specific source address in the source encryption domain and also matches on the destination as this VPN is configured as a universal tunnel (as required by Zscaler). Which VPN community will this packet be encrypted by?

0 Kudos
PhoneBoy
Admin

When you use an empty encryption domain, it’s a route-based VPN.
In this case, the following rules apply: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Bottom line: Domain-Based VPNs take precedence.
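To make the two rules stated in this thread concrete (a more specific route beats the default route, and a domain-based community is matched before a route-based universal tunnel), here is an added Python model of the forwarding decision. It is not Check Point code and does not reproduce the gateway's actual implementation; the routes, addresses and community definitions are constructed for illustration.

```python
"""Simplified model of the VPN selection rules discussed in the thread above."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Community:
    name: str
    kind: str            # "domain" (explicit encryption domains) or "route" (empty destination domain)
    sources: list        # source encryption domain, as CIDR strings
    destinations: list   # destination encryption domain; empty list = universal tunnel


# Constructed routing table: (prefix, next-hop label). The default route is the least specific entry.
ROUTES = [
    ("10.10.0.0/16", "lan"),
    ("172.16.5.0/24", "dmz"),
    ("0.0.0.0/0", "external"),
]

# Constructed communities mirroring the question: Community-A is a client-specific
# domain-based VPN, Community-B is the route-based universal tunnel towards the cloud proxy.
COMMUNITIES = [
    Community("Community-A", "domain", ["10.10.0.0/16"], ["203.0.113.0/24"]),
    Community("Community-B", "route", ["10.10.0.0/16"], []),
]


def lookup_route(dst: str) -> str:
    """Longest-prefix match: LAN/DMZ routes are more specific than the default route."""
    ip = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p, _ in ROUTES if ip in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]


def in_domain(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def select_tunnel(src: str, dst: str):
    """Return the community that would encrypt the packet, or None if it stays out of any tunnel."""
    if lookup_route(dst) != "external":
        return None  # never reaches the default route, so never reaches the universal tunnel
    # Domain-based communities (explicit source and destination domains) take precedence.
    for c in COMMUNITIES:
        if c.kind == "domain" and in_domain(src, c.sources) and in_domain(dst, c.destinations):
            return c.name
    # Whatever is left on the default route falls into the route-based universal tunnel.
    for c in COMMUNITIES:
        if c.kind == "route" and in_domain(src, c.sources):
            return c.name
    return None
```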
