This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christine_Berns
Explorer
‎2023-03-22 06:49 AM

VPN between Checkpoint cluster and Zscaler ZIA public service edge as documented in sk174848

We are trying to implement a VPN tunnel between our Checkpoint 7000 cluster and the Zscaler ZIA service as documented in sk174848.  It looks like this procedure will cause ALL traffic, including traffic that would normally be handled by other VPN tunnels on the same cluster, traffic that would normally be routed to DMZ segments on the cluster, traffic from the Checkpoints to Checkpoint cloud update services and other traffic that should bypass the tunnel and go direct to the Internet, to be sent through this Zscaler tunnel.  How can one exclude this traffic from going into the Zscaler tunnel? 

Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-03-22 01:45 PM

I believe, in this case, only traffic routed to the default route is sent across the tunnel.
Which means any more specific routes should apply first (i.e. for your LAN/DMZ or similar).
As for excluding traffic from Check Point updates, etc: my first thought was to see: https://support.checkpoint.com/results/sk/sk167135
Unfortunately, this isn’t supported with VPN.

Which means: what you’re asking for is very likely an RFE.

0 Kudos
Christine_Berns
Explorer
‎2023-03-22 02:49 PM
In response to PhoneBoy

Our VPNs are configured as domain-based VPNs.  Let's say a packet for an external site gets routed via the default route to the firewall external interface and there are two VPN communities that this packet matches.  Community-A is for a specific VPN to a client and the packet matches the specific source and destination addresses defined in the source and destination encryption domains.   Community-B is for this Zscaler VPN and the packet matches the specific source address in the source encryption domain and also matches on the destination as this VPN is configured as a universal tunnel (as required by Zscaler).  Which VPN community will this packet be encrypted by?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-23 06:57 AM
In response to Christine_Berns

When you use an empty encryption domain, it’s a route-based VPN.
In this case, the following rules apply: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Bottom line: Domain-Based VPNs take precidence.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events