This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-03-23 01:05 AM

Locally managed SMBs .def files for VPN fine-tuning

This is a follow-up to SMB units SMS files for VPN fine-tuning after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def for VPN Fine-Tuning that are usually made on the SMS and installed on a GW by a policy install. SMB units also have these files - crypt.def can be found in /pfrm2.0/config1/fw1/lib/ or /pfrm2.0/config2/fw1/lib/ and in /opt/fw1/lib/crypt.def.

The VPN configuration from sk108600 VPN Site-to-Site with 3rd party and sk86582 Excluding subnets in encryption domain from accessing a specific VPN community can also be found on locally managed SMBs crypt.def and edited there. As locally managed SMB units have no manual policy install command to recompile and apply these changes, Yuri points out that reboot would activate the new settings, but also, a much easier way is available ("not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274), changes can be applied by issuing:
[Expert]# fw_configload

The sk100278 gives two commands to apply changes from an edited $FWDIR/conf/trac_client_1.ttm file:
[Expert]# fw_configload
[Expert]# sfwd_restart

So i have asked R&D for more information and i have received the following as the officially supported procedures: In locally managed SMB appliances it’s possible to edit /opt/fw1/lib/crypt.def, but user.def is not officially supported. Also note that sk30919 does not list SMB as relevant Product. Only crypt.def can be modified, and afterwards ‘vpn_configload’ is good enough for the change to take effect.

Supported for locally managed SMB appliances are changes to crypt.def to enable VPN features not available in WebGUI or CLI. We learn that the files from /pfrm2.0/config1/ or /pfrm2.0/config2/ are linked to /opt/fw1/lib/. And we learn the command vpn_configload !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
8 Replies
Pedro_Espindola
Employee
Employee
‎2019-12-26 03:37 PM

Gunther, do you know how to make the procedure from "sk114882 - Remote Access clients configuration based on group membership" work on SMB gateways?

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2019-12-26 08:30 PM
In response to Pedro_Espindola

Actually there seems to be a shell script on SMB that appears to do the vpn_configload thingy the right way:

/opt/fw1/bin/vpn_configload.sh
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-09 01:16 AM
In response to HristoGrigorov

That is just the command i have mentioned far above 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-01-10 09:03 PM
In response to G_W_Albrecht

vpn_configload is binary and vpn_configload.sh is shell script.... so actually there are two commands.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-09 01:15 AM
In response to Pedro_Espindola

You could try with a User group defined in Users & Objects > Users Management > Users 

and

/pfrm2.0/opt/fw1/conf/trac_client_1.ttm

/pfrm2.0/config2/fw1/conf/trac_client_1.ttm

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Baasanjargal_Ts
Advisor
Advisor
‎2020-08-02 05:59 PM
In response to G_W_Albrecht

Hello

 

I am trying to configure universal tunnel on Check Point SMB firewall with 3rd party. Branch router has  0.0.0.0 0.0.0.0 subnet for the tunnel destination side. Check Point SMB firewall is enabled Allow remote gateway all traffic pass through this gateway option. 
Problem is: Branch hosts access to internet through their own router instead of check point SMB.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-08-19 01:47 AM
In response to Baasanjargal_Ts

The SMB Route all traffic thru GW option is for RA clients only, not for IPSEc VPN tunnels. So the branch router is having an issue when not routing everything into the VPN...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
ereche
Participant
‎2025-04-10 03:28 PM

I'm looking for a solution, trying to solve the mystery of why even if i put is on SMS crypt.def it's not work. Now i know, SMB is everything different and there`s no documentation about it. We do these steps on Quantum Spark 1900 and solve the problem.

Do this on SMS, not on GW. Depends on version SMS you have to choose correct file. 

vi /opt/CPSFWR81CMP-R82/lib/crypt.def

Insert these lines on the file and save it.

define USERC_CHECK(rule) {

(<src> in userc_rules)

};

#ifndef NON_VPN_TRAFFIC_RULES

#ifndef IPV6_FLAVOR

#define NON_VPN_TRAFFIC_RULES (dst=192.168.5.1 or dst=192.168.5.2)

#else

#define NON_VPN_TRAFFIC_RULES 0

#endif

#endif

#endif /* __crypt_def__ */

Then install policy on gateways and see the logs. The traffic will pass directly do p2p and not encrypted anymore.

Preview file
58 KB
Preview file
30 KB

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events