@G_W_Albrecht Thanks a lot for the info.

Regards

interesting in the custom vpn domains, could you give a reference or explain how this could be used to exclude ip addresses from a vpn?   We are now hitting this as we move customers over to smart-1 cloud.

You can see a screenshot of it here: https://community.checkpoint.com/t5/Security-Gateways/multiple-domain-per-vpn-community/m-p/115382/h...
There are still going to be situations where .def files will need to be edited, which will have to be done by the TAC.

yeah definitely doesn't match my case, 1500 remote gateways with route-all vpn, but now we need to exclude the cloud Maas service IP addresses for things to work correctly with smart-1 cloud.

Someday we will be able to modify and exclude encryption domains on all devices.

Hi @Ted_Serreyn,

Can you share some details on what didn't work for you and whether excluding the Management service IPs really solved the issue?

Did you exclude the Management instance internal IP, or the IPs of other service entry points?

Theoretically, there should be implied rules that exclude Management services from the VPN community. I'd like to understand why this didn't work out of the box.

If you prefer to take the discussion offline, we can do that as well.

Thanks,
Tomer

After our short conversation, it seems that the outgoing traffic from the gateway to the Management in the cloud is encrypted by the "route all traffic through VPN" setting. It might be possible to handle this via .def changes on the Management, but there is a simpler solution.

On the latest Gaia Embedded firmware (R80.20.30) there is a new parameter for this scenario, in which you can exclude encryption on outgoing traffic that originates from the satellite gateway. 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
(SMB-15429 - accept_outgoing_without_vpn)

We will follow up to see that the issue is indeed resolved. Also, we will check how to improve this scenario and make it work seamlessly out-of-the-box, without manual tweaks.

Hi Tomer,

Just for my own information, though it might be slightly unrelated, if there is ever a need to modify any files in cloud mgmt server, what is official process? Open TAC case or something else? I ask, because I know there is no ssh access to cloud mgmt and what can be opened from web portal I believe only gives basic api access, not even regular clish commands.

Thanks in advance.

The official process is opening a TAC case and we make the required changes on the backend.

Indeed, a TAC case is needed when a customer / partner needs to change a file or use some expert setting on the Management environment.

We understand that this is not always convenient, so we are working to minimize the need for such cases.

• Many file related changes are actually not necessary when we manage the environment. The customer doesn't need to tweak performance, storage or other details.
• Some changes can already be done in the UI, instead of files. A good example is customizing the VPN encryption domains that exists in the SmartConsole UI since R80.40, but we still see customers configure it in user.def.
• CG IaaS auto-scaling configuration was also done in files, but in R81.10 we added the option to configure it via Management REST API or Management CLI. Soon Smart-1 Cloud will upgrade to R81.10, so that will be available as well.
• Last, we are working to take the most common cases and expose them in a better way. For example, we are looking at giving users the option to upload customized .def files. It's not full access via SSH, but will cover a relatively common need.

I hope the extra info helps.

Yes, thank you, very good explanation!