Hi Guys,
It has been a long time since my last post here. I have a quick question. Currently we have one issue which is a bit confusing for us. We have a Check Point firewall configured with Identity Awareness which at the same time has 2 VPN tunnels currently active. Identity Awareness should be connecting to 3 AD servers to provide redundancy should one or two of the servers not be available for service. 2 of the AD servers are currently located behind each VPN peer. So we are expecting that each time the management server and gateway want to fetch user information from the 2 AD servers, the connection should go through the VPN tunnel. However, based on the logs we can see it does not go through the VPN tunnel. Below are the steps that we have tried.
(How we test)
We created a test LDAP profile for AD. After configuring it, we tried to fetch users from the remote AD and found that the management server successfully connected to the remote AD servers. The logs show that the test traffic was able to connect and used the VPN tunnel to communicate with the remote AD. However, after pushing/installing the policy to the firewall, we found that the management server and gateway were not able to connect to the remote AD. The traffic logs show that the connection does not flow through the VPN tunnel as it did in the previous test. We can confirm that client PCs are able to connect to the remote AD through the VPN tunnel.
(Troubleshooting Steps)
1. Based on the logs we can see that the traffic is being processed by an implied rule. Because of this, we checked the Global Properties and changed the Identity Awareness rules to be processed "Before Last", so that the traffic would be able to hit the VPN rules in the installed policy as usual. However, this still does not solve the issue: the connection still matches the implied rule and does not use any VPN tunnel to connect to the remote AD.
2. We have also referred to sk105950 for further troubleshooting. We simulated the activity again, but in the debug logs we couldn't find anything related to that SK.
Please help; there might be something that I have missed.
Looking for guidance.
😁