William_Garner
Employee Alumnus

Exclude CPM traffic from implied rules

I need the ability to manage a remote R80.10 SmartCenter that is on the other side of a Check Point R80.10 GW. The two locations are connected via a site-to-site VPN. CPM traffic from the remote SmartConsole client R80.10 is sent in the clear to the R80.10 SmartCenter because of implied rules, instead of being encrypted by the site-to-site VPN.

SK105719 describes the procedure in earlier versions by removing CPMI from the implied rules but does not reference CPM. I have verified that turning off all implied rules in global properties will fix the problem but I only want to remove CPM (tcp 19009) and CPMI (tcp 18190).

Thanks!

5 Replies
Tomer_Sole
Mentor

Hi,

The checkbox that controls this implied rule is "Accept Control Connections". It also generates 36 additional implied rules, all responsible for the different Check Point processes and the interactions between them.

0 Kudos
William_Garner
Employee Alumnus

Hi Tomer,

Yes, unchecking "Accept Control Connections" will allow the SmartConsole client to connect over the VPN, but having a workaround that only excludes CPM and CPMI would be helpful. If this was a VSX environment, disabling "Accept Control Connections" would cause problems with provisioning virtual hardware.

Thanks!

0 Kudos
Norbert_Bohusch
Advisor

The "#define ENABLE_CPMI" in $FWDIR/lib/implied_rules.def on SmartCenter should also responsible for the CPM-Traffic.

See following output:

# cat implied_rules.def | grep CPM
#define ENABLE_CPMI
#ifdef ENABLE_CPMI
(dport = CPMI_PORT or dport = CPMI_PORT_NGM), tcp, \
(sport = CPMI_PORT or sport = CPMI_PORT_NGM), tcp,

# cat services.def | grep CPMI_PORT_NGM
#ifndef CPMI_PORT_NGM
#define CPMI_PORT_NGM 19009

So it should be possible to exclude CPM/CPMI traffic by commenting out the "#define ENABLE_CPMI" like the following:

/* #define ENABLE_CPMI */

Be sure to back up your files beforehand :)
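The edit described above, as an added example that is not part of the reply or of any Check Point tooling: a POSIX shell helper that checks whether ENABLE_CPMI is still active in a copy of implied_rules.def, writes a backup, and comments the define out C-style without touching the #ifdef block that references it. The sample file is a constructed excerpt modelled on the grep output quoted above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): disable the ENABLE_CPMI define that
# generates the CPMI/CPM (tcp 18190 / tcp 19009) implied rule.
# Assumes POSIX sh, grep -E, sed -E and cp; the file below is constructed.

# Return 0 if "#define ENABLE_CPMI" is still an active (uncommented) line.
cpmi_implied_active() {
    grep -Eq '^[[:space:]]*#define[[:space:]]+ENABLE_CPMI([[:space:]]|$)' "$1"
}

# Back the file up, then turn the define into "/* #define ENABLE_CPMI */".
# Idempotent: a second run finds nothing to change and returns 0.
disable_cpmi_implied() {
    f="$1"
    if ! cpmi_implied_active "$f"; then
        echo "ENABLE_CPMI already disabled in $f"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -E 's|^([[:space:]]*)#define[[:space:]]+ENABLE_CPMI[[:space:]]*$|\1/* #define ENABLE_CPMI */|' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
    # Fail loudly if the substitution did not take effect.
    cpmi_implied_active "$f" && return 1
    return 0
}

# Constructed stand-in for $FWDIR/lib/implied_rules.def, for offline testing.
make_sample_def() {
    cat > "$1" <<'EOF'
#define ENABLE_CPMI
#ifdef ENABLE_CPMI
    (dport = CPMI_PORT or dport = CPMI_PORT_NGM), tcp, \
    (sport = CPMI_PORT or sport = CPMI_PORT_NGM), tcp,
#endif
EOF
}
```

The edited file only takes effect on the next policy installation, so verify with a connection test over the VPN afterwards and keep the .bak copy until you have.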

William_Garner
Employee Alumnus

That did indeed work. I will see about getting that SK updated for R80.10.

Much appreciated!

0 Kudos
Jelle_Hazenberg
Collaborator

Hi,

Thank you for sharing this info. I commented radius out of $FWDIR/lib/implied_rules.def. I needed to exclude this traffic because we use a route-based VPN in our situation. I noticed that the specific connection was accepted by an implied rule (control connection) and left the gateway unencrypted via the wrong interface.

FYI

I found sk32564 explaining WHY this happens.

Greetz!

Jelle
